Skip Headers
Oracle® Beehive Installation Guide
Release 1 (1.4) for Linux x86

Part Number E13791-03
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

31 Oracle Beekeeper Post-Installation Procedures

Oracle Beekeeper is available for Oracle Beehive Release 1 (1.3) and later.

Depending on your security requirements or any other issue particular to your deployment, perform one or more of the following procedures after installing Oracle Beekeeper:

Configuring Oracle Beekeeper for SSL Access

  1. Create a keystore with the following command. The keytool command is located in <Oracle Beekeeper home>/jdk/bin. The following example will create a keystore named server.keystore in the directory <Oracle Beekeeper home> with the password welcome:

    keytool -genkey -keyalg "RSA"
      -keystore <Oracle Beekeeper home>/server.keystore
      -storepass welcome -validity 90
    

    Note:

    For more information about the keytool utility, refer to http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.

    For additional information, refer to "Using Keys and Certificates with OC4J and Oracle HTTP Server" and "Using SSL with Standalone OC4J" in Chapter 15, "SSL Communication with OC4J" in Oracle Containers for J2EE Security Guide.

  2. Make a copy of <Oracle Beekeeper home>/j2ee/home/config/default-web-site.xml and name it <Oracle Beekeeper home>/j2ee/home/config/secure-web-site.xml.

  3. In secure-web-site.xml, edit the <web-site> element. Set the port attribute to any available port number, secure to true, and protocol to https:

    <web-site
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xsi:noNamespaceSchemaLocation=
        "http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd" 
      port="4443"
      secure="true"
      protocol="https"
      display-name="Default Web Site"
      schema-major-version="11"
      schema-minor-version="1">
    

    Note:

    You may also add the attribute virtual-hosts to the <web-site> to use both SSL and virtual hosts. Refer to "Configuring Virtual Host" for more information.
  4. Add the following element inside the <web-site> element:

    <ssl-config
      keystore="<Oracle Beekeeper home>/server.keystore" 
      keystore-password="welcome"/>
    

    Set the attribute keystore to the full path name of the keystore you created previously. Set the attribute keystore-password to the password of the keystore.

  5. In <Oracle Beekeeper home>/j2ee/home/config/server.xml, edit the <web-site> element and add the attribute path="./secure-web-site.xml":

    <web-site path="./secure-web-site.xml"/>
    
  6. Restart OC4J as described in "Restarting OC4J".

Configuring Oracle Beekeeper with Oracle Wallet

If you have configured Oracle Beehive for SSL access and you want to add or modify a directory profile, you must specify the location of an Oracle Wallet configured for Oracle Beehive in the UnmanagedOc4J component in which Oracle Beekeeper runs.

Note:

For information about directory profiles (or LDAP mapping profiles), refer to "Step 1: Creating an LDAP Mapping Profile" in "Integrating and Synchronizing LDAP with Oracle Beehive".

For more information about configuring Oracle Wallet for Oracle Beehive, refer to "Step 2: Configuring Oracle Beehive Instance to Use Oracle Wallet" in "Configuring TLS with Oracle Wallet".

  1. Retrieve the component identifier for UnmanagedOc4j with the beectl list_components command. You may call this command from any Oracle Beehive application tier:

    beectl list_components --type UnmanagedOc4j
       
    ----------------+-------------------------------------------------------------
    Component type  | Component identifier             
    ----------------+-------------------------------------------------------------
    UnmanagedOc4j   | e084c8c8-4a78-4852-8699-480b9bf4f79c
    ----------------+--------------------------------------------------------------
    
  2. Set the WalletDir property in the UnmanagedOc4j component to the location of your Oracle Wallet:

    beectl modify_property
      --component <UnmanagedOc4J identifier>
      --name WalletDir
      --value <Oracle Wallet directory>
    
  3. Activate the configuration:

    beectl activate_configuration
    

Changing Oracle Beekeeper Port

  1. Edit the file <Oracle Beekeeper home>/j2ee/home/config/default-web-site.xml and modify the port attribute in the <web-site> element to any available port number:

    <web-site ... port="7779" ... >
    
  2. Restart OC4J as described in "Restarting OC4J".

Extending Java Single Sign-On Session Timeout

To extend the Java Single Sign-On session timeout for Oracle Beekeeper, add the highlighted text to the file <Oracle Beekeeper home>/j2ee/home/config/jps-config.xml:

<serviceInstance name="idm" provider="idm.provider">
    <description>JSSO Authentication Configuration</description>
    <property name="idm.authentication.name" value="JavaSSO"/>
    <property name="idm.token.asserter.class" 
      value="oracle.security.jps.internal.jsso.SSOCookieTokenAsserter"/>
    <property name="idm.token.collector.class"
      value="oracle.security.jps.internal.jsso.SSOCookieTokenCollector"/>
    <property name="idm.token.type" value="COOKIE_TOKEN"/>
    <property name="idm.token.collector.cookie.1" value="ORA_OC4J_SSO"/>
    <property name="custom.sso.url.login" value="/jsso/SSOLogin"/>
    <property name="custom.sso.url.logout" value="/jsso/SSOLogout"/>
    <property name="custom.sso.cred.key" value="JSSO_KEY"/>
    <property name="custom.sso.cred.alias" value="JSSO_ALIAS"/>
    <property name="custom.sso.session.timeout" value="3600"/>
  </serviceInstance>

After making changes to the jps-config.xml file, restart OC4J as described in "Restarting OC4J".

For more information about Java Single Sign-On, refer to Chapter 14, "OC4J Java Single Sign-On" in Oracle Containers for J2EE Security Guide.

Configuring Oracle Beekeeper for LDAP-Based Authentication

You may configure Oracle Beekeeper so that it authenticates its users with credentials stored in your LDAP directory. These steps apply only if you have integrated and synchronized your Oracle Beehive instance with Oracle Internet Directory. Refer to "Integrating and Synchronizing LDAP with Oracle Beehive" for more information.

  1. Edit the file <Oracle Beekeeper home>/j2ee/home/application-deployments/javasso/jps-config.xml and update the values that are highlighted in the following excerpt with configuration information that corresponds to your LDAP directory:

    <serviceInstance name="beehive.ldap.loginmodule" 
      provider="jaas.login.provider">
      <description>Beehive LDAP Login Module</description>
      <property name="loginModuleClassName" 
        value="oracle.ocs.csi.authentication.login.modules.OcsLdapLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      <property name="oracle.security.jaas.ldap.user.object.class" 
        value="inetOrgPerson"/>
      <property name="oracle.security.jaas.ldap.provider.connect.pool" 
        value="true"/>
      <property name="oracle.security.jaas.ldap.provider.credential" 
        value="!welcome1"/>
      <property name="oracle.security.jaas.ldap.provider.type" value="other"/>
      <property name="oracle.security.jaas.ldap.provider.url" 
        value="ldap://ldapserver:389"/>
      <property name="oracle.security.jaas.ldap.role.searchscope" value="subtree"/>
      <property name="oracle.security.jaas.ldap.user.searchscope" value="subtree"/>
      <property name="oracle.security.jaas.ldap.user.searchbase" 
        value="cn=Users,dc=us,dc=oracle,dc=com"/>
      <property name="oracle.security.jaas.ldap.role.searchbase" 
        value="cn=Users,dc=us,dc=oracle,dc=com"/>
      <property name="oracle.security.jaas.ldap.role.object.class" 
        value="groupOfUniqueNames"/>
      <property name="oracle.security.jaas.ldap.role.name.attribute" value="cn"/>
      <property name="oracle.security.jaas.ldap.provider.user" 
        value="cn=orcladmin"/>
      <property name="oracle.security.jaas.ldap.user.name.attribute" value="uid"/>
      <property name="oracle.security.jaas.ldap.membership.searchscope" 
        value="direct"/>
      <property name="oracle.security.jaas.ldap.member.attribute" 
        value="uniqueMember"/>
      <property name="oracle.security.jaas.ldap.lm.cache_enabled" value="true"/>
      <property name="authenticated.role.name" value="authenticated-role"/>
    </serviceInstance>
    

    Tips:

    Obtain values for jps-config.xml from the following file:
    <Oracle Beehive home>/j2ee/
      <any OC4J container>/config/system-jazn-data.xml
    

    For example,

    <Oracle Beehive home>/j2ee/BEEAPP/config/system-jazn-data.xml
    

    Look for the <application> element that contains the element <name>beehive-auth-framework-password</name>.

    Prepend the clear-text password (the value of oracle.security.jaas.ldap.provider.credential of the administrator's account (the value of oracle.security.jaas.ldap.provider.user) with an exclamation point (!). The exclamation point will obfuscate the password the next time OC4J is restarted.

  2. In the same file (jps-config.xml), update the <jpsContexts> element with the highlighted value:

    <jpsContexts default="ldap">
    
  3. Edit the file <Oracle Beekeeper home>/j2ee/home/application-deployments/beekeeper/jps-config.xml) and make the same changes as in step 1.

  4. In the same file (<Oracle Beekeeper home>/j2ee/home/application-deployments/beekeeper/jps-config.xml), update the <jpsContexts> element with the highlighted value:

    <jpsContexts default="jsso-ldap">
    
  5. Restart OC4J as described in "Restarting OC4J"..

Configuring Virtual Host

  1. Add virtual-hosts="beehive_admin.us.oracle.com" to the <web-site> element in default-web-site.xml. (Replace beehive_admin.us.oracle.com with the name of your virtual host.)

    <web-site
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xsi:noNamespaceSchemaLocation=
        "http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd" 
      port="7778"
      secure="false"
      protocol="http"
      display-name="Default Web Site"
      schema-major-version="11"
      schema-minor-version="1" 
      virtual-hosts="beehive_admin.us.oracle.com">
    
  2. Restart OC4J as described in "Restarting OC4J".

Restarting OC4J

For information about starting and stopping OC4J, refer to Chapter 5, "Starting and Stopping OC4J" in Oracle Containers for J2EE Configuration and Administrator's Guide.