Oracle® Collaboration Suite Administrator's Guide 10g Release 1 (10.1.2) for Windows or UNIX, Part Number B25490-05
The Infrastructure component of Oracle Collaboration Suite is the Oracle Application Server 10g instance (or instances) that hosts the centralized databases and services used by most or all of the Oracle Collaboration Suite applications.
These components and databases include:
Identity Management Services (IM)
OracleAS Metadata Repository (MR)
Delegated Administration Services (DAS)
Single Sign-On service (SSO)
Oracle Directory and Integration Provisioning Server (DIP)
Oracle Internet Directory (OID)
This chapter describes how to manage various parts of the Oracle Collaboration Suite Infrastructure. You will perform most of these management tasks using Enterprise Manager Application Server Control Console for Oracle Collaboration Suite (OCS Control).
This chapter does not address topics about managing the actual databases that reside on the Infrastructure. For information about managing your Oracle Collaboration Suite databases, see Chapter 6, "Managing Oracle Collaboration Suite Databases".
This chapter contains the following topics:
This section explains how to enable the single sign-on server to support multiple realms within one instance of the Oracle Identity Management infrastructure. You may use different realms, or namespaces, within one instance of the Oracle Identity Management infrastructure to set and store Oracle configuration information unique to different sets of users.
Note: Oracle Collaboration Suite 10g does not support 'multi-tenancy'. Although you may set up multiple realms to manage distinct populations of users, you cannot partition Oracle Collaboration Suite, such as for Internet Service Providers (ISPs). Mail users from one domain can see Mail users from all other domains.
Realm configuration is a three-part process that consists of the following:
Creating realms in Oracle Internet Directory
"Turning on" multiple realms in OracleAS Single Sign-On
Making Oracle Collaboration Suite applications aware of identity management realms
This section contains the following topics:
The authentication sequence for single sign-on to multiple realms is much the same as it is for single sign-on in a single, default realm. The only difference from the user's perspective is that, when a user affiliated with a non-default realm is presented with the login screen (see Figure 7-1), he or she must enter not only a user name and password but also a new credential: the realm nickname. The value entered is case insensitive.
This section covers the following topics:
Once a user has entered these credentials, both the realm nickname and the user name are mapped to entries in Oracle Internet Directory. More specifically, the single sign-on server uses directory metadata to find the realm entry in the directory. Once it finds this entry, the single sign-on server uses realm metadata to locate the user. Once the user's entry is found, the password, an attribute of that entry, is validated. Once the password is validated, the user is authenticated.
Figure 7-1 The Big Picture: Single Sign-On in Multiple Realms
Presented with two users, both with the same nickname but affiliated with different realms, a partner application requires some mechanism for distinguishing between these users. The application requires such a mechanism because it must be able to adapt content—an OracleAS Portal page with stock news and stock listings, for instance—to match the needs of the realm requesting it. Accordingly, OracleAS release 9.0.4 adds the realm nickname, realm DN, and realm GUID as attributes passed to mod_osso. Recall that mod_osso sets a cookie, storing the retrieved attributes as HTTP headers. When deciding what content to offer up, the application may use function calls to retrieve any one of these attributes from mod_osso headers.
For detailed information about mod_osso headers and the methods used to access them, see the chapter about mod_osso in Oracle Identity Management Application Developer's Guide.
Figure 7-2 shows how applications running in mod_osso see HTTP headers for two users with the same nickname who are affiliated with two different realms. The application uses the headers that appear in bold face to distinguish between the two users. The host, or default realm, in this case is mycompany.com.
Figure 7-2 mod_osso Headers for Users with the Same Name
Configuring the single sign-on server for multiple realms involves creating an entry for each realm in the single sign-on schema. Every realm that you create in Oracle Internet Directory must have a corresponding entry in the single sign-on schema. In this process you must also create information for use by OracleAS Portal, if you want to use Portal to access Oracle Collaboration Suite.
To configure the single sign-on server for multiple realms, complete the steps that follow. Steps 1, 2, and 5 must be completed only once because these steps enable the server for multiple realms. Steps 3 and 4 must be completed each time you add a realm.
Ensure that you have installed the OracleAS infrastructure and the single sign-on server. These components are part of the default Oracle Collaboration Suite deployment.
Go to ORACLE_HOME/sso/admin/plsql/wwhost.
Run the enblhstg.csh script using the syntax that follows. Run it twice, once for sso mode and once for portal mode. See Table 7-1 for an explanation of script parameters:
enblhstg.csh -mode sso -sc sso_schema_connect_string -ss orasso -sw sso_schema_password -h oid_host_name -p oid_port -d "cn=orcladmin" -w oid_bind_password -pc dummy
enblhstg.csh -mode portal -pc portal_schema_connect_string -ps portal_schema_name -pw portal_schema_password -h OID_hostname -p OID_port -d "cn=orcladmin" -w OID_bind_password -sc dummy
Note: If the single sign-on server is part of a distributed deployment, make sure that you run the script on the computer that contains the metadata repository for OracleAS. You only need to run the portal mode if you are using, or plan to use, Oracle Collaboration Suite Portal in your deployment.
Here is an example:
enblhstg.csh -mode sso -sc webdbsvr2:1521:s901dev3 -ss orasso -sw xyz -h dlsun670.us.oracle.com -p 389 -d "cn=orcladmin" -w welcome123 -pc dummy
Add realms to Oracle Internet Directory:
Log in to the Oracle Internet Directory Provisioning Console as the orcladmin super-user:
http://<fully_qualified_oid_instance>:<port_no>/oiddas
Click Realm Management.
Enter the value for "Realm Management".
Click Submit.
Create an entry for the realm in the single sign-on database. Use the script ORACLE_HOME/sso/admin/plsql/wwhost/addsub.csh. Again, if your single sign-on server is part of a distributed deployment, run the script on the computer that contains the metadata repository.
Use the following syntax to execute the script:
addsub.csh -name realm_nickname -id realm_ID -mode both -sc sso_schema_connect_string -ss sso_schema_name -sw sso_schema_password -h oid_host_name -p oid_port -d oid_bind_dn -w oid_bind_dn_password -sp sys_schema_password -pc portal_schema_connect_string -pp portal_syspassword -ps portal_schema_name -pw portal_schema_password
Note: In the above syntax, the -mode string is set to both. If you never intend to use OracleAS Portal, you can just use the sso mode. In this case, you may omit the Portal-related flags (-pc, -pp, -ps, and -pw).
Table 7-1 defines parameters for both enblhstg.csh and addsub.csh.
Table 7-1 Parameters for enblhstg.csh and addsub.csh
| Parameter | Description |
|---|---|
| -mode | The value here may be |
| -sc | The connect string for the single sign-on schema. Use the format |
| -ss | The name of the single sign-on schema. This parameter must be |
| -sw | The password for the single sign-on schema. |
| -h | The host name for the Oracle Internet Directory server. |
| -p | The port number for the Oracle Internet Directory server. |
| -d | The bind DN for the Oracle Internet Directory server. The value of this parameter is |
| -w | The password for the Oracle Internet Directory super user, |
| -name | The realm nickname. This is the value that you enter into the company field on the login page. |
| -id | The realm ID. Choose an integer greater than 1. The value |
| -sp | The |
| -pc | The Portal schema connect string |
| -pp | The Portal system password |
| -ps | The Portal schema name |
| -pw | The Portal schema password |
Update the sample login page with the multiple realm version of the page. You do this by editing ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/login.jsp.
Note: In a distributed deployment, this file is located on the single sign-on Applications tier.
After making a backup copy of the file, search through it for the following string:
<%-- UNCOMMENT THE FOLLOWING BLOCK TO ENABLE MULTI-SUBSCRIBER SUPPORT --%>
Uncomment this section (remove the <%-- and --%> comment markers around the tr element so that the realm nickname field is rendered):
<%-- tr valign="middle">
  <td style="padding-top: 10px" align="<%= reverse? "left" : "right" %>">
    <label for="subscribername">
      <%= getString(rb, "login.form.label.subscribername") %>
    </label>
  </td>
  <td style="padding-top: 10px">
    <input type="text" name="subscribername" size="40" maxlength="255" class="textinput" value="<%= (subscribername != null) ? subscribername.trim() : "" %>">
  </td>
</tr --%>
Oracle Internet Directory propagates the DIT structure of the default realm across realms when it creates these realms. Note, however, that the users, groups, and privileges that exist in the DIT of the default realm are not propagated. The super user (the oidadmin account) or realm administrator must assign, or reassign, privileges. For more information about assigning privileges, see "Managing User Entries Using the Provisioning Console".
The Oracle Internet Directory 10g Service Registry is a new feature of Oracle Collaboration Suite 10g Release 1 (10.1.2). In order to allow the various Oracle Collaboration Suite components to easily locate interfaces (service URIs) of other components, a new directory of services has been created in the Oracle Internet Directory 10g. During the configuration of each Oracle Collaboration Suite component, URIs are recorded in the Service Registry.
This section contains the following topics:
Introduction to the Oracle Internet Directory Service Registry
URIs Recorded in the Oracle Internet Directory Service Registry
Retrieving the Contents of the Oracle Internet Directory Service Registry
Using Oracle Directory Manager to Edit the Oracle Internet Directory Service Registry
During operation, components automatically check the Service Registry to discover the correct URI for each available service. For example, Oracle Mobile Collaboration checks the Service Registry to discover the URI for Oracle Mail's IMAP server, in order to display new e-mails to a user on a wireless device.
The Service Registry is particularly important to the operation of OracleAS Portal and Oracle Collaborative Portlets. These components make many connections to the various Oracle Collaboration Suite applications in order to populate the portlets with connection URLs and summarized data.
You may need to make changes to the URIs recorded in the Service Registry from time to time. Changes must be made manually when you perform any of the following procedures:
Add a load-balancer and additional Applications tier nodes to your Oracle Collaboration Suite configuration
Install or configure OracleAS Portal and Oracle Collaborative Portlets on separate Applications tiers
Move an Applications tier to a new host computer, give it a new host name, or change ports used
Change to Secure Socket Layers (SSL) access to Oracle Collaboration Suite applications
The Oracle Internet Directory Service Registry stores a variety of information about each configured Oracle Collaboration Suite application. For the purposes of problem solving and handling changes made to Oracle Collaboration Suite applications, the most important information recorded is the set of URIs which are used to communicate between the various applications.
These URIs can be categorized into three broad groups:
Browser URLs
Web Service URLs
Other miscellaneous URIs
Browser URLs are the URLs which are provided as links for users to select, in order to navigate to the various application Web resources.
Web Service URLs are used by the various applications themselves, to query each other for data to present in their own user interfaces. For example, OracleAS Portal makes extensive use of Web Service URLs to present information such as new Oracle Mail messages and upcoming Oracle Calendar events in the Portal page. Oracle Workspaces also makes extensive use of Web Service URLs to aggregate and present resources from different Oracle Collaboration Suite applications together in a single workspace view.
In a load balanced deployment, both Browser and Web Service URIs should be load balanced and must be modified in the Service Registry if you make host or port changes. Only the Browser URIs can be set to use HTTPS (SSL).
Various other URIs are also stored in the Oracle Internet Directory Service Registry, such as the RSS feed URL provided by Oracle Discussions.
Table 7-2, "URIs Recorded in the Oracle Internet Directory Service Registry" shows a comprehensive list of URIs recorded in the Oracle Internet Directory Service Registry. Note that the path of some objects is created based on your database <db> or hostname <host> values.
Table 7-2 URIs Recorded in the Oracle Internet Directory Service Registry
| Application | Path | URI Label | URI Type |
|---|---|---|---|
| Calendar | cn=OCAD 24924 | labeleduri;adminurl: | Browser |
| | cn=OCAL 78476 | labeleduri;appuri: | |
| | cn=OCAL 78476 | labeleduri;csmuri: | |
| | cn=OCAS 90991 | labeleduri;syncserversecureurl: | Browser |
| | cn=OCAS 90991 | labeleduri;syncserverurl: | Browser |
| | cn=OCAS 90991 | labeleduri;webbaseurl: | Browser |
| | cn=OCAS 90991 | labeleduri;webserviceurl: | Web Service |
| CollaborativeWorkspaces | cn=<db> | labeleduri;adminurl: | Browser |
| | cn=<db> | labeleduri;webbaseurl: | Browser |
| | cn=<db> | labeleduri;webui: | Browser |
| | cn=emailadmin | labeleduri;adminurl: | Browser |
| | cn=imap | labeleduri: | |
| | cn=smtp | labeleduri: | |
| | cn=Webmail | labeleduri;peopleurl: | Browser |
| | cn=Webmail | labeleduri;webbaseurl: | Browser |
| | cn=Webmail | orclraparameter;webbaseurl: | Browser |
| | cn=webservice | labeleduri;webservice: | Web Service |
| Content Services | cn=FILES | labeleduri;adminurl: | Browser |
| | cn=FILES | labeleduri;s2sauthenticationurl: | Web Service |
| | cn=FILES | labeleduri;webdavurl: | Browser / WebDAV |
| | cn=FILES | labeleduri;webservicesurl: | Web Service |
| OCSClient | cn=IntegratedClient | labeleduri;baseurl: | Browser |
| | cn=IntegratedClient | labeleduri;popuplibraryurl: | Browser |
| | cn=Search | labeleduri;webbaseurl: | Browser |
| Portal | cn=ReturnToPortalURL | labeleduri: | Browser |
| RTC | cn=RTC | labeleduri;adminurl: | Browser |
| | cn=RTC | labeleduri;enduserurl: | Browser |
| | cn=RTC | labeleduri;guesturl: | Browser |
| | cn=RTC | labeleduri;integrationservicehome: | Web Service |
| | cn=RTC | labeleduri:integrationserviceurl: | Web Service |
| ThreadedDiscussions | cn=Discussions:<db>:<host> | labeleduri;adminurl: | Browser |
| | cn=Discussions:<db>:<host> | labeleduri;rss: | RSS Feed |
| | cn=Discussions:<db>:<host> | labeleduri;webbaseurl: | Browser |
| | cn=Discussions:<db>:<host> | labeleduri;webui: | Browser |
| | cn=Discussions:<db>:<host> | orclassociasinstance: | Other |
| | cn=Discussions:<db>:<host> | orclraparameter: | Other |
| Wireless | cn=WIRELESS1 | labeleduri;adminurl: | Browser |
| | cn=WIRELESS1 | labeleduri;calendarnotificationlistenerurl: | |
| | cn=WIRELESS1 | labeleduri;mobilesetupurl: | Browser |
| | cn=WIRELESS1 | labeleduri;presencewebservicesurl: | Web Service |
See Also: For instructions on locating and editing Oracle Internet Directory Service Registry URIs, see "Using Oracle Directory Manager to Edit the Oracle Internet Directory Service Registry".
You can retrieve the content of the Service Registry from the command line by using the ldapsearch tool.
Use the following command from the Oracle Collaboration Suite Infrastructure Oracle home to output the contents of the Oracle Internet Directory Service Registry:
ldapsearch -h <ldaphost> -p <ldapport> -D "cn=orcladmin" -w <orcladmin_password> -b "cn=Services,cn=OracleContext" -s sub "objectclass=*"
The following is an excerpt from an example output of this command:
.
cn=OCAL 35282,cn=VirtualServices,cn=Calendar,cn=Services,cn=OracleContext
labeleduri;csmuri=x-oracle-calendar://cfritsc5.ch.oracle.com:5734
labeleduri;appuri=x-oracle-calendar://cfritsc5.ch.oracle.com:5730
orclenabled=true
orclservicesubtype=OCAL
objectclass=top
objectclass=orclVirtualService
orclservicetype=Calendar
orclversion=10.1.1.0.0
cn=OCAL 35282
.
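Reviewing that output by hand is error-prone once several Applications tiers are registered, so here is an added Python example (not part of the Oracle documentation) that parses a constructed sample modelled on the excerpt above, lists every labeleduri value, plans the host substitution needed when an Applications tier moves behind a load balancer, and flags Browser URIs (as classified in Table 7-2) still served over plain http://. The host names, ports and paths in the sample are invented placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample modelled on the ldapsearch excerpt above; hosts and ports are invented.
SAMPLE_OUTPUT = """\
cn=OCAL 35282,cn=VirtualServices,cn=Calendar,cn=Services,cn=OracleContext
labeleduri;csmuri=x-oracle-calendar://apps1.example.com:5734
labeleduri;appuri=x-oracle-calendar://apps1.example.com:5730
orclenabled=true
cn=OCAL 35282

cn=OCAS 90991,cn=VirtualServices,cn=Calendar,cn=Services,cn=OracleContext
labeleduri;webbaseurl=http://apps1.example.com:7777/ocas-bin/ocas.fcgi
labeleduri;webserviceurl=http://apps1.example.com:7777/ocws-bin/ocas.fcgi
orclenabled=true
cn=OCAS 90991
"""

# URI labels that Table 7-2 classifies as Browser URIs: the only ones that may use HTTPS.
BROWSER_LABELS = {"adminurl", "webbaseurl", "webui", "baseurl", "enduserurl", "guesturl",
                  "peopleurl", "syncserverurl", "syncserversecureurl", "mobilesetupurl",
                  "popuplibraryurl", "webdavurl"}

def parse_registry(text):
    """Return {dn: {attribute: [values]}} from ldapsearch's attr=value output.
    Each entry starts with its DN line and ends at a blank line."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        dn, attrs = lines[0], {}
        for line in lines[1:]:
            name, _, value = line.partition("=")
            attrs.setdefault(name.lower(), []).append(value)
        entries[dn] = attrs
    return entries

def labeled_uris(entries):
    """Yield (dn, attribute, label, uri) for every labeleduri[;label] value."""
    for dn, attrs in entries.items():
        for name, values in attrs.items():
            if name.split(";")[0] == "labeleduri":
                label = name.partition(";")[2]
                for uri in values:
                    yield dn, name, label, uri

def plan_host_change(entries, old_host, new_host):
    """Return (dn, attribute, old_uri, new_uri) for every URI on old_host, e.g. when an
    Applications tier moves behind a load balancer; scheme, port and path are kept."""
    changes = []
    for dn, name, _, uri in labeled_uris(entries):
        parts = urlsplit(uri)
        if parts.hostname and parts.hostname == old_host.lower():
            netloc = re.sub(re.escape(parts.hostname), new_host, parts.netloc,
                            count=1, flags=re.IGNORECASE)
            changes.append((dn, name, uri, urlunsplit(parts._replace(netloc=netloc))))
    return changes

def plain_http_browser_uris(entries):
    """Browser URIs still served over http://, i.e. candidates to switch once SSL is enabled."""
    return [(dn, name, uri) for dn, name, label, uri in labeled_uris(entries)
            if label in BROWSER_LABELS and urlsplit(uri).scheme == "http"]
```

Feed the script the real ldapsearch output and apply the planned new values through Oracle Directory Manager as described in the next section, then restart the tiers so cached URIs are refreshed.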
To edit the Oracle Internet Directory Service Registry using the Oracle Directory Manager:
Start the Oracle Directory Manager:
Unix:
ORACLE_HOME/bin/oidadmin
Windows:
Start > Programs > Oracle Application Server > OracleHome > Integrated Management Tools > Oracle Directory Manager
When you start Oracle Directory Manager, it will prompt you for connection information. Enter the following information to connect to your Oracle Internet Directory, typically hosted in the Oracle Collaboration Suite Database on your Oracle Collaboration Suite Infrastructure:
Host: <infrahost.yourdomain.com>
Port: 389
Username: cn=orcladmin
Password: <password>
Port 389 is the default port used by Oracle Internet Directory. You may be using a different port. If so, enter the correct Oracle Internet Directory port.
If you have configured your Oracle Internet Directory to be accessed using Secure Socket Layers (SSL), select the SSL Enabled checkbox. Otherwise, leave it blank.
Select Login to log in to the Oracle Internet Directory. When the connection is successful, the Oracle Internet Directory management screen is displayed. See Figure 7-3, "Accessing Oracle Internet Directory with Oracle Directory Manager".
Figure 7-3 Accessing Oracle Internet Directory with Oracle Directory Manager
To access the Service Registry, drill down into the Oracle Internet Directory by selecting the following items in the System Objects pane:
Select Entry Management
Select cn=OracleContext
Select cn=Services
The System Objects pane displays a list of the Oracle Collaboration Suite applications which have entries in the Service Registry. The Properties tab displays the properties of the cn=Services object. See Figure 7-4, "Displaying the Service Registry with Oracle Directory Manager".
Figure 7-4 Displaying the Service Registry with Oracle Directory Manager
To display URIs stored by each component in the Service Registry, select the component in the System Objects pane. Most components will contain a cn=VirtualServices object; this object contains one or more URIs used by other applications and OracleAS Portal to access that application. Applications store URIs in one or more child objects of the cn=VirtualServices object.
Note: The Oracle Universal Installer seeds the Oracle Internet Directory with objects for every Oracle Collaboration Suite application during installation, even if you do not configure and deploy every application. These unconfigured application entries will not contain child objects of their cn=VirtualServices objects. The child objects, and the URIs they store, are created in the Service Registry by each component's Configuration Assistant when it first runs.
See Figure 7-5, "Oracle Calendar OCAL Virtual Services Object in the Service Registry" for an example of URIs stored in child objects of the cn=VirtualServices object. For illustrative purposes, the OCAL child object of Oracle Calendar is shown.
Figure 7-5 Oracle Calendar OCAL Virtual Services Object in the Service Registry
Carefully edit application URIs stored in the Service Registry, according to the specific procedure you are following. For example, if you are creating a load-balanced cluster of Applications tiers for OCAS, edit the OCAS URIs to point to the new virtual host name of the load balancer.
When you have finished editing the properties of an object, select Apply to save the new values in Oracle Internet Directory. If you decide to reject the changes you have made, select Revert to reset the displayed attributes to those currently stored in the Oracle Internet Directory.
Using opmnctl or Oracle Collaboration Suite Control, restart the Oracle Collaboration Suite Infrastructure and all Oracle Collaboration Suite Applications tiers, to clear caches that may still be storing the old URIs and to load the new URIs you have entered.
There is no need to restart the Oracle Collaboration Suite Database.