Configure passwordless database connections for Java apps on Oracle WebLogic Server

This article shows you how to configure passwordless database connections for Java apps on Oracle WebLogic Server offers with the Azure portal.

In this guide, you accomplish the following tasks:

  • Provision database resources using Azure CLI.
  • Enable the Microsoft Entra administrator in the database.
  • Provision a user-assigned managed identity and create a database user for it.
  • Configure a passwordless database connection in Oracle WebLogic offers with the Azure portal.
  • Validate the database connection.

The offers support passwordless connections for PostgreSQL, MySQL and Azure SQL databases.

Prerequisites

Create a resource group

Create a resource group with az group create. Because resource groups must be unique within a subscription, pick a unique name. An easy way to have unique names is to use a combination of your initials, today's date, and some identifier. For example, abc1228rg. This example creates a resource group named abc1228rg in the eastus location:

export RESOURCE_GROUP_NAME="abc1228rg"
az group create \
    --name ${RESOURCE_GROUP_NAME} \
    --location eastus

Create a database server and a database

Create a flexible server with the az mysql flexible-server create command. This example creates a flexible server named mysql20221201 with admin user azureuser and admin password Secret123456. Replace the password with yours. For more information, see Create an Azure Database for MySQL Flexible Server using Azure CLI.

export MYSQL_NAME="mysql20221201"
export MYSQL_ADMIN_USER="azureuser"
export MYSQL_ADMIN_PASSWORD="Secret123456"

az mysql flexible-server create \
    --resource-group $RESOURCE_GROUP_NAME \
    --name $MYSQL_NAME \
    --location eastus \
    --admin-user $MYSQL_ADMIN_USER \
    --admin-password $MYSQL_ADMIN_PASSWORD \
    --public-access 0.0.0.0 \
    --tier Burstable \
    --sku-name Standard_B1ms

Create a database with az mysql flexible-server db create.

export DATABASE_NAME="contoso"

# create mysql database
az mysql flexible-server db create \
    --resource-group $RESOURCE_GROUP_NAME \
    --server-name $MYSQL_NAME \
    --database-name $DATABASE_NAME

When the command completes, you should see output similar to the following example:

Creating database with utf8 charset and utf8_general_ci collation
{
  "charset": "utf8",
  "collation": "utf8_general_ci",
  "id": "/subscriptions/contoso-hashcode/resourceGroups/abc1228rg/providers/Microsoft.DBforMySQL/flexibleServers/mysql20221201/databases/contoso",
  "name": "contoso",
  "resourceGroup": "abc1228rg",
  "systemData": null,
  "type": "Microsoft.DBforMySQL/flexibleServers/databases"
}

Configure a Microsoft Entra administrator to your database

Now that you've created the database, you need to make it ready to support passwordless connections. A passwordless connection requires a combination of managed identities for Azure resources and Microsoft Entra authentication. For an overview of managed identities for Azure resources, see What are managed identities for Azure resources?

For information on how MySQL Flexible Server interacts with managed identities, see Use Microsoft Entra ID for authentication with MySQL.

The following example configures the current Azure CLI user as a Microsoft Entra administrator account. To enable Azure authentication, it's necessary to assign an identity to MySQL Flexible Server.

First, create a managed identity with az identity create and assign the identity to MySQL server with az mysql flexible-server identity assign.

export MYSQL_UMI_NAME="id-mysql-aad-20221205"

# create a User Assigned Managed Identity for MySQL to be used for AAD authentication
az identity create \
    --resource-group $RESOURCE_GROUP_NAME \
    --name $MYSQL_UMI_NAME

## assign the identity to the MySQL server
az mysql flexible-server identity assign \
    --resource-group $RESOURCE_GROUP_NAME \
    --server-name $MYSQL_NAME \
    --identity $MYSQL_UMI_NAME

Then, set the current Azure CLI user as the Microsoft Entra administrator account with az mysql flexible-server ad-admin create.

export CURRENT_USER=$(az account show --query user.name --output tsv)
export CURRENT_USER_OBJECTID=$(az ad signed-in-user show --query id --output tsv)

az mysql flexible-server ad-admin create \
    --resource-group $RESOURCE_GROUP_NAME \
    --server-name $MYSQL_NAME \
    --object-id $CURRENT_USER_OBJECTID \
    --display-name $CURRENT_USER \
    --identity $MYSQL_UMI_NAME

Create a user-assigned managed identity

Next, in Azure CLI, create an identity in your subscription by using the az identity create command. You use this managed identity to connect to your database.

az identity create \
    --resource-group ${RESOURCE_GROUP_NAME} \
    --name myManagedIdentity

To configure the identity in the following steps, use the az identity show command to store the identity's client ID in a shell variable.

# Get client ID of the user-assigned identity
export CLIENT_ID=$(az identity show \
    --resource-group ${RESOURCE_GROUP_NAME} \
    --name myManagedIdentity \
    --query clientId \
    --output tsv)

Create a database user for your managed identity

Now, connect as the Microsoft Entra administrator user to your MySQL database, and create a MySQL user for your managed identity.

First, you're required to create a firewall rule to access the MySQL server from your CLI client. Run the following commands to get your current IP address.

export MY_IP=$(curl http://whatismyip.akamai.com)

If you're working on Windows Subsystem for Linux (WSL) with VPN enabled, the following command may return an incorrect IPv4 address. One way to get your IPv4 address is by visiting whatismyipaddress.com. In any case, set the environment variable MY_IP as the IPv4 address from which you want to connect to the database.

Create a temporary firewall rule with az mysql flexible-server firewall-rule create.

az mysql flexible-server firewall-rule create \
    --resource-group $RESOURCE_GROUP_NAME \
    --name $MYSQL_NAME \
    --rule-name AllowCurrentMachineToConnect \
    --start-ip-address ${MY_IP} \
    --end-ip-address ${MY_IP}

Then, prepare an .sql file to create a database user for the managed identity. The following example adds a user with login name identity-contoso and grants the user privileges to access database contoso.

export IDENTITY_LOGIN_NAME="identity-contoso"

cat <<EOF >createuser.sql
SET aad_auth_validate_oids_in_tenant = OFF;
DROP USER IF EXISTS '${IDENTITY_LOGIN_NAME}'@'%';
CREATE AADUSER '${IDENTITY_LOGIN_NAME}' IDENTIFIED BY '${CLIENT_ID}';
GRANT ALL PRIVILEGES ON ${DATABASE_NAME}.* TO '${IDENTITY_LOGIN_NAME}'@'%';
FLUSH privileges;
EOF

Execute the .sql file with the command az mysql flexible-server execute. You can get your access token with the command az account get-access-token.

export RDBMS_ACCESS_TOKEN=$(az account get-access-token \
    --resource-type oss-rdbms \
    --query accessToken \
    --output tsv) 

az mysql flexible-server execute \
    --name ${MYSQL_NAME} \
    --admin-user ${CURRENT_USER} \
    --admin-password ${RDBMS_ACCESS_TOKEN} \
    --file-path "createuser.sql"

You may be prompted to install the rdbms-connect extension, as shown in the following output. Press y to continue. If you're not working with the root user, you need to input the user password.

The command requires the extension rdbms-connect. Do you want to install it now? The command will continue to run after the extension is installed. (Y/n): y
Run 'az config set extension.use_dynamic_install=yes_without_prompt' to allow installing extensions without prompt.
This extension depends on gcc, libpq-dev, python3-dev and they will be installed first.
[sudo] password for user:

If the .sql file executes successfully, you find output that is similar to the following example:

Running *.sql* file 'createuser.sql'...
Successfully executed the file.
Closed the connection to mysql20221201

The managed identity myManagedIdentity now has access to the database when authenticating with the username identity-contoso.

If you no longer want to access the server from this IP address, you can remove the firewall rule by using the following command.

az mysql flexible-server firewall-rule delete \
    --resource-group $RESOURCE_GROUP_NAME \
    --name $MYSQL_NAME \
    --rule-name AllowCurrentMachineToConnect \
    --yes

Finally, use the following command to get the connection string that you use in the next section.

export CONNECTION_STRING="jdbc:mysql://${MYSQL_NAME}.mysql.database.azure.com:3306/${DATABASE_NAME}?useSSL=true"
echo ${CONNECTION_STRING}

Configure a passwordless database connection for Oracle WebLogic Server on Azure VMs

This section shows you how to configure the passwordless data source connection using the Azure Marketplace offers for Oracle WebLogic Server.

First, begin the process of deploying an offer. The following offers support passwordless database connections:

Fill in the required information in the Basics pane and other panes if you want to enable the features. When you reach the Database pane, fill in the passwordless configuration as shown in the following steps.

  1. For Connect to database?, select Yes.
  2. Under Connection settings, for Choose database type, open the dropdown menu and then select MySQL (with support for passwordless connection).
  3. For JNDI Name, input testpasswordless or your expected value.
  4. For DataSource Connection String, input the connection string you obtained in the last section.
  5. For Database username, input the database user name of your managed identity (the value of ${IDENTITY_LOGIN_NAME}). In this example, the value is identity-contoso.
  6. Select Use passwordless datasource connection.
  7. For User assigned managed identity, select the managed identity you created previously. In this example, its name is myManagedIdentity.

The Connection settings section should look like the following screenshot, which uses Oracle WebLogic Server Cluster on VMs as an example.

Screenshot of the Azure portal showing the Configure database pane of the Create Oracle WebLogic Server on VMs page.

You've now finished configuring the passwordless connection. You can continue to fill in the following panes or select Review + create, then Create to deploy the offer.

Verify the database connection

The database connection is configured successfully if the offer deployment completes without error.

Continuing to take Oracle WebLogic Server Cluster on VMs as an example, after the deployment completes, follow these steps in the Azure portal to find the Admin console URL.

  1. Find the resource group in which you deployed WLS.
  2. Under Settings, select Deployments.
  3. Select the deployment with the longest Duration. This deployment should be at the bottom of the list.
  4. Select Outputs.
  5. The URL of the WebLogic Administration Console is the value of the adminConsoleUrl output.
  6. Copy the value of the output variable adminConsoleUrl.
  7. Paste the value into your browser address bar and press Enter to open the sign-in page of the WebLogic Administration Console.

Use the following steps to verify the database connection.

  1. Sign in to the WebLogic Administration Console with the username and password you provided on the Basics pane.

  2. Under the Domain Structure, select Services, Data Sources, then testpasswordless.

  3. Select the Monitoring tab, where the state of the data source is Running, as shown in the following screenshot.

  4. Select the Testing tab, then select the radio button next to the desired server.

  5. Select Test Data Source. You should see a message indicating a successful test, as shown in the following screenshot.

    Screenshot of the WebLogic Console portal showing a successful test of the datasource.

Clean up resources

If you don't need these resources, you can delete them by doing the following commands:

az group delete --name ${RESOURCE_GROUP_NAME}
az group delete --name <resource-group-name-that-deploys-the-offer>

Next steps

Learn more about running WLS on AKS or virtual machines by following these links: