How to Monitor LDAP or Active Directory Security Provider in WebLogic and Oracle FMW Domains?
While performing WebLogic operations, the Security Provider definitions (LDAP or Active Directory) matter.
PART-I: Tech Tutorial Scope
Monitoring LDAP or Active Directory Authentication: Is the integration working as expected?
While performing WebLogic operations, we maintain many Security Provider definitions, each pointing to either an LDAP or an Active Directory server.
When Active Directory is down, there is no access to the shared resources that require domain authentication. Nobody can log in to a machine on which they do not have cached credentials, and cached credentials eventually stop working. Login operations cannot be performed in the applications running on those machines. This makes it hard to detect the fault at the moment it happens. AD (Active Directory) is our lock and key. Another effect of this problem is slowness in the WebLogic domains we manage. When it occurs, we cannot fully understand the cause, because the WebLogic domains become unresponsive.
We have developed a WLSDM Monitoring application to detect the problem simply and quickly.
Let’s dive deep into how we achieved it!
By the end of this blog post, you will understand how we monitor the status (UP/DOWN) of the Security Provider systems defined on our WebLogic domains, and their response times, via WLSDM. Specifically, you will learn how we quickly detect errors and build an alert mechanism with a simple one-liner that generates alerts through WLSDM.
PART-II: ldapsearch
Ldapsearch and Custom Security Provider
- Is the Security Provider service UP or DOWN?
- If it is UP, what is the response time of it?
You will learn how these two checks are monitored via WLSDM. The check was built using the “ldapsearch” tool.
What is ldapsearch tool?
ldapsearch is a command-line tool that opens a connection to an LDAP server, binds to it, and performs a search using a filter. The results are displayed in LDIF format. The ldapsearch tool is installed by default on some Linux systems and with some Oracle product installations. If you do not have it, you can install it on your system as follows.
PART-III: Creating LDAP or AD Monitoring Script
3.1 Installation of ldapsearch (Skip this step if it is already installed)
If the ldapsearch tool is not already installed on your VM server, you can install it with the commands below.
3.2 Set Environment Variables:
If ORACLE_HOME is not set in your session, you need to set the variable in the script as shown below; additionally, set the ldapsearch path in the script.
3.3 Set AD Server Information
Assign AD server values to the variables.
3.4 Calculate Response Time
The response time is calculated as follows, and the result is assigned to the _responseTime variable.
The ldapsearch query runs between the points at which _startTime and _endTime are captured.
3.5 Ldapsearch Query
If the ldapsearch output contains the sAMAccountName attribute, the result is 1; otherwise it is 0.
Complete Script
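The author's own script is not reproduced on this page. What follows is an added example (my code, not the author's and not part of WLSDM) showing how steps 3.1 to 3.5 fit together in one POSIX shell script: environment setup, AD server variables, the timed ldapsearch bind-and-search, and the 1/0 result test on sAMAccountName. Host name, DNs, file paths, the service account name and the key=value output format are all assumptions to be replaced with your own values. Two deliberate departures from the description above: the bind password is read from a protected file with `-y` rather than passed as an argument, so it never shows up in the process list, and the response time is reported in milliseconds rather than seconds. A hung directory is bounded by `-o nettimeout`/`-l`, so the probe reports a DOWN after the timeout instead of hanging the MBean collection.

```shell
#!/bin/sh
# Added example (not the article's script): AD/LDAP health probe for a
# WLSDM Generic DevOps MBean. Prints two attributes: provider status
# (1=UP, 0=DOWN) and bind+search response time in milliseconds.
# Every host name, DN, path and account below is a constructed placeholder.

# 3.1/3.2 Environment: if ldapsearch is not on PATH, point LDAPSEARCH at an
# Oracle-shipped copy or install the OS package (openldap-clients on
# Oracle Linux/RHEL, ldap-utils on Debian/Ubuntu).
ORACLE_HOME="${ORACLE_HOME:-/u01/app/oracle/middleware}"   # placeholder path
export ORACLE_HOME
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"   # or "$ORACLE_HOME/<path>/ldapsearch"

# 3.3 AD server information (placeholders).
AD_HOST="${AD_HOST:-ad.example.com}"
AD_PORT="${AD_PORT:-389}"
AD_BASE_DN="${AD_BASE_DN:-DC=example,DC=com}"
AD_BIND_DN="${AD_BIND_DN:-CN=svc_wlsdm,OU=Service Accounts,DC=example,DC=com}"
# Password file: mode 0600, written with printf so it has NO trailing
# newline (ldapsearch -y binds with the file's exact bytes).
AD_BIND_PW_FILE="${AD_BIND_PW_FILE:-/etc/wlsdm/ad_bind.pw}"
AD_USER="${AD_USER:-svc_wlsdm}"      # read-only service account the probe looks up
AD_TIMEOUT="${AD_TIMEOUT:-5}"        # seconds; a hung AD shows as ~5000 ms DOWN

# Millisecond clock (GNU date); falls back to whole seconds elsewhere.
now_ms() {
  if _t=$(date +%s%3N 2>/dev/null) && [ "$_t" -eq "$_t" ] 2>/dev/null; then
    echo "$_t"
  else
    echo $(( $(date +%s) * 1000 ))
  fi
}

# 3.5 Result test: 1 if the LDIF in $1 carries the line "sAMAccountName: $2",
# else 0. -F -x -i: fixed string, whole line, case-insensitive (AD attribute
# values are compared case-insensitively).
ldif_has_account() {
  if printf '%s\n' "$1" | grep -qiFx "sAMAccountName: $2"; then
    echo 1
  else
    echo 0
  fi
}

# 3.4 + 3.5: time one simple bind plus a search for the service account.
# Sets ad_status (1/0) and ad_response_ms. Network errors, a failed bind and
# a missing binary all count as DOWN; the elapsed time is still recorded so
# a timeout is visible on the chart.
check_ad() {
  _start=$(now_ms)
  _out=$("$LDAPSEARCH" -x -LLL -o nettimeout="$AD_TIMEOUT" -l "$AD_TIMEOUT" \
           -H "ldap://$AD_HOST:$AD_PORT" -D "$AD_BIND_DN" -y "$AD_BIND_PW_FILE" \
           -b "$AD_BASE_DN" "(sAMAccountName=$AD_USER)" sAMAccountName 2>/dev/null) \
    || _out=""
  _end=$(now_ms)
  ad_response_ms=$(( _end - _start ))
  ad_status=$(ldif_has_account "$_out" "$AD_USER")
}

# Output in key=value form for the WLSDM "Transform" step (format assumed;
# adapt to what your WLSDM version parses into MBean attributes).
print_mbean_attributes() {
  check_ad
  printf 'AD_Provider_Status=%s\n' "$ad_status"
  printf 'AD_Provider_ResponseTimeMs=%s\n' "$ad_response_ms"
}

print_mbean_attributes
```

The service account used for the bind only needs read access to its own entry; give it nothing more, since the password file lives on every WebLogic VM that runs the probe. If a dashboard in seconds is preferred, divide `ad_response_ms` by 1000 before printing, but keep in mind that a healthy AD answers a simple bind in well under a second, so seconds-resolution hides most latency regressions.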
PART-IV: Integrating Script with WLSDM
4.1. Monitoring WebLogic Security Providers through WLSDM
Let’s use this script to monitor the response time and check that our AD provider is up and running by integrating with WLSDM interfaces.
WLSDM has a feature called “Generic DevOps MBean”. Using this feature, we can generate any MBean type using shell/bat commands or SQL queries. Another feature WLSDM has is the smart dashboard. The Smart Dashboard is useful to monitor metrics (any Integer type values). We can assign any MBean metric attribute to the Smart dashboard then a WebLogic Administrator can monitor it continuously.
In summary:
- Create an MBean dynamically using WLSDM Generic DevOps MBean feature by choosing Shell/Bat script or SQL Query
- Apply these MBean attributes to the smart dashboard so a WebLogic administrator can monitor it continuously
4.2 WLSDM Generic MBean
1. Log in to WebLogic Console and click on the Smart Dashboard Console link. This will navigate you to the WLSDM dashboard.
2. Go to “Configuration > Monitoring & Diagnostics” page as shown below. This will take you to the page where we can create and register the MBean object.
3. Go to the “Generic DevOps MBeans” tab. Here we can see all the existing MBean definitions. Open the “Page Operations” menu at the top right of the page and click the “New Generic DevOps MBean” button.
4. This will open a modal window as shown below. Here we can select the type (Shell / SQL) and WebLogic server where the MBean is going to be registered.
a. Select Embedded Script. This lets us write a shell script or a bat script: if the WebLogic server is installed on a Linux server we write a shell script; on Windows servers we write a BAT or PowerShell script. WLSDM takes care of executing the commands and scripts on the VM servers.
b. Move the WebLogic server instance from Target Servers to Applied Servers. The MBean we are going to create is deployed only to the Applied Servers. Use the screen capture below as a reference.
5. This screen is important. Put your bat/shell commands here and click the Transform button. This generates MBean objects from the script output. Once the MBeans are generated, click the Next button.
6. We can view the dashboard by clicking the Dashboard that we have created in the last wizard step.
Result
Monitoring LDAP Health States and Response Time Performance
You are going to have the below dashboards ultimately. As you can see, each attribute is displayed in a separate chart. The blue line shows the AD Provider server status, and the yellow line shows the AD Provider response time in seconds.
Appendix: About Active Directory & LDAP
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.
A server running the Active Directory Domain Services (AD DS) role is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers, and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted username and password and determines whether the user is a system administrator or a normal user.
It also enables information management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services, and Rights Management Services.
Conclusion
In this article you have learned how to detect Active Directory or LDAP server outages and service disruptions immediately. Additionally, you can monitor and measure the LDAP server’s response time performance by following the WLSDM charts. With this project, you are able to identify critical AD or LDAP problems and solve them quickly.
There are tons of wonderful tutorials about the Generic DevOps MBean functionality available on the WLSDM website, at the web page below:
Author: Umut Akantürk
Editor: Fevzi Korkutata