3
User Management

This chapter describes how to administer Oracle9iAS Single Sign-On user accounts and passwords.

This chapter contains the following topics:

• Usernames and Passwords

• Creating User Accounts

• Editing User Accounts

• Deleting User Accounts

• Administering Passwords

• Exporting and Importing User Accounts

Usernames and Passwords

Rules for specifying usernames are as follows:

• The username must be unique and is limited to 50 characters; short names are easier to remember

• The following characters are not allowed in the username: tilde (~), semi-colon (;), and single quote (').

• Usernames are not case-sensitive. For example, the Login Server evaluates the following values identically: SCOTT, Scott, and scott.

• Usernames can be created in multibyte character sets.

Rules for specifying passwords are as follows:

• You can establish restrictions on what can be used as a password. For example, you can restrict passwords to a minimum number of characters, or to include at least one numeric character.

• Passwords should be easy to remember but not obvious to others.

• New users should change their password the first time they log in.

Creating User Accounts

In order to log in to Oracle9iAS Portal and access non-public information and features, a user must have both a Oracle9iAS Single Sign-On user account and an Oracle9iAS Portal user account.

You only have to create a user's Oracle9iAS Single Sign-On user account, because an Oracle9iAS Portal account is automatically created when you first edit a user's Oracle9iAS Portal settings, or when the user first logs in to Oracle9iAS Portal using the Oracle9iAS Single Sign-On account.

To create an Oracle9iAS Single Sign-On user account:

• You must be a Login Server administrator.

• You must be an Oracle9iAS Portal administrator to access the Administer tab of the Oracle9iAS Portal home page.

The Create User page is used to create a Oracle9iAS Single Sign-On user account for a new user.

Table 3-1 describes the fields on the Create User page.

Table 3-1 Create User Page

Fields	Description
User Details
User Name	Enter a username for the account. See Also: "Usernames and Passwords" for rules for specifying usernames
Password	Enter a password for the account. The user uses this password to confirm that the user is authorized to log in using the account. See Also: "Usernames and Passwords" for rules for specifying passwords You can establish restrictions on what can be used as a password. For example you can restrict passwords to contain a minimum number of characters or to include at least one numeric character. See Also: "Configuring the Login Server" in Chapter 2, "Administrative Basics" for information about establishing password restrictions You should advise new users to change their password the first time they log in.
Confirm Password	Enter the password again to confirm that you entered it correctly in the Password field.
E-mail Address	Enter the user's e-mail address.
Account Activation and Termination
Activate Account On	Enter the date when the user can start using the account. Use the format specified to the right of the field.
Terminate Account On	Enter the date when the user will no longer be able to use the account. Use the format specified to the right of the field. Note: If you want the account to be available indefinitely, leave this field blank.
Login Server Privileges
Login Server Privilege Level	Select which privileges to grant the user on the Login Server: End User: No administrative privileges Full Administrator: Login Server administrator privileges

Perform the following steps to create a Oracle9iAS Single Sign-On user account.

1. Navigate to the Oracle9iAS Portal home page.

2. In the User portlet, click Create New Users.

   By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.

   The Create User page displays.

3. In the User Name field, enter a unique username for the account.

   See Also: "Usernames and Passwords" for information about username specification rules

4. In the Password field, enter a password for the account.

   See Also: "Usernames and Passwords" for information about password specification rules

5. Enter the same password in the Confirm Password field to confirm that you entered it correctly.

6. Optionally, in the E-Mail Address field, enter the user's e-mail address.

7. In the Activate Account On field, enter the date when the user can start logging on using the account. Use the format specified to the right of the field.

8. Optionally, in the Terminate Account On field, enter the date when the user will no longer be able to log in using the account. Use the format specified to the right of the field.

   Note: For the account to be available indefinitely, leave the Terminate Account On field blank.

9. In the Login Server Privileges list, select which privileges to grant the user on the Login Server, Full Administrator or End User.

10. Click Create.

    Note: When you click Create, a link is displayed at the top of the page that you can click to edit the Oracle9iAS Single Sign-On user account. You can also create additional user accounts, or click Close to return to exit the Create User page

11. Click Close.

    See Also: "Editing User Accounts" for information about editing Oracle9iAS Single Sign-On user accounts "Deleting User Accounts" for information about deleting Oracle9iAS Single Sign-On user accounts

Editing User Accounts

The Edit User page is used to specify the properties of Oracle9iAS Single Sign-On user accounts, such as passwords, account termination dates, and Login Server privileges.

Table 3-2 describes the fields in the Edit User page.

Note: You can also use this page to delete a user account.

Table 3-2 Edit User Page

Field	Description
User Details
User Name	Edit the account's username. See Also: "Usernames and Passwords" for information about specifying usernames.
Administrator's Password	Enter your password to confirm that you have the authority to reset user account passwords. Note: You only need to enter your password if you are resetting a user's password.
Password	Enter a new password for the account. The user uses this password to confirm that he or she is authorized to log in using the account. See Also: "Usernames and Passwords" for information about specifying passwords
Confirm Password	Enter the new password again to confirm that you entered it correctly in the Password field.
E-mail Address	Enter the user's e-mail address.
Account Activation and Termination
Activate Account On	Edit the date when the user can start using the account. Use the format specified to the right of the field.
Terminate Account On	Edit the date when the user will no longer be able to use the account. Use the format specified to the right of the field. Note: If you want the account to be available indefinitely, leave this field blank.
Login Server Privileges
Login Server Privilege Level	Select which privileges to grant the user on the Login Server. End User: The user has no administrative privileges on the Login Server Full Administrator: The user is a Login Server administrator and has full administrative privileges on the Login Server.

Perform the following steps to edit an Oracle9iAS Single Sign-On user account.

1. Navigate to the Oracle9iAS Portal home page.

2. In the User portlet, select the username of the Oracle9iAS Single Sign-On user account that you want to edit from the provided list.

   By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.

3. Click Edit.

   The Edit User page displays.

4. Edit the appropriate fields, as described in Table 3-2.

5. Click Close.

   See Also: "Administering Passwords" "Exporting and Importing User Accounts" "Administrator Roles" "Deleting User Accounts" Oracle9iAS Portal online documentation for information about editing Oracle9iAS Portal user accounts

Deleting User Accounts

This section describes how to delete Oracle9iAS Single Sign-On user accounts.

When you delete a user's Oracle9iAS Single Sign-On account, the user can no longer log in to applications through Oracle9iAS Portal. The user can still log in to external applications but must use the username and password for that particular external application.

Deleting an Oracle9iAS Portal user account does not delete the corresponding Oracle9iAS Single Sign-On user account. The user can therefore still log in to other applications using the Oracle9iAS Single Sign-On user account. Also, if the user attempts to log in to Oracle9iAS Portal using the Oracle9iAS Single Sign-On user account, a new Oracle9iAS Portal user account is automatically created. To prevent a user from logging in to Oracle9iAS Portal, ensure that the user is not an authorized Oracle9iAS Single Sign-On user.

To delete a user account:

• You must be an Oracle9iAS Portal administrator to access the Administer tab of the Oracle9iAS Portal home page and delete an Oracle9iAS Portal user account.

• You must be a Login Server administrator to delete a Oracle9iAS Single Sign-On user account.

  See Also: "Creating User Accounts" for information about creating Oracle9iAS Single Sign-On user accounts "Editing User Accounts" for information about editing Oracle9iAS Single Sign-On user accounts Oracle9iAS Portal online documentation for information about deleting Oracle9iAS Portal user accounts

Perform the following steps to delete a Oracle9iAS Single Sign-On user account using Oracle9iAS Portal:

1. Navigate to the Oracle9iAS Portal home page.

2. In the User portlet, enter the username of the user account that you want to delete in the Name field or select it from the provided list.

   By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.

3. Click Delete.

4. A confirmation dialog is displayed. Click Yes.

5. You should also delete the user's Oracle9iAS Portal user account. If you do not delete the account, and you create another Oracle9iAS Single Sign-On with the same username, the user will automatically have the same Oracle9iAS Portal privileges as the old user account.

Exporting and Importing User Accounts

You can export Oracle9iAS Single Sign-On user accounts from a source Login Server to a target Login Server using the following scripts provided with Oracle9iAS Portal:

• For UNIX:

  ssoexp.csh and ssoimp.csh
  
  

• For Windows NT:

  ssoexp.cmd and ssoimp.cmd
  
  

Before you can import applications or content areas into an instance of Oracle9iAS Portal, you must first import the Oracle9iAS Single Sign-On user accounts used by those applications and content areas to the Login Server used by that instance of Oracle9iAS Portal.

Exporting User Accounts

Perform the following steps to export Oracle9iAS Single Sign-On user accounts.

1. Start a command line prompt.

2. Change to the src/wwu directory of the directory in which Oracle9iAS Portal is installed.

3. For UNIX systems, enter the following:

   ssoexp.csh -s sso_schema [-p sso_password] [-d dump_file_name] [-c connect_string]
   
   

   For Windows NT systems, enter the following:

   ssoexp.cmd -s sso_schema [-p sso_password] [-d dump_file_name] [-c connect_string]
   
   

   where:

   sso_schema	is the database schema in which the source Login Server is installed. Example: PORTAL30_SSO Note: You must provide a value for this parameter.
   sso_password	is the password for the above schema. The default filename is sso_schema
   dump_file_name	is the file name you want to give the dump file created by the export script. The default filename is sso.dmp
   connect_string	is the connect string for the database in which the source Login Server is installed. You must provide the connect string only if you are performing the export from a different database.

   Example:

   ssoexp.csh -s portal30_sso -p portal30_sso -d export_sso.dmp -c orcl
   
   

4. Press Enter or Return.

   A dump file with the filename you specified is created that contains all of the required data for the Oracle9iAS Single Sign-On user accounts in the source Login Server.

   You can now use the dump file to import Oracle9iAS Single Sign-On user accounts into the target Login Server.

Importing User Accounts

Perform the following steps to import Oracle9iAS Single Sign-On user accounts.

1. Ensure that the Oracle9iAS Single Sign-On user accounts have been exported, and that the dump file is located in the src/wwu directory of the directory in which Oracle9iAS Portal is installed.

2. Start a command line prompt.

3. Change to the src/wwu directory.

4. For UNIX systems, enter the following:

   ssoimp.csh -s sso_schema [-p sso_password] [-o 
   from_sso_schema] [-d dump_file_name] [-m merge_mode]
   [-u db_user_mode] [-c connect_string]
   
   

   For Windows NT systems, enter the following:

   ssoimp.cmd -s sso_schema [-p sso_password] [-o 
   from_sso_schema] [-d dump_file_name] [-m merge_mode] 
   [-u db_user_mode] [-c connect_string]
   
   

   where:

   sso_schema	is the database schema in which the target Login Server is installed. Example: PORTAL30_SSO Note: You must provide a value for this parameter.
   sso_password	is the password for the above schema The default filename is sso_schema
   from_sso_schema	is the database schema in which the source Login Server is installed. The default filename is sso_schema
   dump_file_name	is the name of the dump file you want to use to import Oracle9iAS Single Sign-On user accounts. The default filename is sso.dmp
   merge_mode	is the mode used to determine what happens if an Oracle9iAS Single Sign-On user account with the same username already exists on the target Login Server. reuse mode: If an Oracle9iAS Single Sign-On user account with the same username already exists in the target Login Server, keep the existing user check mode: Does not actually import any Oracle9iAS Single Sign-On user accounts, but produces a list of duplicate usernames and their roles, so that you can decide what to do about duplications before performing the import
   db_user_mode	is the mode used to determine which database schema to use for Oracle9iAS Single Sign-On user accounts. public-user mode: Resets every Oracle9iAS Single Sign-On user account to use the Oracle9iAS Portal public schema. database-user mode: Uses the database schema specified for each Oracle9iAS Single Sign-On user account if it exists in the target database. If the specified database schema does not exist in the target schema, it is reset to the Oracle9iAS Portal public schema. The default filename is database_user
   connect_string	is the connect string for the database in which the target Login Server is installed. You must provide the connect string only if you are performing the import from a different database.

   Example:

   ssoimp.csh -s newportal30_sso -p newportal30_sso -o portal30_sso -d export_
   sso.dmp -m reuse -u public_user -c orcl
   

5. Press Enter or Return.

   The passwords of all the Oracle9iAS Single Sign-On user accounts imported into the target Login Server are reset to the username of the account. You should advise users to change their passwords as soon as possible after the import.

   Warning: Advise users to change their passwords immediately after the import.

   Note: To create a log file for the export or import scripts, redirect the screen output to a file, as in the following example: ssoexp.csh -s portal30_sso -p portal30_sso -d export_sso.dmp -c orcl | tee export.log

Administering Passwords

For security purposes, the Login Server administrator specifies password expiration dates. Passwords must also be reset immediately if they are compromised or forgotten.

Changing a password in the Login Server affects access to all of the Oracle9iAS Single Sign-On applications, not just Oracle9iAS Portal. If a user's password is not changed before its expiration date, the user cannot log in until the Login Server administrator resets it for the user.

To administer passwords:

• You must be a Login Server administrator to reset a user's password.

• You must be an Oracle9iAS Portal administrator to access the Administer tab of the Oracle9iAS Portal home page.

This section contains the following topics:

• Change Password Page

• Resetting the Administrator's Password

• Resetting User Passwords

• Installing the Password Reset Feature

• Reset Password Page Example

• WWSSO_ALERT Package Body Example

Change Password Page

The Change Password page is used to change passwords.

Table 3-3 describes the fields in the Change Password page.

Table 3-3 Change Password Page

Field	Description
User Name	Displays the username.
Old Password	Enter the password that you currently use to log in.
New Password	Enter a new password. See Also: "Usernames and Passwords" for information about specifying passwords
Confirm New Password	Enter the new password again to confirm that you entered it correctly in the New Password field.

Resetting the Administrator's Password

Perform the following steps to change the Login Server administrator password.

1. In the top right corner of your home page, click Account Info.

   The Edit Account Information page displays.

2. In the top right corner of the Edit Account Information page, click Change Password.

   The Change Password page displays.

3. In the Old Password field, enter the password that you currently use to log in.

4. In the New Password field, enter the new password.

   See Also: "Usernames and Passwords" for information about specifying passwords

5. Enter the same password in the Confirm New Password field to confirm that you entered it correctly.

6. Click OK to return to the Edit Account Information page.

7. Click OK to return to your home page.

   The next time you log in, use the new password.

Resetting User Passwords

Perform the following steps to reset a user's password.

1. Navigate to the Oracle9iAS Portal home page.

2. In the User portlet, select the username of the user account for which you want to reset the password from the provided list.

   By default, the User portlet is located on the Administer tab of the Oracle9iAS Portal home page.

3. Click Edit.

4. In the Administrator's Password field, enter your password to confirm that you have the authority to reset user account passwords.

5. In the Password field, enter the new password for the user.

6. Enter the same password in the Confirm Password field to verify that you entered it correctly.

   You should advise new users to change their password the first time they log in.

   Note: You can establish restrictions on what can be used as a password. For example, you can restrict passwords to a minimum number of characters or to include at least one numeric character.

   See Also: "Configuring the Login Server" in Chapter 2, "Administrative Basics", for information about establishing restrictions on passwords

7. Click OK.

Installing the Password Reset Feature

Sometimes users forget their passwords and must have them reset. The Login Server offers a feature that resets a user's password to a random value and then notifies the user of the new password.

This feature can present a security risk, because the user is not authenticated when requesting a reset password for a particular user account. For this reason, the password reset feature is not enabled by default and must be installed.

Perform the following steps to install the password reset feature.

1. On the database where the Login Server is installed, log in to SQL*Plus as the Login Server schema, as in the following example:

       sqlplus portal30_sso/portal30_sso
   
   

2. Enter the following:

   @ssoreset
   
   

   The ssoreset script creates the WWSSO_APP_ACCOUNT package in the Login Server schema and grants execute privileges on the WWSSO_APP_ACCOUNT package to PUBLIC.

   WWSSO_APP_ACCOUNT contains a single procedure, reset_password, that resets a password to a random value.

3. After resetting the password, the reset_password procedure calls the WWSSO_ALERT.password_reset_notification procedure.

   The WWSSO_ALERT.password_reset_notification procedure informs the user of the new password. If you do not enable the password reset feature, the WWSSO_ALERT.password_reset_notification procedure does not inform the user of the change.

   Note: By default, implementation of the WWSSO_ALERT package body, created during the installation of the Login Server, does not alert the user when the password is reset. You must replace the WWSSO_ALERT package body with an implementation that sends the user the new password; for example, through e-mail, using UTL_SMTP or workflow. If you do not replace the WWSSO_ALERT package body, the password is reset to an unknown value, and the user still cannot log in.

   The WWSSO_ALERT package specification is as follows:

                 CREATE OR REPLACE PACKAGE wwsso_alert
                 IS
                   /* General failure exception. This will be used
                   * by the UI to alert the user that the notification
                   * failed
                   */
                   NOTIFICATION_FAILURE EXCEPTION;
                   PROCEDURE password_reset_notification
                   (
                   p_user VARCHAR2,
                   p_password VARCHAR2,
                   p_email VARCHAR2 DEFAULT NULL
                   );
                 END wwsso_alert;
   
   

   See Also: "WWSSO_ALERT Package Body Example" for an example of a package body that sends the newly assigned password through e-mail.

4. Create a page that calls the reset_password procedure to allows users to reset their passwords.

Reset Password Page Example

The following is an example of how to design a page for resetting a user's password.

 <HTML>
  <HEAD>
  <TITLE="Reset password">
  </HEAD>
  <BODY>
   <H1>Reset password</H1>
   <FORM ACTION="http://server.domain[:port]/pls/dad/
   schema.WWSSO_APP_ACCOUNT.RESET_PASSWORD">
   <B>User Name: </B>
   <INPUT TYPE="TEXT" NAME="p_user">
   <BR><BR>
   <INPUT TYPE="HIDDEN" NAME="p_back_url"
   VALUE="http://server.domain[:port]/pls/dad/schema.home">
   <INPUT TYPE="HIDDEN" NAME="p_error_url"
   VALUE="http://server.domain[:port]/pls/dad/schema.error">
   <INPUT TYPE="SUBMIT" VALUE="Reset Password">
   <FORM>
  </BODY>
 </HTML>

Note: After the password for a username is reset using the reset_password procedure, the page must pass at least a username (p_user) and the URL of a page to which to return (p_back_url). The page may also pass the URL of a page to display if any errors are encountered (p_error_url).

See Also: "Installing the Password Reset Feature"

WWSSO_ALERT Package Body Example

The following is an example of how you might implement the WWSSO_ALERT package body for informing a user of the new password after resetting it.

set define ON
set verify OFF

CREATE or REPLACE PACKAGE BODY wwsso_alert
IS

   PROCEDURE send_mail
   (
    p_sender IN VARCHAR2,
     p_recipient IN VARCHAR2,
     p_message IN VARCHAR2
   )
   IS
     mailhost VARCHAR2(80) := '&smtp_server';
     mail_conn utl_smtp.connection;
   BEGIN
     mail_conn := utl_smtp.open_connection(mailhost, 25);
     utl_smtp.helo(mail_conn, mailhost);
     utl_smtp.mail(mail_conn, p_sender);
     utl_smtp.rcpt(mail_conn, p_recipient);
     utl_smtp.data(mail_conn, p_message);
     utl_smtp.quit(mail_conn);
   END;

   PROCEDURE password_reset_notification
  (
     p_user VARCHAR2,
     p_password VARCHAR2,
     p_email VARCHAR2 DEFAULT NULL
   )
   IS
   BEGIN
     send_mail
     (
       p_sender => '&password_administrator',
       p_recipient => p_email,
       p_message => p_user || 'Your new password is ' || p_password
     );
   EXCEPTION
     when OTHERS then
     raise NOTIFICATION_FAILURE;
   END;

END wwsso_alert;
 /

show errors PACKAGE BODY wwsso_alert