Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2)
This chapter discusses configuring OC4J to use the Oracle Internet Directory (OID) LDAP-based provider. It contains the following sections:
Some LDAP properties affect the entire OC4J instance; these properties are discussed in "Specifying OracleAS JAAS Provider Settings" .
You normally associate OC4J with infrastructure at the time of installation. However, you can also associate OC4J with infrastructure later using Oracle Enterprise Manager 10g Application Server Control Console. See the Oracle Enterprise Manager 10g help topic "Application Server Infrastructure Page".
When you associate an OC4J instance with an Oracle Application Server Infrastructure (including the Oracle Internet Directory), your application can leverage the LDAP-based provider for central management of users.
Before using the LDAP-based provider, you must create certain users and groups in Oracle Delegated Administration Services and grant those users and groups the appropriate permissions.
If you specify the LDAP-based provider globally in the /config/application.xml configuration file, then you must also create an anonymous user, as discussed in "Creating an anonymous User Using ldapmodify". Under normal conditions, you do not need to modify application.xml. The principal reason to do so is to configure the default application in an OC4J instance to use the LDAP-based provider as its user manager. The default application is a system application that OC4J creates for internal use. (See the deployment and configuration overview in the Oracle Application Server Containers for J2EE Servlet Developer's Guide for information about the OC4J default application.)
You can set up the appropriate groups and users with the oracle.security.jazn.util.LoadOidData tool, which is part of the jazncore.jar library supplied in the ORACLE_HOME directory. You run the tool with the command line:

java -cp ./jazncore.jar oracle.security.jazn.util.LoadOidData
The syntax for this tool is:

LoadOidData [-h ldaphost] [-p ldapport] [-D binddn] [-w passwd] [-f filename] [-oc4jAdminPwd passwd] [-ignoreError true|false]

The supported options are:

-h ldaphost: the host name of the Oracle Internet Directory (LDAP) server
-p ldapport: the port of the LDAP server
-D binddn: the distinguished name of the Oracle Internet Directory administrator (cn=orcladmin in the example below)
-w passwd: the password of the Oracle Internet Directory administrator
-f filename: the file containing the entries to be loaded; the example below uses the oidConfigForOc4j.sbs file shipped under the jazn/install directory of the OC4J home
-oc4jAdminPwd passwd: the password that will be assigned to the OC4J administrator
-ignoreError true|false: whether the tool continues after reporting an error (if true) or stops as soon as it encounters an error (if false)
For example, assume the password of the Oracle Internet Directory administrator (cn=orcladmin) is welcome1 and the password to assign to the OC4J administrative user is welcome2. The command line (assuming the J2EE_HOME environment variable points to the OC4J home directory, which ends in /j2ee/home) would be:

java -cp $J2EE_HOME/jazncore.jar oracle.security.jazn.util.LoadOidData -h oidhost -p oidport -D cn=orcladmin -w welcome1 -f $J2EE_HOME/jazn/install/oidConfigForOc4j.sbs -oc4jAdminPwd welcome2

Replace oidhost and oidport with the host name and port of your Oracle Internet Directory server. The passwords welcome1 and welcome2 are placeholders; choose strong passwords, and be aware that passwords passed on the command line are recorded in the shell history and are visible to other users of the host (for example, through ps) while the tool runs.
After you run this tool, your default Oracle Identity Management realm will contain the following:
An administrative user that is a member of the administrators group will have the following permissions:
Finally, you must set the ldap.user property to admin and the ldap.password property to the appropriate password, as discussed in "Configuring LDAP SSL Properties".
You create an anonymous user by creating an LDIF (LDAP Data Interchange Format) file, then supplying the LDIF file as input to the ldapmodify tool. An appropriate LDIF file is shown in Example 7-1. Note that you must replace yourDistinguishedName with the distinguished name of the default identity management realm. The entry carries no userPassword attribute and is created with orclisenabled set to disabled, so nobody can bind to the directory as this user; it exists only as the identity that OC4J assigns to unauthenticated requests.

Example 7-1 An anony.ldif file to Create anonymous User

dn: cn=anonymous, cn=Users, yourDistinguishedName
changetype: add
uid: anonymous
givenName: anonymous
cn: anonymous
sn: anonymous
description: This entry is used as the identification for unauthenticated users.
orclisenabled: disabled
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: orcluser
objectClass: orcluserV2
After you have created your anony.ldif file, use the ldapmodify command to add the anonymous user. The syntax for this command is:

ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w password -h hostname -p port -f anony.ldif

When you issue this command, replace password, hostname, and port with the Oracle Internet Directory administrator password, host name, and port for your installation.
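As an added example (not from the Oracle guide), the following POSIX shell script generates the anony.ldif file of Example 7-1 for a realm DN you pass in, checks the result before it is loaded (the entry must be disabled, must carry no userPassword, and must sit under cn=Users of the realm), and wraps the ldapmodify command above so that the orcladmin password is taken from an environment variable instead of being typed into the shell. The realm DN dc=example,dc=com, the variable name OID_ADMIN_PW, and the use of ORACLE_HOME from the environment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: build and check the anony.ldif of
# Example 7-1 before loading it with ldapmodify.

# make_anony_ldif REALM_DN -> prints the LDIF for the anonymous entry to stdout.
# REALM_DN is the distinguished name of the default identity management realm
# (the yourDistinguishedName placeholder of Example 7-1).
make_anony_ldif() {
    realm_dn=$1
    case "$realm_dn" in
        *=*) ;;
        *) echo "make_anony_ldif: '$realm_dn' is not a distinguished name" >&2; return 1 ;;
    esac
    cat <<EOF
dn: cn=anonymous,cn=Users,$realm_dn
changetype: add
uid: anonymous
givenName: anonymous
cn: anonymous
sn: anonymous
description: This entry is used as the identification for unauthenticated users.
orclisenabled: disabled
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: orcluser
objectClass: orcluserV2
EOF
}

# check_anony_ldif FILE -> returns 0 only if the entry is safe to load:
# it is disabled (nobody can bind as it), carries no userPassword, and is
# placed under cn=Users of the realm where OC4J expects it.
check_anony_ldif() {
    f=$1
    grep -qi '^dn: *cn=anonymous, *cn=Users,' "$f" \
        || { echo "check: dn is not cn=anonymous under cn=Users" >&2; return 1; }
    grep -qi '^orclisenabled: *disabled *$' "$f" \
        || { echo "check: entry is not disabled" >&2; return 1; }
    if grep -qi '^userPassword:' "$f"; then
        echo "check: the anonymous entry must not carry a password" >&2; return 1
    fi
    return 0
}

# load_anony_ldif FILE HOST PORT -> the ldapmodify command from the guide.
# The orcladmin password is read from OID_ADMIN_PW (an assumed variable name)
# so it does not land in shell history; it is still visible to ps on the host
# while ldapmodify runs, so run this on a trusted administration host only.
load_anony_ldif() {
    [ -n "$OID_ADMIN_PW" ] || { echo "load: set OID_ADMIN_PW first" >&2; return 1; }
    check_anony_ldif "$1" || return 1
    "$ORACLE_HOME/bin/ldapmodify" -D cn=orcladmin -w "$OID_ADMIN_PW" -h "$2" -p "$3" -f "$1"
}

# Offline demonstration with a constructed realm DN; no directory connection is made.
demo_file=${TMPDIR:-/tmp}/anony.$$.ldif
make_anony_ldif "dc=example,dc=com" > "$demo_file"
check_anony_ldif "$demo_file" && echo "anony.ldif written and checked: $demo_file"
```

To load the entry for real, export OID_ADMIN_PW and ORACLE_HOME, then call load_anony_ldif with the generated file and the host and port of your Oracle Internet Directory server; the check runs again immediately before ldapmodify so a hand-edited file that re-enables the account or adds a password is refused.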
Before beginning development, you must ensure that the operating-system-specific environment variable controlling the loading of dynamic libraries (for example, LD_LIBRARY_PATH on Solaris) is set appropriately. See Table 2-5, "Dynamic Library Path Settings" for details.
When you manage OC4J with Oracle Enterprise Manager, it sets this variable automatically.
To create users and groups when using the LDAP-based provider, you use the Oracle Delegated Administration Services tools. For details, see Oracle Identity Management Guide to Delegated Administration.