4 Configuring Oracle Enterprise Content Management Suite

This chapter explains how to configure an Oracle WebLogic Server domain for Oracle Enterprise Content Management Suite applications.

4.1 Preparing to Configure Oracle Enterprise Content Management Suite

After you have successfully run the Oracle Fusion Middleware 11g Oracle Enterprise Content Management Suite Installer, you can deploy and configure the following Oracle Enterprise Content Management Suite products as applications:

  • Oracle Universal Content Management (Oracle UCM)

  • Oracle Inbound Refinery (Oracle IBR)

  • Oracle Imaging and Process Management (Oracle I/PM)

  • Oracle Information Rights Management (Oracle IRM)

  • Oracle Universal Records Management (Oracle URM)

To configure any of these applications, you need to create or extend an Oracle WebLogic Server domain, which includes a Managed Server for each deployed application and one Administration Server. Each of these servers is an Oracle WebLogic Server instance.

Important:

Each of these applications needs to run in its own Managed Server or its own cluster of Managed Servers. You cannot deploy Oracle UCM, Oracle IBR, Oracle I/PM, Oracle IRM, or Oracle URM to a Managed Server or cluster that already has another application deployed. Oracle ECM applications should not be deployed to the Administration Server.

You can create a domain to include one or more of these applications (one Managed Server each). Or you can create a domain to include a Managed Server for at least one application and then extend the domain with Managed Servers for one or more other applications. For example, for Oracle I/PM, you can extend the domain with Oracle SOA Suite, which includes Oracle BPEL Process Manager.

Note:

The Oracle I/PM product deployment allows up to 10 GB of disk space to be used for staging simultaneous document uploads through the user interface. This cap exists to thwart malicious attacks on the server.

If you have not successfully run the installer on your system, first see Chapter 3, "Installing Oracle Enterprise Content Management Suite."

To create a domain for one or more Oracle Enterprise Content Management Suite applications, follow the instructions in Section 4.2, "Creating an Oracle WebLogic Server Domain."

To extend an existing domain for one or more Oracle Enterprise Content Management Suite applications, follow the instructions in Section 4.3, "Extending an Existing Domain."

Note:

You cannot extend a domain that has Oracle I/PM 11.1.1.2.1 or Oracle IRM 11.1.1.2.1 to include an Oracle ECM 11.1.1.3.0 application.

During the configuration, if you need additional help with any of the screens, either click the name of the screen in the instructions to see its description in Appendix B, "Oracle Enterprise Content Management Suite Configuration Screens," or click Help on the screen in the installer to access the online help.

After you create or extend a domain, you can configure Oracle Enterprise Manager Fusion Middleware Control for administration of Oracle Enterprise Content Management Suite applications. Fusion Middleware Control is deployed to the Administration Server when a domain is created. You can use Fusion Middleware Control for additional configuration tasks.

4.2 Creating an Oracle WebLogic Server Domain

You can create an Oracle WebLogic Server domain for Oracle Enterprise Content Management Suite with Fusion Middleware Configuration Wizard. When you create a domain for the suite, you configure one or more of its applications.

The configuration wizard is in the following directory. ECM_ORACLE_HOME represents the ECM Oracle home directory, where Oracle Enterprise Content Management Suite is installed:

  • UNIX operating system

    ECM_ORACLE_HOME/common/bin
    
  • Windows operating system

    ECM_ORACLE_HOME\common\bin
    

To create a log file of your configuration session, start Fusion Middleware Configuration Wizard with the -log option:

  • UNIX operating system

    cd MW_HOME/ECM_ORACLE_HOME/common/bin
    ./config.sh -log=log_file_name
    

    Your log file will be created in your oraInventory_location/logs/installActions/logs directory.

  • Windows operating system

    cd MW_HOME\ECM_ORACLE_HOME\common\bin
    config.cmd -log=log_file_name
    

    Your log file will be created in your inventory_location/logs/installActions/logs directory. The default inventory_location value follows:

    %PROGRAMFILES%\Oracle\Inventory
    

Table 4-1 describes the steps for creating a domain and provides links to descriptions of the screens in Appendix B, "Oracle Enterprise Content Management Suite Configuration Screens."

Table 4-1 Procedure for Creating a New Domain

Step Screen When This Screen Appears Description and Action Required

1

None.

Always

Start Fusion Middleware Configuration Wizard:

  • UNIX operating system

    cd ECM_ORACLE_HOME/common/bin
    ./config.sh [-log=log_file_name]
    
  • Windows operating system

    cd ECM_ORACLE_HOME\common\bin
    config.cmd [-log=log_file_name]
    

2

Welcome

Always

Select Create a new WebLogic Domain.

Click Next to continue.

3

Select Domain Source

Always

Note: To configure Oracle UCM, you need to select Oracle Universal Content Management - Content Server on the Select Domain Source screen. To configure Oracle Universal Records Management (Oracle URM), select Oracle Universal Records Management Server.

Select Generate a domain configured automatically to support the following products and one or more of these products:

  • Oracle Universal Records Management Server

  • Oracle Information Rights Management

  • Oracle Universal Content Management - Inbound Refinery

  • Oracle Universal Content Management - Content Server

  • Oracle Imaging and Process Management

When you select Oracle Imaging and Process Management, you also need to select Oracle Universal Content Management - Content Server. Oracle I/PM automatically selects Oracle UCM RIDC. If you deselect this automatic selection, Oracle Imaging and Process Management will also be deselected.

When you select any Oracle ECM application on the Select Domain Source screen, Oracle Enterprise Manager and Oracle JRF are automatically selected. If you deselect any of these items that are automatically selected, the Oracle ECM applications will also be deselected.

Click Next to continue.

4

Specify Domain Name and Location

Always

Enter the name of the domain you want to create in the Domain name field.

The default location for the domain follows (MW_HOME represents the Middleware home directory):

  • UNIX operating system

    MW_HOME/user_projects/domains/
    
  • Windows operating system

    MW_HOME\user_projects\domains\
    

You can specify a different location in the Domain location field.

Note: Record the domain name and location from this screen because you will need them later to start the Administration Server.

You can specify the location of the Oracle Enterprise Content Management Suite application in the Application location field. The default location is MW_HOME/user_projects/applications/.

Click Next to continue.

5

Configure Administrator User Name and Password

Always

The User name field has the default administrator user name, weblogic. You can specify a different administrator user name.

In the User password field, enter the password for the administrator user.

Note: Record the administrator user name and password from this screen because you will need them later to start the Managed Servers and to access the domain through the Oracle WebLogic Server Administration Console or Fusion Middleware Control.

Click Next to continue.

6

Configure Server Start Mode and JDK

Always

Under WebLogic Domain Startup Mode, Development Mode is the default mode. For a production system, select Production Mode.

Under JDK Selection, you can leave Available JDKs and the default JDK selected, or you can change them. The default JDK for development mode is Sun SDK 160_18, and the default JDK for production mode is JRockit SDK 1.6.0_17, except on a 64-bit system, where the default JDK is the one you installed. To specify a different JDK, select Other JDK, and enter its location.

Click Next to continue.

7

Configure JDBC Component Schema

Always

Configure each component schema, including the Oracle WSM MDS schema if it was created with Repository Creation Utility (RCU), in the following fields:

  • Component Schema: Select a component schema row.

  • Vendor: Select a database vendor from the list.

  • Driver: Leave the default driver for the database vendor selected, or select a driver for the component schema from the list.

  • Schema Owner: Enter the user name of the application schema owner, specified during schema creation with RCU.

  • Schema Password: Enter the schema password, specified during schema creation with RCU.

  • DBMS/Service: Enter the name of the database instance if Oracle's Driver (Thin) for Instance connections is selected in the Driver field, or enter the service name (global database name) if Oracle's Driver (Thin) for Service connections is selected in the Driver field. For Microsoft SQL Server or IBM DB2, you must enter a database name because there is no service name.

    Specify the database that contains the application schema or schemas.

    For Oracle RAC databases, specify the service name of one of the nodes in this field. For example: sales.example.com.

  • Host Name: Specify the name of the machine on which your database resides, in the format host.example.com. For Oracle RAC databases, specify the Virtual IP name or one of the node names as the host name.

  • Listen Port: Specify the database listen port number. The default port number is 1521 for an Oracle Database instance, 1433 for Microsoft SQL Server, or 50000 for IBM DB2.

Click Next to continue.

8

Test Component Schema

Always

The configuration wizard automatically tests the connection to the JDBC component schema.

If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection.

After the test succeeds, click Next to continue.

9

Select Optional Configuration

Always

Optionally, select any or all of these options for configuring the Administration Server and Managed Servers:

  • Administration Server

  • Managed Servers, Clusters and Machines

  • Deployments and Services

  • RDBMS Security Store

  • JMS File Store

Select one or more of these options if you want to change any default settings. For example, select Administration Server to configure SSL for it or change its port number, or select Managed Servers, Clusters and Machines to change the name or port for a Managed Server, add it to a cluster, or configure a machine for it.

For Oracle IRM, you should select Administration Server, Managed Servers, Clusters and Machines, and Deployments and Services.

Note: To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

Click Next to continue to the configuration screens for the selected option or, if you did not select any options, to the Configuration Summary screen.

10

Configure the Administration Server

If you selected Administration Server on the Select Optional Configuration screen.

The default listen port number for the Administration Server is 7001, which you can change.

If you want to change the configuration of SSL for the Administration Server, you can select SSL enabled. The SSL port is set to 7002 by default in the SSL Listen Port field. If SSL enabled is selected, you can change the SSL listen port value.

Click Next to continue.

11

Configure Managed Servers

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen.

Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value. For increased security, you can specify a nondefault port number.

Table 4-2 lists the default port values for the Managed Servers that run Oracle Enterprise Content Management Suite applications.

If you want to change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value.

For Oracle IRM, SSL is enabled by default, with port number 16101. SSL needs to be configured so that Oracle IRM Desktop does not show prompts to accept certificates when it contacts the Managed Server. The certificate used must be trusted by Microsoft Internet Explorer on computers running Oracle IRM Desktop.

Click Next to continue.

12

Configure Clusters

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen.

Optionally, configure one or more clusters.

Notes:

  • To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

  • If you decide to configure a cluster, then you must assign a cluster address.

Click Next to continue.

13

Assign Servers to Clusters

If you configured any clusters on the Configure Clusters screen

Assign two or more of the Managed Servers in the domain to each cluster.

Click Next to continue.

14

Create HTTP Proxy Applications

If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster

Create a proxy application for each Managed Server that you did not assign to a cluster in the domain.

Click Next to continue.

15

Configure Machines

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen.

Optionally, configure machines to host Managed Servers, and assign a Managed Server to each machine.

Click Next to continue.

16

Assign Servers to Machines

If you added any machines on the Configure Machines screen

Assign at least one server to each machine.

Click Next to continue.

17

Target Deployments to Clusters or Servers

If you selected Deployments and Services on the Select Optional Configuration screen.

Optionally, assign each application to the Administration Server, a Managed Server, or a cluster of Managed Servers.

Oracle IRM should be deployed on a cluster or on a Managed Server that is not a member of any cluster because Oracle IRM uses persistent-store-type as replicated_if_clustered. If the Oracle IRM web application is deployed on a clustered server, the in-effect persistent-store-type will be replicated. Otherwise, memory is the default.

When deploying Oracle IRM to a cluster, make sure that the Oracle IRM application is deployed to all nodes.

Click Next to continue.

18

Target Services to Clusters or Servers

If you selected Deployments and Services on the Select Optional Configuration screen.

Optionally, modify how your services are targeted to servers or clusters.

Click Next to continue.

19

Configure RDBMS Security Store Database

If you selected RDBMS Security Store on the Select Optional Configuration screen.

Optionally, make changes to your RDBMS security store.

Click Next to continue.

20

Configuration Summary

Always

Review your configuration and make any corrections or updates by following the instructions on the screen.

You can click Previous on each screen to go back to a screen where you want to change the configuration.

When the configuration is satisfactory, click Create to create the domain.

21

Creating Domain

Always

On a Windows operating system, you can select Create Admin Server to start the Administration Server as soon as the configuration is done.

When the domain is created successfully, click Done.


Table 4-2 lists the default port values for the Managed Servers that run Oracle Enterprise Content Management Suite applications.

Table 4-2 Default Ports for Managed Servers

Managed Server    Default Listen Port    Default SSL Port    Port Range
Oracle I/PM       16000                  16001               16000-16099
Oracle IRM        16100                  16101               16100-16199
Oracle UCM        16200                  16201               16200-16299
Oracle IBR        16250                  16251               16200-16299
Oracle URM        16300                  16301               16300-16399


The following operations should have completed successfully:

  • Creation of an Oracle WebLogic Server domain, with an Administration Server

  • Creation of a Managed Server for each application that you selected on the Select Domain Source screen

  • Deployment of each application to its Managed Server

    An application is not active until its Managed Server is started. Before you start a Managed Server, see the rest of the configuration information in this chapter and in the configuration chapter for your application. For more information, see Section 10.2, "Starting Managed Servers."

4.3 Extending an Existing Domain

You can extend an existing Oracle WebLogic Server domain to configure one or more Oracle Enterprise Content Management Suite applications. Fusion Middleware Configuration Wizard is in the following directory:

  • UNIX operating system

    ECM_ORACLE_HOME/common/bin
    
  • Windows operating system

    ECM_ORACLE_HOME\common\bin
    

Note:

You cannot extend a domain that has Oracle I/PM 11.1.1.2.1 or Oracle IRM 11.1.1.2.1 to include an Oracle ECM 11.1.1.3.0 application.

You can also extend a domain to include other applications in the same domain. For example, you could extend an Oracle WebCenter domain to include an Oracle IRM Managed Server. Or you could extend an Oracle I/PM domain to include Oracle SOA Suite.

Note:

Before you extend a domain to include Oracle SOA Suite on an AIX platform, you need to confirm that the soa-ibm-addon.jar file is in the SOA_ORACLE_HOME/soa/modules directory. Make sure that the file is there, and add the following entry to the SOA_ORACLE_HOME/bin/ant-sca-compile.xml file at line 65:

    <include name="soa-ibm-addon.jar"/>

Table 4-3 describes the steps for extending a domain and provides links to descriptions of the screens in Appendix B, "Oracle Enterprise Content Management Suite Configuration Screens."

Table 4-3 Procedure for Extending an Existing Domain

Step Screen When This Screen Appears Description and Action Required

1

None.

Always

Start Fusion Middleware Configuration Wizard:

  • UNIX operating system

    cd ECM_ORACLE_HOME/common/bin
    ./config.sh
    
  • Windows operating system

    cd ECM_ORACLE_HOME\common\bin
    config.cmd
    

2

Welcome

Always

Select Extend an existing WebLogic Domain.

Click Next to continue.

3

Select a WebLogic Domain Directory

Always

Select the Oracle WebLogic Server directory to which you want to add your applications or services, or both.

Click Next to continue.

4

Select Extension Source

Always

Select Extend my domain automatically to support the following added products and one or more of these products:

  • Oracle Universal Records Management Server

  • Oracle Information Rights Management

  • Oracle Universal Content Management - Inbound Refinery

  • Oracle Universal Content Management - Content Server

  • Oracle Imaging and Process Management

When you select Oracle Imaging and Process Management, you also need to select Oracle Universal Content Management - Content Server, if Oracle UCM is not already configured. Oracle I/PM automatically selects Oracle UCM RIDC. If you deselect this automatic selection, Oracle Imaging and Process Management will also be deselected.

When you select any Oracle ECM application on the Select Extension Source screen, Oracle Enterprise Manager and Oracle JRF are automatically selected. If you deselect any of these items that are automatically selected, the Oracle ECM applications will also be deselected.

Click Next to continue.

5

Configure JDBC Component Schema

Always

Configure each component schema, including the Oracle WSM MDS schema if it was created with Repository Creation Utility (RCU), in the following fields:

  • Component Schema: Select a component schema row.

  • Vendor: Select a database vendor from the list.

  • Driver: Leave the default driver for the database vendor selected, or select a driver for the component schema from the list.

  • Schema Owner: Enter the user name of the application schema owner, specified during schema creation with Repository Creation Utility (RCU).

  • Schema Password: Enter the schema password, specified during schema creation with RCU.

  • DBMS/Service: Enter the name of the database instance if Oracle's Driver (Thin) for Instance connections is selected in the Driver field, or enter the service name (global database name) if Oracle's Driver (Thin) for Service connections is selected in the Driver field. For SQL Server, you must enter a database name because there is no service name.

    Specify the database that contains the application schema or schemas.

    For Oracle RAC databases, specify the service name of one of the nodes in this field. For example: sales.example.com.

  • Host Name: Specify the name of the machine on which your database resides, in the format host.example.com. For Oracle RAC databases, specify the Virtual IP name or one of the node names as the host name.

  • Listen Port: Specify the database listen port number. The default port number is 1521 for an Oracle Database instance, 1433 for Microsoft SQL Server, or 50000 for IBM DB2.

Click Next to continue.

6

Test Component Schema

Always

The configuration wizard automatically tests the connection to the JDBC component schema.

If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection.

After the test succeeds, click Next to continue.

7

Select Optional Configuration

Always

Optionally, select any or all of these options for configuring Managed Servers:

  • Managed Servers, Clusters and Machines

  • Deployments and Services

  • RDBMS Security Store

  • JMS File Store

Select one or more of these options if you want to change any default settings. For example, select Administration Server to configure SSL for it or change its port number, or select Managed Servers, Clusters and Machines to change the name or port for a Managed Server, add it to a cluster, or configure a machine for it.

Note: To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

For Oracle IRM, you should select Administration Server, Managed Servers, Clusters and Machines, and Deployments and Services.

If you are extending a domain that already includes Oracle UCM with Oracle I/PM and plan to use Oracle UCM 11g as the Oracle I/PM repository, select Managed Servers, Clusters and Machines so you can configure a separate machine for running the Oracle I/PM Managed Server.

Click Next to continue to the configuration screens for the selected option or, if you did not select any options, to the Configuration Summary screen.

8

Configure Managed Servers

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen.

Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value or, for increased security, specify a nondefault port number.

Table 4-2 lists the default port values for the Managed Servers that run Oracle Enterprise Content Management Suite applications.

To change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value.

For Oracle IRM, SSL is enabled by default, with port number 16101. SSL needs to be configured so that Oracle IRM Desktop does not show prompts to accept certificates when it contacts the Managed Server. The certificate used must be trusted by Microsoft Internet Explorer on computers running Oracle IRM Desktop.

Click Next to continue.

9

Configure Clusters

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen.

Optionally, change the cluster configuration.

Notes:

  • To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

  • If you decide to configure a cluster, then you must assign a cluster address.

Click Next to continue.

10

Assign Servers to Clusters

If you configured any clusters on the Configure Clusters screen

Assign two or more of the Managed Servers in the domain to each cluster.

Click Next to continue.

11

Create HTTP Proxy Applications

If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster

Create a proxy application for each Managed Server in the domain that you did not assign to a cluster.

Click Next to continue.

12

Configure Machines

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen.

Optionally, configure machines to host Managed Servers, and assign a Managed Server to each machine.

If you are extending a domain that already includes Oracle UCM with Oracle I/PM and plan to use Oracle UCM 11g as the Oracle I/PM repository, configure a separate machine and assign the Oracle I/PM Managed Server to it.

Click Next to continue.

13

Assign Servers to Machines

If you added any machines on the Configure Machines screen

Assign at least one server to each machine.

Click Next to continue.

14

Target Deployments to Clusters or Servers

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen.

Optionally, assign each application to the Administration Server, a Managed Server, or a cluster of Managed Servers.

Oracle IRM should be deployed on a cluster or on a Managed Server that is not a member of any cluster because Oracle IRM uses persistent-store-type as replicated_if_clustered. If the Oracle IRM web application is deployed on a clustered server, the in-effect persistent-store-type will be replicated. Otherwise, memory is the default.

Make sure that the Oracle IRM application is not deployed to one of the servers in a cluster.

Click Next to continue.

15

Target Services to Clusters or Servers

If you selected Deployments and Services on the Select Optional Configuration screen.

Optionally, modify how your services are targeted to servers or clusters.

Click Next to continue.

16

Configuration Summary

Always.

When the configuration is satisfactory, click Extend to extend the domain.

17

Creating Domain

Always

On a Windows operating system, you can select Create Admin Server to start the Administration Server as soon as the configuration is done.

When the domain is successfully extended, click Done.


The following operations should have completed successfully:

  • Extension of an existing Oracle WebLogic Server domain to include the application or applications that you selected on the Extend Domain Source screen

  • Creation of a Managed Server for each application that you selected

  • Deployment of each application to its Managed Server

    An application is not active until its Managed Server is started. Before you start a Managed Server, see the rest of the configuration information in this chapter and in the configuration chapter for your application. For more information, see Section 10.2, "Starting Managed Servers."

4.4 Extending a Domain in an SSL Environment

If your Oracle WebLogic Server domain connects to a database through an SSL port, you need to back up your data source and SSL parameters and remove the SSL configuration from the data source before running Fusion Middleware Configuration Wizard to extend the domain. After you have successfully extended the domain, you can restore the SSL configuration to your data source.

To extend a domain in an SSL environment with Fusion Middleware Configuration Wizard:

  1. In the Oracle WebLogic Server Administration Console, select your data source, and save a backup of all SSL parameters.

    Back up the URL, javax.net.ssl.trustStorePassword, javax.net.ssl.trustStore, javax.net.ssl.trustStoreType, and any other SSL parameters that have been configured for the data source.

  2. Temporarily replace the SSL configuration for the data source with a non-SSL configuration.

    Use a non-SSL URL and remove all SSL properties. You should end with something like this configuration:

    • URL:

      jdbc:oracle:thin:@myhost.example.com:1521:db11107
      
    • Properties:

      • user=MAR20SSL_OCS

      • oracle.net.CONNECT_TIMEOUT=10000

      • sendStreamAsBlob=true

  3. Using Fusion Middleware Configuration Wizard, extend the domain, as described in Table 4-3.

  4. After successfully extending the domain, restore the SSL configuration to your data source. You should end with something like this configuration:

    • URL:

      jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.example.com)(PORT=2490)))(CONNECT_DATA=(SERVICE_NAME=db11107.example.com))(SECURITY=(SSL_SERVER_CERT_DN="CN=myhost.example.com,OU=QA,O=ECM,L=RedwoodShores,ST=California,C=US"))) 
      
    • Properties:

      • javax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase

      • user=MAR20SSL_OCS

      • javax.net.ssl.trustStore=/mw_home/wlserver_10.3/server/lib/DemoTrust.jks

      • oracle.net.CONNECT_TIMEOUT=10000

      • javax.net.ssl.trustStoreType=JKS

      • sendStreamAsBlob=true

  5. If during step 3 you updated your domain with a new product that creates its own data source, you may need to add SSL configuration to it as well.
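An added example (not Oracle's code) of a check to run after step 4: it compares each data source's current URL and properties with the backup from step 1 and flags data sources that the extension created without SSL, which is the case step 5 describes. The data source names ecm-ds and new-ds and all function names are assumptions; the URLs and properties are the samples shown above.

```python
import re

# SSL properties that step 1 says to back up and step 4 restores.
SSL_PROPS = (
    "javax.net.ssl.trustStore",
    "javax.net.ssl.trustStoreType",
    "javax.net.ssl.trustStorePassword",
)


def uses_tcps(url):
    """True if the Oracle thin JDBC URL descriptor declares PROTOCOL=TCPS."""
    return re.search(r"\(\s*PROTOCOL\s*=\s*TCPS\s*\)", url, re.I) is not None


def parse_properties(text):
    """Parse name=value lines; return (dict, names that appear more than once)."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        name, sep, value = raw.strip().partition("=")
        if not sep:
            continue  # blank or malformed line
        name = name.strip()
        if name in props:
            duplicates.append(name)
        props[name] = value.strip()
    return props, duplicates


def audit_data_source(current, backup=None):
    """List problems for one data source. Values are never echoed (passwords)."""
    findings = []
    props, duplicates = parse_properties(current["properties"])
    if not uses_tcps(current["url"]):
        findings.append("URL is not TCPS (temporary non-SSL form still in place?)")
    elif backup is not None and current["url"].strip() != backup["url"].strip():
        findings.append("URL differs from backup")
    for name in SSL_PROPS:
        if name not in props:
            findings.append("missing SSL property: " + name)
    if backup is not None:
        saved, _ = parse_properties(backup["properties"])
        for name in sorted(saved):
            if name in props and props[name] != saved[name]:
                findings.append("value differs from backup: " + name)
            elif name not in props and name not in SSL_PROPS:
                findings.append("property lost since backup: " + name)
    for name in duplicates:
        findings.append("duplicate property: " + name)
    # DemoTrust.jks is the demo trust store shipped with WebLogic for development.
    if "DemoTrust" in props.get("javax.net.ssl.trustStore", ""):
        findings.append("trust store is the WebLogic demo trust store")
    return findings


def audit_domain(current, backups):
    """Audit every data source; names absent from backups are new (step 5)."""
    report = {}
    for name in sorted(current):
        findings = audit_data_source(current[name], backups.get(name))
        if name not in backups:
            findings.insert(0, "created by the extension: no backup to compare")
        if findings:
            report[name] = findings
    return report


# Constructed sample input. URLs and properties are the page's samples; the
# data source names are hypothetical.
SSL_URL = (
    'jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)'
    '(HOST=myhost.example.com)(PORT=2490)))(CONNECT_DATA=(SERVICE_NAME='
    'db11107.example.com))(SECURITY=(SSL_SERVER_CERT_DN="CN=myhost.example.com,'
    'OU=QA,O=ECM,L=RedwoodShores,ST=California,C=US")))'
)
PLAIN_URL = "jdbc:oracle:thin:@myhost.example.com:1521:db11107"
SSL_PROPERTIES = """\
javax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase
user=MAR20SSL_OCS
javax.net.ssl.trustStore=/mw_home/wlserver_10.3/server/lib/DemoTrust.jks
oracle.net.CONNECT_TIMEOUT=10000
javax.net.ssl.trustStoreType=JKS
sendStreamAsBlob=true
"""
PLAIN_PROPERTIES = """\
user=MAR20SSL_OCS
oracle.net.CONNECT_TIMEOUT=10000
sendStreamAsBlob=true
"""
PLAIN = {"url": PLAIN_URL, "properties": PLAIN_PROPERTIES}
SECURED = {"url": SSL_URL, "properties": SSL_PROPERTIES}

BACKUPS = {"ecm-ds": SECURED}                          # saved in step 1
AFTER_EXTEND = {"ecm-ds": PLAIN, "new-ds": PLAIN}      # state after step 3
AFTER_RESTORE = {"ecm-ds": SECURED, "new-ds": PLAIN}   # step 4 done, step 5 not

if __name__ == "__main__":
    for label, state in (("after step 3", AFTER_EXTEND), ("after step 4", AFTER_RESTORE)):
        print(label)
        for ds, findings in audit_domain(state, BACKUPS).items():
            for finding in findings:
                print("  %s: %s" % (ds, finding))
```

The restored sample still reports one finding because its trust store is DemoTrust.jks, the demo trust store that ships with WebLogic for development use.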

4.5 Increasing the Java VM Heap Size for Managed Servers

You need to increase the size of the heap allocated for the Java Virtual Machine (VM) on which each Managed Server runs to at least 1 gigabyte. If you do not increase the Java VM heap size, then Oracle support and development will not accept any escalation of runtime issues, especially out-of-memory issues.

There are two common ways to adjust the runtime memory parameters for a Managed Server:

4.5.1 Setting Server Startup Parameters for Managed Servers with the Administration Console

You can set server startup parameters with the Oracle WebLogic Server Administration Console. This is the preferred approach for setting startup parameters because it ensures that the parameters are correctly pushed to each server, and it avoids problems that might occur during manual editing of server startup scripts. To increase the Java VM heap size to at least 1 gigabyte, you set the value of the -Xmx parameter.

To set server startup parameters for Managed Servers with the Administration Console:

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. Click Environment under Domain Structure, on the left.

  3. Click Servers on the Summary of Environment page.

  4. Set the memory parameters for each Managed Server:

    1. Click the name of a Managed Server in the Servers table.

    2. On the Configuration tab, in the second row of tabs, click Server Start.

    3. In the Arguments box, paste a string that specifies the memory parameters.

      Table 4-4 shows parameters to specify for Sun and JRockit Java VMs on UNIX and Windows operating systems. Other Java VMs may have different values.

      Table 4-4 Java VM Memory Parameters

      Java VM    Operating System    Parameters
      Sun        UNIX                -Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=1024m
      Sun        Windows             -Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=1024m
      JRockit    UNIX                -Xms256m -Xmx1024m -XnoOpt
      JRockit    Windows             -Xms256m -Xmx1024m -XnoOpt


    4. Save the configuration changes.

  5. Restart any running Managed Servers.

4.5.2 Setting the USER_MEM_ARGS Environment Variable in the Startup Script for a Managed Server

You can set server startup parameter for a Managed Server by setting the USER_MEM_ARGS environment variable in its startup script. To increase the Java VM heap size to at least 1 gigabyte, you set the value of the -Xmx parameter.

To set the USER_MEM_ARGS environment variable in the startup script for a Managed Server:

  • UNIX shell (.sh)

    export USER_MEM_ARGS="-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=1024m"
    
  • UNIX C shell (.csh)

    setenv USER_MEM_ARGS "-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=1024m"
    
  • Windows command script (.cmd)

    set USER_MEM_ARGS=-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=1024m
    

Note:

Table 4-4 shows parameters to specify for Sun and JRockit Java VMs on UNIX and Windows operating systems. Other Java VMs may have different values.

4.6 Setting Up Fonts on a UNIX Operating System

On a UNIX system, you need to make sure TrueType fonts are set up for Oracle IBR and Oracle UCM Dynamic Converter. If you are using a language other than English, you also need to set up fonts for national language support.

4.6.1 Setting Up TrueType Fonts on a UNIX System

For Oracle IBR and Oracle UCM Dynamic Converter to work correctly on a UNIX operating system, you need to set up TrueType fonts on the machine where IBR or the Dynamic Converter is running. If these fonts are not available on your system, you need to install them. Then you can configure Oracle IBR with the path to the font directory.

Some standard font locations on different UNIX platforms follow:

  • Solaris SPARC: /usr/openwin/lib/X11/fonts/TrueType

    Note:

    For document conversions on a Solaris SPARC platform, Oracle I/PM requires the GNU Compiler Collection (GCC) package 3.4.2 or later in the /usr/local/packages directory.

    Install this package on the Solaris operating system that will run Oracle I/PM. You can download GCC from the Sunfreeware web site at

    http://www.sunfreeware.com
    

    You also need to set the LD_LIBRARY_PATH environment variable to /usr/local/packages/gcc-3.4.2/lib before starting the Oracle I/PM Managed Server. If you are using a later version of GCC, set that version instead of 3.4.2.

  • AIX: /usr/lpp/X11/lib/X11/fonts/TrueType

  • HP-UX Itanium: /usr/lib/X11/fonts/TrueType

To set the path to the font directory in Oracle IBR:

  1. Log in to Oracle IBR.

  2. Select Conversion Settings, then Third-Party Application Settings, and then General OutsideIn Filter Options.

  3. Click Options.

  4. Enter the path to the TrueType fonts in the Path to fonts field.

    For example:

    /usr/share/x11/fonts/FTP
    
  5. Click Update.

  6. Restart Oracle IBR.

4.6.2 Installing Fonts for National Language Support on a UNIX System

For languages other than English, the following installation steps need to be done on a UNIX operating system before you start a Managed Server:

  • Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Sun JDK installation directory for the Middleware home.

  • Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Oracle JRockit JDK directory for the Middleware home.

4.7 Installing Libraries and Setting Environment Variables for Outside In Technology

Oracle UCM, Oracle IBR, Oracle I/PM, and the Oracle I/PM Advanced Viewer for clients use Outside In Technology (OIT), which requires certain libraries that are not part of Oracle ECM. Before an Oracle UCM, Oracle IBR, or Oracle I/PM Managed Server is started, you need to install the libraries for your platform. For a UNIX platform, you also need to set an environment variable to reference the libraries in the library path for the user who will start the Managed Server.

4.7.1 Installing Libraries for Outside In Technology on UNIX Platforms

Before you start an Oracle UCM, Oracle IBR, or Oracle I/PM Managed Server, you need to make sure the libraries required for your platform are available on your system.

Many of the required libraries are normally installed on the machine, including the C, math, X11, dynamic loader, and pthreads libraries, among others. The libgcc_s and libstdc++ libraries are part of the GNU Compiler Collection (GCC) package.


Solaris Sparc 32-bit requires GCC package 3.4.2 or later, which you can download from the Sunfreeware web site at

http://www.sunfreeware.com

HPUX Itanium requires GCC package 3.3.6, which you can download from the following web site:

http://hpacxx.external.hp.com/gcc

If a libgcc_s or libstdc++ library is required for your platform, install the GCC package in the /usr/local/packages/gcc-3.4.2/lib directory on a Solaris Sparc system or the /usr/local/packages/gcc-3.3.6/lib directory on an HPUX ia64 system, on the machine where Oracle I/PM or Oracle UCM will run. If you are using a later version of GCC, specify that version instead of 3.4.2 or 3.3.6.

OIT requires the following libraries for the specified UNIX platform. The libgcc_s and libstdc++ libraries are part of the GCC package.

  • Solaris Sparc 32-bit

    /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1 
    libICE.so.6 
    libSM.so.6 
    libX11.so.4 
    libXext.so.0 
    libXm.so.4 
    libXt.so.4 
    libc.so.1 
    libdl.so.1 
    libgcc_s.so.1 
    libgen.so.1 
    libm.so.1 
    libmp.so.2 
    libnsl.so.1 
    libpthread.so.1 
    libsocket.so.1 
    libstdc++.so.6 
    libthread.so.1 
    
  • HPUX ia64

    libCsup.so.1 
    libICE.so.1 
    libSM.so.1 
    libX11.so.1 
    libXext.so.1 
    libXm.so.1 
    libXp.so.1 
    libXt.so.1 
    libc.so.1 
    libdl.so.1 
    libgcc_s_hpux64.so.0 
    libm.so.1 
    libpthread.so.1 
    libstd_v2.so.1 
    libstdc++.so.5 
    libuca.so.1 
    libunwind.so.1
    
  • AIX 32-bit

    /usr/lib/libC.a(ansi_32.o) 
    /usr/lib/libC.a(shr.o) 
    /usr/lib/libC.a(shr2.o) 
    /usr/lib/libC.a(shr3.o) 
    /usr/lib/libICE.a(shr.o) 
    /usr/lib/libIM.a(shr.o) 
    /usr/lib/libSM.a(shr.o) 
    /usr/lib/libX11.a(shr4.o) 
    /usr/lib/libXext.a(shr.o) 
    /usr/lib/libXi.a(shr.o) 
    /usr/lib/libXm.a(shr_32.o) 
    /usr/lib/libXt.a(shr4.o) 
    /usr/lib/libc.a(shr.o) 
    /usr/lib/libcrypt.a(shr.o) 
    /usr/lib/libgaimisc.a(shr.o) 
    /usr/lib/libgair4.a(shr.o) 
    /usr/lib/libi18n.a(shr.o) 
    /usr/lib/libiconv.a(shr4.o) 
    /usr/lib/libodm.a(shr.o) 
    /usr/lib/libpthreads.a(shr.o) 
    /usr/lib/libpthreads.a(shr_comm.o) 
    /usr/lib/libpthreads.a(shr_xpg5.o) 
    /usr/lib/libpthreads_compat.a(shr.o) 
    
  • HPUX PA/RISC 32-bit

    /lib/libCsup.2 
    /lib/libCsup_v2.2 
    /lib/libX11.3 
    /lib/libXm.4 
    /lib/libXt.3 
    /lib/libc.2 
    /lib/libcl.2 
    /lib/libm.2 
    /lib/libstd.2 
    /lib/libstd_v2.2 
    /lib/libstream.2 
    /usr/lib/libCsup.2 
    /usr/lib/libCsup_v2.2 
    /usr/lib/libX11.3 
    /usr/lib/libXm.4 
    /usr/lib/libXt.3 
    /usr/lib/libc.2 
    /usr/lib/libcl.2 
    /usr/lib/libdld.2 
    /usr/lib/libisamstub.1 
    /usr/lib/libm.2 
    /usr/lib/libstd.2 
    /usr/lib/libstd_v2.2 
    /usr/lib/libstream.2 
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libICE.2
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libSM.2
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libX11.3
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXext.3
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXp.2
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXt.3
    
  • SUSE Linux

    For a SUSE Linux operating system, the compat-libstdc++-5.0.7-121.1 RPM is required.

4.7.2 Setting Library Paths in Environment Variables on UNIX Platforms

Before Oracle Inbound Refinery or the Oracle UCM Dynamic Converter uses Outside In Technology for document and image conversions, the following environment variables must be set for the Oracle UCM Managed Server on the specified UNIX platforms:

  • Environment variables for library paths for Oracle I/PM

    • Solaris Sparc:

      LD_LIBRARY_PATH=/usr/local/packages/gcc-3.4.2/lib
      

      If you are using a later version of GCC, specify that version instead of 3.4.2.

    • AIX:

      LIBPATH=$DOMAIN_HOME/oracle/imaging/imaging-server
      
    • HP-UX Itanium:

      LD_PRELOAD=/usr/lib/hpux64/libpthread.so.1
      LD_LIBRARY_PATH=$DOMAIN_HOME/oracle/imaging/imaging-server
      
  • Environment variables for library paths for Oracle UCM with Dynamic Converter and Oracle IBR

    • Solaris Sparc:

      LD_LIBRARY_PATH=/usr/local/packages/gcc-3.4.2/lib
      

      If you are using a later version of GCC, specify that version instead of 3.4.2.

      Add the following line to the Oracle IBR intradoc.cfg file at DomainHome/ucm/ibr/bin:

      ContentAccessExtraLibDir=/usr/local/packages/gcc-3.4.2/lib
      

      Then restart Oracle IBR.

    • HP-UX Itanium:

      export LD_LIBRARY_PATH=/opt/hp-gcc/3.3.6/lib/:/opt/hp-gcc/3.3.6/lib/hpux64:$LD_LIBRARY_PATH
      

      The Dynamic Converter on HP-UX Itanium needs the 3.3.6 version of the GCC libraries installed before the Oracle UCM server is started.

  • DISPLAY environment variable

    On a UNIX operating system running XWindows, when redirecting the display to a system with suitable graphic capabilities, export DISPLAY to a valid X Server before starting the Oracle I/PM, the Oracle IBR Managed Server, or the Oracle UCM Dynamic Converter.
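The library path variables above decide which shared libraries the Managed Server process loads, so the value is worth checking before startup. The following is an added example, not Oracle code: the function names are hypothetical, and the sample value is constructed from the HP-UX line above, which ends in a colon when LD_LIBRARY_PATH was previously unset.

```python
import os
import stat


def audit_library_path(value):
    """Return (entry, problem) pairs for a colon-separated library search path.

    Intended for the LD_LIBRARY_PATH / LIBPATH value the Managed Server will
    be started with. An empty list means no finding.
    """
    findings = []
    for entry in value.split(":"):
        if entry == "":
            # Produced by a leading, trailing or doubled colon. glibc's loader
            # searches the current working directory for such an entry.
            findings.append((entry, "empty entry"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative path"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            findings.append((entry, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not a directory"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Another account could place a library here that the server loads.
            findings.append((entry, "group- or world-writable"))
    return findings


def prepend_library_path(new_dirs, existing):
    """Join new_dirs in front of an existing value without creating empty entries."""
    kept = [p for p in (existing or "").split(":") if p]
    return ":".join(list(new_dirs) + kept)


if __name__ == "__main__":
    # Constructed input: the HP-UX line from this section, expanded in a shell
    # where LD_LIBRARY_PATH was previously unset (note the trailing colon).
    expanded = "/opt/hp-gcc/3.3.6/lib/:/opt/hp-gcc/3.3.6/lib/hpux64:" + ""
    for entry, problem in audit_library_path(expanded):
        print("%-40r %s" % (entry, problem))
    print(prepend_library_path(
        ["/opt/hp-gcc/3.3.6/lib", "/opt/hp-gcc/3.3.6/lib/hpux64"], ""))
```

Run it as the operating system user who starts the Managed Server, on the host where the server runs, so that the permission checks reflect what the process will see.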

4.7.3 Downloading Visual C++ Libraries for a Windows Operating System

Outside In Technology requires the Visual C++ libraries included in the Visual C++ Redistributable Package for a Windows operating system. Three versions of this package (x86, x64, and IA64) are available from the Microsoft Download Center at

http://www.microsoft.com/downloads

Search for and download the version of the package that corresponds to the version of your Windows operating system:

  • vcredist_x86.exe

  • vcredist_x64.exe

  • vcredist_IA64.exe

The required version of each of these downloads is the Microsoft Visual C++ 2005 SP1 Redistributable Package. The redistributable module that Outside In requires is msvcr80.dll.

The WinNativeConverter contains some VB.NET code, so it also requires Microsoft .NET Framework 3.5 Service Pack 1.

4.8 Configuring SSL for Oracle ECM Applications

You can configure SSL for Oracle ECM applications running in a production environment or development environment.

4.8.1 Configuring SSL for a Production Environment

Oracle IRM requires SSL to be enabled on the front-end application, whether it is Oracle HTTP Server (OHS) or a Managed Server running Oracle IRM as an application deployed to Oracle WebLogic Server. Communication between Oracle IRM Desktop and the Oracle IRM server application must be over SSL because sensitive information such as passwords is communicated.

Other uses of SSL, such as between OHS and Managed Servers, the Administration Server, and the LDAP authentication provider are optional.

For information about configuring SSL for a production environment, see "SSL Configuration in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.

4.8.2 Configuring SSL for a Development Environment

For a development environment, you can also configure one-way SSL with a server-specific certificate. One-way SSL means that only the server certificate passes from the server to the client but not the other way around. After you configure one-way SSL for a development environment on the server, you have to configure every client to accept the server certificate.

4.8.2.1 Configuring One-Way SSL for a Development Environment

For a development environment, you might want to configure SSL, but it is not required. The application will work correctly without SSL configuration, but if you are using basic authentication or form-based authentication, credentials will be transferred from the client to the server unencrypted.

You can configure one-way SSL with a server certificate for the Managed Server so that the client application can be configured to trust the certificate.

In the following procedure, the keystore commands relate only to SSL and not to Oracle IRM encryption keys.

To configure one-way SSL for a development environment:

  1. Run the following script to set the environment:

    • UNIX operating system

      MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh
      

      For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME/wlserver_10.3/server/lib directory.

    • Windows operating system

      MW_HOME\wlserver_10.3\server\bin\setWLSEnv.cmd
      

      For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME\wlserver_10.3\server\lib directory.

  2. Use the CertGen utility to create a server-specific, private key and certificate, as follows (in a single command line):

    java utils.CertGen -selfsigned 
                       -certfile MyOwnSelfCA.cer
                       -keyfile MyOwnSelfKey.key 
                       -keyfilepass mykeypass
                       -cn "hostname"
    

    For mykeypass, substitute a password for the key, and for hostname, substitute the name of the machine where Oracle IRM is deployed. You should use the same name while accessing Oracle Web Services. For example, to generate the server certificate for a machine named myhost.us.example.com, the command would be as follows (in a single command line):

    java utils.CertGen -selfsigned 
                       -certfile MyOwnSelfCA.cer
                       -keyfile MyOwnSelfKey.key 
                       -keyfilepass mykeypass
                       -cn "myhost.us.example.com"
    

    This command will generate a server certificate for the machine myhost.us.example.com.

    The parameter -cn "machine-name" must be set to the fully qualified domain name of the Oracle IRM server, which is the name that Oracle IRM will use to connect to the machine. Verify that the certificate has been issued to the machine name you specified.

    CertGen creates a unique and secret Private Key for Oracle IRM and a Self-Signed Root Certificate.

  3. Run the ImportPrivateKey utility to package the Private Key and Self-Signed Root Certificate into a key store, as follows (in a single command line):

    java utils.ImportPrivateKey 
                       -keystore MyOwnIdentityStore.jks
                       -storepass identitypass
                       -keypass keypassword
                       -alias trustself
                       -certfile MyOwnSelfCA.cer.pem
                       -keyfile MyOwnSelfKey.key.pem
                       -keyfilepass mykeypass
    

    Substitute an identity store password for identitypass, a key password for keypassword, and a key-file password for mykeypass.

  4. Run the keytool utility to package the key and certificate into a separate key store named Trust Keystore.

    In the following keytool commands (each a single command line), JAVA_HOME represents the location of the JDK. For information about the JAVA_HOME environment variable, see Section 3.1.2, "Installing Oracle WebLogic Server in a Middleware Home."

    • UNIX operating system

      JAVA_HOME/bin/keytool -import -trustcacerts -alias trustself 
              -keystore TrustMyOwnSelf.jks 
              -file MyOwnSelfCA.cer.der -keyalg RSA
      
    • Windows operating system

      JAVA_HOME\bin\keytool -import -trustcacerts -alias trustself 
              -keystore TrustMyOwnSelf.jks 
              -file MyOwnSelfCA.cer.der -keyalg RSA
      
  5. Click Next

    On a Windows operating system, follow the instructions on the wizard screens.

  6. Set up a custom identity keystore and trust store:

    1. Log in to the Oracle WebLogic Server Administration Console, at the following URL:

      http://adminServerHost:adminServerPort/console
      

      For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

      http://myHost:7001/console
      

      To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.

    2. Select Environment under your domain from Domain Structure.

    3. Select Servers from Environment.

    4. From Summary of Servers, select the server for which to enable SSL.

    5. Click the Keystores tab on the Settings for servername page.

    6. In the Keystores field, select Custom Identity and Custom Trust.

      If the server is in development mode, you need to click the Lock & Edit button before you can make changes.

    7. Enter values in the following fields on the Keystores tab:

      Custom Identity Keystore

      Custom Identity Keystore Type

      Custom Identity Keystore Passphrase

      Confirm Custom Identity Keystore Passphrase

      Custom Trust Keystore

      Custom Trust Keystore Type

      Custom Trust Keystore Passphrase

      Confirm Custom Trust Keystore Passphrase

    8. Save the changes.

    9. Click the SSL tab.

    10. In the Identity and Trust Locations field, select Keystores.

    11. Enter values in the other fields on the SSL tab:

      Private key alias

      Private key passphrase

      Confirm Private key passphrase

    12. Save the changes.

      If the server is running in development mode, then the changes need to be activated.

4.8.2.2 Configuring Clients to Accept the Server Certificate

After you create a server certificate to configure one-way SSL, you must install it on every machine running the client application. Then you can import the certificate into the client application so that it will trust the certificate and not show prompts when it connects to the Managed Server.

To configure clients to accept the server certificate:

  1. On the client machine, double-click the certificate file to open the Certificate window, and then click Install Certificate to start the Certificate Import Wizard.

    For a Windows operating system, the certificate file needs to be copied to the client machine that accesses this server through a browser.

    For a UNIX operating system that is accessing a web site over SSL rather than using the client application on the machine, follow the procedure required for your operating system to trust the certificate.

  2. In the Certificate Import Wizard, explicitly select a certificate store for Trusted Root Certification Authorities. The root certificate must be trusted on all client computers that will access the server.

    On a Windows operating system, install the certificate under Trusted Root Certification Authorities in Internet Explorer.

4.9 Reassociating the Identity Store with an External LDAP Authentication Provider

In a production system, Oracle Enterprise Content Management Suite applications need to use an external Lightweight Directory Access Protocol (LDAP) authentication provider rather than the Oracle WebLogic Server embedded LDAP server, which is part of the default configuration. You need to reassociate the identity store for your application with one of the following external LDAP authentication providers before you complete the configuration of a Managed Server, before you connect a Managed Server to a repository, and before the first user logs in to the application:

  • Oracle Internet Directory

  • Oracle Virtual Directory

  • Third-party LDAP server

The user who logs in first to an Oracle I/PM Managed Server is provisioned with full security throughout the server. It is easier to reassociate the identity store for Oracle I/PM with an external LDAP authentication provider before the first user logs in, completes the configuration of the Oracle I/PM Managed Server, and connects it to the Oracle Universal Content Management (Oracle UCM) repository.

The Oracle IRM domain, which is different from the Oracle WebLogic Server domain, gets created the first time a user logs in to the Oracle IRM Management Console. The first user who logs in to the console is made the Domain Administrator for the Oracle IRM instance. Before you migrate user data for Oracle IRM, the users need to be in the target LDAP identity store. If you do not reassociate the identity store with an external LDAP authentication provider before the first user logs in to the Oracle IRM console, the general process for reassociating Oracle IRM users and migrating data follows:

  1. Back up existing data with the setIRMExportFolder script.

  2. Reassociate the identity store with an external LDAP directory.

  3. Verify that all users and groups exist in the target LDAP identity store.

    Users are matched using the user name attribute that is set for the LDAP authentication provider and the username.attr property in the jps-config.xml file. For user lookups to function correctly if you modify a user name attribute to something other than the default value set for the LDAP authentication provider, you must also configure the username.attr and user.login.attr properties in the DOMAIN_HOME/config/fmwconfig/jps-config.xml file to correspond to the modified value.

  4. Migrate data with the setIRMImportFolder script.
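Step 3 depends on the username.attr and user.login.attr properties in jps-config.xml agreeing with the user name attribute of the LDAP authentication provider when that attribute has been changed from its default. The following added example, which is not Oracle code, checks a jps-config.xml document for that agreement; the function name, the enclosing jpsConfig and serviceInstances elements of the sample, and the "mail" attribute are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED_PROPS = ("username.attr", "user.login.attr")

# Constructed sample: the serviceInstance shown in this chapter, wrapped in
# assumed enclosing elements so that it parses as one document.
SAMPLE_MATCHING = """
<jpsConfig>
  <serviceInstances>
    <!-- JPS WLS LDAP Identity Store Service Instance -->
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
        value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="username.attr" value="uid"/>
      <property name="user.login.attr" value="uid"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

# Constructed sample: user.login.attr was never added.
SAMPLE_INCOMPLETE = """
<jpsConfig>
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="username.attr" value="uid"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Element name without an XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def check_idstore_attrs(xml_text, authenticator_attr, instance="idstore.ldap"):
    """List mismatches between jps-config.xml and the authenticator's user name attribute."""
    root = ET.fromstring(xml_text)
    matches = [e for e in root.iter()
               if _local(e.tag) == "serviceInstance" and e.get("name") == instance]
    if not matches:
        return ["serviceInstance '%s' not found" % instance]
    problems = []
    for inst in matches:
        props = {p.get("name"): p.get("value")
                 for p in inst if _local(p.tag) == "property"}
        for name in REQUIRED_PROPS:
            value = props.get(name)
            if value is None:
                problems.append("%s is not set" % name)
            elif value.lower() != authenticator_attr.lower():
                # LDAP attribute names are compared case-insensitively.
                problems.append("%s is '%s', authenticator uses '%s'"
                                % (name, value, authenticator_attr))
    return problems


if __name__ == "__main__":
    print(check_idstore_attrs(SAMPLE_MATCHING, "uid"))
    print(check_idstore_attrs(SAMPLE_INCOMPLETE, "mail"))
```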

You can reassociate the identity store for an Oracle WebLogic Server domain with Oracle Internet Directory and migrate Oracle I/PM or Oracle IRM users from the embedded LDAP directory to Oracle Internet Directory. The following procedure describes how to reassociate the identity store with Oracle Internet Directory.

You can use a similar procedure to reassociate the identity store with other LDAP authentication providers. Each provider has a specific authenticator type, and only that type should be configured. Table 4-5 lists the available authenticator types.

Table 4-5 LDAP Authenticator Types

| LDAP Authentication Provider | Authenticator Type |
|---|---|
| Microsoft AD | ActiveDirectoryAuthenticator |
| SunOne LDAP | IPlanetAuthenticator |
| Oracle Internet Directory | OracleInternetDirectoryAuthenticator |
| Oracle Virtual Directory | OracleVirtualDirectoryAuthenticator |
| EDIRECTORY | NovellAuthenticator |
| OpenLDAP | OpenLDAPAuthenticator |
| EmbeddedLDAP | DefaultAuthenticator |
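The procedure below reorders the authentication providers and sets their Control Flag values (OPTIONAL for DefaultAuthenticator, SUFFICIENT or REQUIRED for the new provider). The following added sketch, which is not Oracle code, evaluates a provider chain with the standard JAAS control-flag rules to show what each combination means for users that exist in only one of the two directories. The user names are constructed, and a provider is treated as succeeding when it knows the user, with passwords not modelled.

```python
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


def authenticate(chain, user):
    """Evaluate a provider chain with JAAS control-flag semantics.

    chain: ordered list of (provider_name, control_flag, known_users).
    """
    required_ok = True      # no REQUIRED provider has failed so far
    saw_required = False    # chain contains a REQUIRED or REQUISITE provider
    soft_success = False    # some OPTIONAL provider succeeded
    for _name, flag, known_users in chain:
        ok = user in known_users
        if flag == REQUIRED:
            saw_required = True
            required_ok = required_ok and ok   # evaluation continues either way
        elif flag == REQUISITE:
            saw_required = True
            if not ok:
                return False                   # failure ends evaluation at once
        elif flag == SUFFICIENT:
            if ok:
                return required_ok             # stop; earlier REQUIREDs decide
        elif flag == OPTIONAL:
            soft_success = soft_success or ok
        else:
            raise ValueError("unknown control flag: %r" % flag)
    if not required_ok:
        return False
    return True if saw_required else soft_success


# Constructed directories: 'weblogic' exists in both, as step 1 requires.
OID_USERS = {"weblogic", "alice"}
EMBEDDED_USERS = {"weblogic", "devuser"}

# State the procedure ends in: new provider first and SUFFICIENT.
SUFFICIENT_CHAIN = [("OID", SUFFICIENT, OID_USERS),
                    ("DefaultAuthenticator", OPTIONAL, EMBEDDED_USERS)]
# Alternative named in the procedure: new provider REQUIRED.
REQUIRED_CHAIN = [("OID", REQUIRED, OID_USERS),
                  ("DefaultAuthenticator", OPTIONAL, EMBEDDED_USERS)]
# Modelled state if the new provider is added without the reorder and
# without changing DefaultAuthenticator from REQUIRED.
UNCHANGED_CHAIN = [("DefaultAuthenticator", REQUIRED, EMBEDDED_USERS),
                   ("OID", SUFFICIENT, OID_USERS)]

if __name__ == "__main__":
    chains = [("SUFFICIENT + OPTIONAL", SUFFICIENT_CHAIN),
              ("REQUIRED + OPTIONAL", REQUIRED_CHAIN),
              ("unchanged default first", UNCHANGED_CHAIN)]
    for label, chain in chains:
        for user in ("alice", "devuser", "weblogic", "unknown"):
            print("%-26s %-9s %s" % (label, user, authenticate(chain, user)))
```

With SUFFICIENT, accounts that exist only in the embedded LDAP can still log in, so review or remove them if that is not intended; with REQUIRED they cannot.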


To reassociate the identity store with Oracle Internet Directory:

  1. Create the same Administration user in Oracle Internet Directory that was created during configuration of the domain that includes the Managed Server for your application; for example, weblogic.

    For optional user attributes, set the userPassword and user name attributes to whatever you configured for the domain Administration user name. For example, if uid was configured as a user name attribute, then you would need to set the same value for the uid attribute in Oracle Internet Directory.

  2. Enter the same password for the Oracle Internet Directory user that was specified for the corresponding domain user.

  3. For an Oracle IRM Managed Server, if a user has already logged into the Oracle IRM Management Console, you need to run the setIRMExportFolder WebLogic Scripting Tool (WLST) command before identity store reassociation.

    Use this command to set an export folder for exporting the user and group details referenced by Oracle IRM. Oracle IRM uses the export folder path to decide where to write out the user and group details, so the Managed Server must have write access to the folder path. The export folder must exist before you run the setIRMExportFolder command.

    The following example sets /scratch/irm-data as the export folder:

    cd ECM_ORACLE_HOME/common/bin 
    ./wlst.sh 
    > connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
    > setIRMExportFolder('/scratch/irm-data')
    

    After the Oracle IRM Managed Server picks up this configuration change, normally right away, it will write out a series of XML documents in the export folder. This process is complete when a folder named accounts appears under the export folder. The accounts folder will contain one or more folders named batchXXX, with each batch folder containing a set of XML documents that include the user and group details. For example:

    /scratch
       /irm-data
           /accounts
               /batch1
                   user1.xml
                   user2.xml
                   group1.xml
    

    The batch folders are used to ensure that the operating system limit of the maximum number of files in a folder is not exceeded.

    After this process is complete, reset the export folder:

    setIRMExportFolder('')
    

    This reset ensures that Oracle IRM does not perform any further data exporting when the Managed Server is restarted.

  4. Configure the Oracle Internet Directory authentication provider:

    1. Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 10.1, "Starting the Administration Server."

    2. Log in to the Administration Console as the domain Administration user, at this URL:

      http://adminServerHost:adminServerPort/console
      

      For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

      http://myHost:7001/console
      

      To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.

    3. Under Domain Structure on the left, select Security Realms.

    4. In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.

    5. Click the Providers tab, and then click New under the Authentication Providers table on the Authentication tab.

    6. In the Create a new Authentication Provider dialog box, enter a provider name in the Name field, change the type to OracleInternetDirectoryAuthenticator, and then click OK.

      For a list of authenticator types for different LDAP Authentication Providers, see Table 4-5.

    7. In the Authentication Providers table, click Reorder, move the provider you just created to the top of the list, and then click OK.

    8. Click DefaultAuthenticator, change the Control Flag value to OPTIONAL, and then click Save.

    9. Go back to the Providers tab.

    10. Click the name of the authentication provider you just created to navigate to the Configuration tab for the provider.

      The Configuration tab has two tabs, Common and Provider Specific. On the Common tab, change the Control Flag value to SUFFICIENT, and then click Save.

      SUFFICIENT means that if a user can be authenticated against Oracle Internet Directory, no further authentication is processed.

      REQUIRED means that the authentication provider must succeed even if another provider already authenticated the user. If the embedded LDAP has been set to OPTIONAL and Oracle Internet Directory has been set to REQUIRED, the embedded LDAP user is no longer valid.

    11. Click the Provider Specific tab.

      Set Provider Specific values in the following fields, and leave default values in the other fields:

      • Host: The host name or IP address of the LDAP server.

      • Port: The Oracle Internet Directory Port, 389 by default.

      • Principal: The Distinguished Name (DN) of the LDAP user that Oracle WebLogic Server should use to connect to the LDAP server; for example:

        cn=orcladmin
        
      • Credential: The credential used to connect to the LDAP server (usually a password).

      • Confirm Credential: The same value as for the Credential field.

      • User Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains users; for example:

        cn=users,dc=example,dc=com
        

        In Oracle Internet Directory, this is the value of the User Search Base attribute, which you can look up in the OIDDAS administration dialog.

        Note:

        Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by the application.

      • Use Retrieved User Name as Principal: Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal value.

        Select this attribute for Oracle IRM.

      • Group Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains groups; for example:

        cn=groups,dc=example,dc=com
        

        In Oracle Internet Directory, this is the value of the Group Search Base attribute, which you can look up in the OIDDAS administration dialog.

        Note:

        Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by the application.

      • Propagate Cause For Login Exception: Propagates exceptions thrown by Oracle Internet Directory, like password expired exceptions, to Oracle WebLogic Server so they show in the console and the logs.

        Select this attribute for Oracle IRM, in the General area of the tab.

      If you modify a user name attribute to something other than the default value set for the LDAP server in the authenticator, you must also edit the DOMAIN_HOME/config/fmwconfig/jps-config.xml file to correspond to the modified value. Specifically, you need to add the username.attr and user.login.attr properties, shown in the following example, for user lookups to function correctly.

      <!-- JPS WLS LDAP Identity Store Service Instance -->
      <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
      value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="username.attr" value="uid"/>
      <property name="user.login.attr" value="uid"/>
      </serviceInstance>
      
    12. Click Save.

  5. Shut down the Administration Server, and then restart it to activate the changes.

    Note:

    Authentication providers in an Oracle WebLogic Server domain are chained. This means that user authentication needs to run successfully through all authentication providers. With the Control Flag value set to OPTIONAL for the default provider, it is allowed to fail without a server startup or user authentication failure.

  6. After the server is up again, log in to the Administration Console again, and click Security Realms under Domain Structure.

  7. In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.

  8. Click the Providers tab, and then click the Users and Groups tab. The Users tab shows a list of users contained in the configured authentication providers. Click the Groups tab to see a list of groups.

    You should see user names from the Oracle Internet Directory configuration, which implicitly verifies that the configuration is working.

  9. Check that you have switched the security provider successfully, with either or both of these basic tests:

    • After the creation of the new security provider is complete, verify that all the users in that security provider are listed in that same user-group presentation as the list from Step 3.

    • Access the Managed Server URL, and log in as any of the Oracle Internet Directory users.

      For information about accessing a Managed Server, see Section 10.2, "Starting Managed Servers."

  10. If the Oracle Internet Directory instance is configured successfully, change the Control Flag value to SUFFICIENT, and then click Save.

    SUFFICIENT means that if a user can be authenticated against Oracle Internet Directory, no further authentication is processed.

    REQUIRED means that the authentication provider must succeed even if another provider already authenticated the user. If the embedded LDAP has been set to OPTIONAL and Oracle Internet Directory has been set to REQUIRED, the embedded LDAP user is no longer valid.

  11. Restart the Administration Server and the Managed Server.

  12. For an Oracle IRM Managed Server, if a user has already logged into the Oracle IRM Management Console, you need to run the setIRMImportFolder WLST command after identity store reassociation.

    Use this command to set the import folder to point to the export folder that was set before identity store reassociation.

    Note:

    You should take a backup of the export folder before performing the import process because the import process deletes the contents of the folder during successful processing of the user and group details.

    This operation should be performed with only one Managed Server running a deployed Oracle IRM application, to ensure that only one Managed Server performs the user and group processing. After the import process is complete, all Managed Servers running the Oracle IRM application can be started.

    The following example sets /scratch/irm-data as the import folder:

    cd ECM_ORACLE_HOME/common/bin 
    ./wlst.sh 
    > connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
    > setIRMImportFolder('/scratch/irm-data')
    

    After the Oracle IRM Managed Server picks up this configuration change, it will read the contents of the folder and update the global user ID (GUID) values in the Oracle IRM system to reflect the values in the new identity store. When a user or group has been processed, the import process deletes the corresponding XML file. After the import process is complete, the import folder will be empty:

    /scratch
       /irm-data
    

    If an error occurs during the processing of a user or group, the import process writes the error to a file that matches the user or group name. For example, if the user details in user1.xml cause an error during processing, the import process writes the error details to the file user1.xml.fail:

    /scratch
       /irm-data
           /accounts
               /batch1
                   user1.xml
                   user1.xml.fail
    

    If you can fix the error, then rerun the setIRMImportFolder WLST command to rerun the import process. For example, if user or group processing fails because the user or group does not exist in the new identity store, adding the user or group to Oracle Internet Directory will fix the error, and you can rerun the import process:

    > connect('weblogic', 'password', 'adminServerHost:adminServerPort')
    > setIRMImportFolder('/scratch/irm-data')
    

    After this process is complete, reset the import folder:

    setIRMImportFolder('')
    

    This reset ensures that Oracle IRM does not perform any further data importing when the Managed Server is restarted.
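Before resetting the import folder, it helps to confirm what the import process left behind. The following check is an added example, not Oracle code: it walks an import folder and reports unprocessed XML files and .fail files, assuming the layout shown in the procedure. The sample file contents and the format of the error text are constructed.

```python
# Added illustration (not Oracle code): inspect an Oracle IRM import folder
# for files that the import process has not removed.
import os


def import_status(import_folder):
    """Summarize leftover *.xml and *.xml.fail files under import_folder."""
    xml_files, failed = [], {}
    for root, _dirs, files in os.walk(import_folder):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, import_folder)
            if name.endswith(".xml.fail"):
                # The error file is named after the user or group file it belongs to.
                with open(full, encoding="utf-8", errors="replace") as fh:
                    failed[rel[: -len(".fail")]] = fh.read().strip()
            elif name.endswith(".xml"):
                xml_files.append(rel)
    return {
        # Per the procedure, a finished import leaves no files in the folder.
        "complete": not xml_files and not failed,
        # XML files without an error file: not yet read by the import process.
        "unprocessed": sorted(f for f in xml_files if f not in failed),
        # XML file -> error text: fix the cause, then rerun setIRMImportFolder.
        "failed": dict(sorted(failed.items())),
    }


def make_sample_tree(base):
    """Build the failure layout shown in the procedure (contents are constructed)."""
    batch = os.path.join(base, "accounts", "batch1")
    os.makedirs(batch)
    with open(os.path.join(batch, "user1.xml"), "w", encoding="utf-8") as fh:
        fh.write("<user>constructed sample</user>\n")
    with open(os.path.join(batch, "user1.xml.fail"), "w", encoding="utf-8") as fh:
        fh.write("constructed error text: user not found in identity store\n")
    return batch


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        print(import_status(tmp))
```

Run it against the import folder only after the Managed Server has had time to process the files, and reset the folder with setIRMImportFolder('') once "complete" is true.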

After the reassociation of the identity store, users in Oracle Internet Directory have the same rights that their namesakes had in the Oracle WebLogic Server embedded LDAP server before the migration of user data. For example, if a user existed in the embedded LDAP server before the migration with the user name weblogic and an Oracle IRM role of Domain Administrator, then, after migration, the user in Oracle Internet Directory with the user name weblogic would have the Oracle IRM role of Domain Administrator.
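The Control Flag behavior described in step 10 can be traced with a small model. This is an added example, not Oracle code: it evaluates a provider chain with the standard JAAS control-flag rules, and the provider labels, their order in the chain (Oracle Internet Directory first) and the user names are assumptions made for the illustration.

```python
# Added illustration (not Oracle code): JAAS-style evaluation of a chain of
# authentication providers. Provider labels and user names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Provider:
    name: str
    control_flag: str      # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    users: frozenset       # accounts this provider can authenticate


def authenticate(chain, user):
    """Run `user` through `chain` in order; return (accepted, trace)."""
    required_ok = True     # turns False when a REQUIRED/REQUISITE provider fails
    has_required = False
    any_success = False
    trace = []
    for p in chain:
        ok = user in p.users
        trace.append((p.name, p.control_flag, ok))
        any_success = any_success or ok
        if p.control_flag in ("REQUIRED", "REQUISITE"):
            has_required = True
            if not ok:
                required_ok = False
                if p.control_flag == "REQUISITE":
                    break  # a REQUISITE failure ends the chain at once
        elif p.control_flag == "SUFFICIENT" and ok and required_ok:
            break          # SUFFICIENT success: later providers are not consulted
    # With REQUIRED/REQUISITE providers present, all of them must have succeeded;
    # otherwise at least one SUFFICIENT or OPTIONAL provider must have succeeded.
    accepted = required_ok if has_required else any_success
    return accepted, trace


EMBEDDED_USERS = frozenset({"embedded_only"})   # constructed sample account
OID_USERS = frozenset({"oid_user"})             # constructed sample account

# Step 10: embedded LDAP OPTIONAL, Oracle Internet Directory SUFFICIENT.
CHAIN_SUFFICIENT = [
    Provider("oid", "SUFFICIENT", OID_USERS),
    Provider("embedded-ldap", "OPTIONAL", EMBEDDED_USERS),
]
# The combination step 10 warns about: embedded LDAP OPTIONAL, OID REQUIRED.
CHAIN_REQUIRED = [
    Provider("oid", "REQUIRED", OID_USERS),
    Provider("embedded-ldap", "OPTIONAL", EMBEDDED_USERS),
]

if __name__ == "__main__":
    for label, chain in (("SUFFICIENT", CHAIN_SUFFICIENT), ("REQUIRED", CHAIN_REQUIRED)):
        for user in ("oid_user", "embedded_only", "unknown"):
            accepted, trace = authenticate(chain, user)
            print(f"OID={label:10} user={user:14} accepted={accepted} trace={trace}")
```

With Oracle Internet Directory set to REQUIRED, the account that exists only in the embedded LDAP server is rejected even though its own provider accepts it, which is the case the REQUIRED description in step 10 refers to.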

4.10 Adding Users to Oracle Internet Directory

You can add users to Oracle Internet Directory with Oracle Directory Services Manager, which is part of Oracle Identity Management. To add an entry to the directory with Oracle Directory Services Manager, you must have write access to the parent entry, and you must know the Distinguished Name (DN) to use for the new entry.

Note:

When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.

For information about adding a group entry, see "Managing Dynamic and Static Groups" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. For more information about entries, see "Managing Directory Entries" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

To add users to Oracle Internet Directory:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server.

  2. From the task selection bar, select Data Browser.

  3. On the toolbar, select the Create a new entry icon. Alternatively, right-click any entry and choose Create.

    The Create New Entry wizard starts.

  4. Specify the object classes for the new entry.

    To select object class entries, click the Add icon and use the Add Object Class dialog box. Optionally, use the search box to filter the list of object classes. To add the object class, select it, and then click OK. (All the superclasses from this object class through top are also added.)

    Note:

    You must assign user entries to the inetOrgPerson object class for the entries to appear in the Oracle Internet Directory Self-Service Console in Oracle Delegated Administration Services.

  5. In the Parent of the entry field, you can specify the full DN of the parent entry for the entry you are creating.

    You can also click Browse to locate and select the DN of the parent for the entry you want to add. If you leave the Parent of the entry field blank, the entry is created under the root entry.

  6. Click Next.

  7. Choose an attribute that will be the Relative Distinguished Name (RDN) value for this entry and enter a value for that attribute.

    You must enter values for attributes that are required for the object class you are using, even if none of them is the RDN value. For example, for object class inetorgperson, attributes cn (common name) and sn (surname or last name) are required, even if neither of them is the RDN value.

  8. Click Next.

    The wizard displays the next page. (Alternatively, you can click Back to return to the previous page.)

  9. Click Finish.

  10. To manage optional attributes, navigate to the entry you have just created in the Data Tree.

  11. If the entry is a person, click the Person tab and use it to manage basic user attributes.

    Click Apply to save your changes or Revert to discard them.

    If the entry is a group, see "Managing Dynamic and Static Groups" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for instructions.

  12. If this is a person entry, you can upload a photograph.

    To upload a photograph, click Browse, navigate to the photograph, then click Open.

    To update the photograph, click Update and follow the same procedure.

    To delete the photograph, click the Delete icon.

  13. Click Apply to save your changes or Revert to discard them.

4.11 Installing Fonts for National Language Support on a UNIX System

For languages other than English, the following installation steps need to be done on a UNIX operating system before you start a Managed Server:

  • Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Sun JDK installation directory for the Middleware home.

  • Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Oracle JRockit JDK directory for the Middleware home.

4.12 Configuring Desktop Authentication

You can configure single sign-on (SSO), Oracle Access Manager (OAM), SAML with SSO, and Windows Native Authentication.

For an overview of SSO, see "Configuring Single Sign-On in Oracle Fusion Middleware" in Oracle Fusion Middleware Security Guide.

For an overview of Oracle WebLogic Server authentication providers, see "Configuring Authentication Providers" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

4.12.1 Configuring Oracle Access Manager

Oracle Access Manager enables users to seamlessly gain access to web applications and other IT resources across your enterprise. Oracle IRM supports Basic authentication with OAM, which contains an authorization engine that grants or denies access to particular resources based on properties of the user requesting access as well as on the environment from which the request was made.

For more information about OAM, see "Deploying the Oracle Access Manager Solutions" in Oracle Fusion Middleware Security Guide.

4.12.2 Configuring SAML with SSO

SSO authentication enables users to log in once and seamlessly navigate between applications without having to log in to each application separately. For information about LDAP and SSO configuration, see "Managing Security" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.

For SAML configuration information, see "Configuring the SAML Authentication Provider" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

4.12.3 Configuring Windows Native Authentication

For information about configuring Windows Native Authentication (Kerberos), see "Configuring Single Sign-On with Microsoft Clients" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

4.13 Configuring Managed Server Clusters

For production environments that require increased application performance, throughput, or high availability, you can configure two or more Managed Servers to operate as a cluster. A cluster is a collection of multiple Oracle WebLogic Server server instances running simultaneously and working together to provide increased scalability and reliability. In a cluster, most resources and services are deployed identically to each Managed Server (as opposed to a single Managed Server), enabling failover and load balancing.

A single domain can contain multiple Oracle WebLogic Server clusters, as well as multiple Managed Servers that are not configured as clusters. The key difference between clustered and nonclustered Managed Servers is support for failover and load balancing. These features are available only in a cluster of Managed Servers.

Note:

To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

For an overview of clusters, see "Understanding WebLogic Server Clustering" in Oracle Fusion Middleware Using Clusters for Oracle WebLogic Server.

If you select Managed Servers, Clusters, and Machines on the Select Optional Configuration screen, you will see the screens described in Table 4-6.

Table 4-6 Managed Servers, Clusters, and Machines Advanced Settings Screens

| No. | Screen | Description and Action Required |
|---|---|---|
| 1 | Configure Managed Servers | Add new Managed Servers, or edit and delete existing Managed Servers. Click Next to continue. |
| 2 | Configure Clusters | Create clusters if you are installing in a high availability environment. For more information, refer to Oracle Fusion Middleware High Availability Guide. Click Next to continue. |
| 3 | Assign Servers to Clusters | If you configured any clusters on the Configure Clusters screen. Click Next to continue. |
| 4 | Create HTTP Proxy Applications | If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster. Click Next to continue. |
| 5 | Configure Machines | Configure the machines that will host the Managed Servers in a cluster, and assign each Managed Server to a machine. Click Next to continue. |
| 6 | Target Deployments to Clusters or Servers | Assign your Managed Servers to clusters or servers in your domain. Click Next to continue. |
| 7 | Target Services to Clusters or Servers | Use this screen to target your services (such as JMS and JDBC) to servers or clusters so that your applications can use the services. Click Next to continue. |


You can add a Managed Server to a cluster later, with the Administration Console or Fusion Middleware Control. For more information, see "Scaling Your Environment" in Oracle Fusion Middleware Administrator's Guide.

4.14 Setting Up Oracle Web Services Manager Security

To set up Oracle Web Services Manager (Oracle WSM) security policies for Oracle Enterprise Content Management Suite, you need to do these tasks:

  1. Installing Oracle WebLogic Server and Oracle Enterprise Content Management Suite

  2. Creating Oracle WSM MDS Schema with RCU

  3. Configuring Oracle ECM Applications and Oracle WSM Policy Manager in an Oracle WebLogic Server Domain

  4. Configuring the Server Socket Port and Incoming Socket Connection Address Security Filter for Oracle WSM

  5. Securing Web Services with a Key Store and Oracle WSM Policies

4.14.1 Installing Oracle WebLogic Server and Oracle Enterprise Content Management Suite

Install Oracle WebLogic Server with the Typical option, which also installs Oracle Coherence and the Sun and JRockit JDKs. For information about how to install Oracle WebLogic Server, see Section 3.1.2, "Installing Oracle WebLogic Server in a Middleware Home."

The installation of Oracle WebLogic Server creates an Oracle Fusion Middleware home, where you can install Oracle Enterprise Content Management Suite, which creates an ECM Oracle home. Oracle WSM can be installed from the Oracle ECM suite. The Middleware home includes an Oracle Common home, where the Oracle WSM files are installed. For information about how to install Oracle Enterprise Content Management Suite, which installs the files necessary for deploying Oracle UCM to Oracle WebLogic Server, see Section 3.2, "Installing Oracle Enterprise Content Management Suite in Oracle Fusion Middleware."

4.14.2 Creating Oracle WSM MDS Schema with RCU

Make the following selection on the Repository Creation Utility (RCU) Select Components Screen to create the MDS schema, which you need for setting up Oracle WSM security:

  • Metadata Services under AS Common Schemas

    The selection is for creating an Oracle WSM Policy Manager schema.

This schema will provide a back-end repository for Oracle UCM and the Oracle WSM Policy Manager. If an MDS schema already exists in your database, you can reuse the schema.

For more information about creating the Oracle WSM MDS schemas with RCU, see Section 2.2, "Creating Oracle Enterprise Content Management Suite Schemas."

4.14.3 Configuring Oracle ECM Applications and Oracle WSM Policy Manager in an Oracle WebLogic Server Domain

To configure one or more Oracle ECM applications and Oracle WSM Policy Manager, you need to create or extend an Oracle WebLogic Server domain. For information about creating a domain to include Oracle WSM Policy Manager, see Section 4.2, "Creating an Oracle WebLogic Server Domain." For information about extending a domain with Oracle WSM Policy Manager, see Section 4.3, "Extending an Existing Domain."

4.14.4 Configuring the Server Socket Port and Incoming Socket Connection Address Security Filter for Oracle WSM

During post-installation configuration of a Managed Server, you can configure the Server Socket Port and Incoming Socket Connection Address Security Filter values for Oracle WSM.

Make sure that the following settings exist along with other default settings:

  • Server socket port: 4444

    This value is stored in the configuration file for the Managed Server as IntradocServerPort=4444.

  • Incoming Socket Connection Address Security Filter: *.*.*.*|0:0:0:0:0:0:0:1

    This value is stored in the configuration file for the Managed Server as SocketHostAddressSecurityFilter=*.*.*.*|0:0:0:0:0:0:0:1.

Before any changes to these settings take effect, you need to restart the Managed Server.
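The check below is an added example, not Oracle code: it parses the two settings above and reports which sample client addresses the filter value admits. It assumes that filter entries are separated by | and that * matches any run of characters and ? a single character; the narrowed filter value and the probe addresses are constructed.

```python
# Added illustration (not Oracle code): evaluate which client addresses a
# SocketHostAddressSecurityFilter value admits.
import re

# The two settings as the page gives them.
PAGE_SETTINGS = """\
IntradocServerPort=4444
SocketHostAddressSecurityFilter=*.*.*.*|0:0:0:0:0:0:0:1
"""
# Constructed comparison value: loopback plus one subnet (addresses are examples).
NARROWED_SETTINGS = """\
IntradocServerPort=4444
SocketHostAddressSecurityFilter=127.0.0.1|10.20.30.*|0:0:0:0:0:0:0:1
"""
# Constructed probe addresses; 203.0.113.7 is from a documentation-only range.
PROBES = ["127.0.0.1", "10.20.30.40", "203.0.113.7", "0:0:0:0:0:0:0:1"]


def parse_settings(text):
    """Parse name=value lines; lines without '=' are ignored."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip()
    return settings


def _to_regex(pattern):
    # Assumed wildcard semantics: '*' = any run of characters, '?' = one character.
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern))


def filter_allows(filter_value, address):
    """True if any |-separated entry of the filter matches the whole address."""
    return any(_to_regex(entry.strip()).fullmatch(address)
               for entry in filter_value.split("|") if entry.strip())


def audit(text, probes=PROBES):
    """Report the port, wildcard-only entries, and which probes are admitted."""
    settings = parse_settings(text)
    value = settings.get("SocketHostAddressSecurityFilter", "")
    return {
        "port": settings.get("IntradocServerPort"),
        # Entries with no fixed digit at all admit every address of that shape.
        "open_entries": [e for e in value.split("|")
                         if e.strip() and not re.search(r"[0-9A-Fa-f]", e)],
        "allowed": [p for p in probes if filter_allows(value, p)],
    }


if __name__ == "__main__":
    for label, text in (("page value", PAGE_SETTINGS), ("narrowed", NARROWED_SETTINGS)):
        print(label, audit(text))
```

With the value shown on this page, every IPv4 probe address is admitted to port 4444; the constructed narrowed value admits only loopback and the one listed subnet.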

For more information about the post-installation configuration of a Managed Server, see any of these sections:

4.14.5 Securing Web Services with a Key Store and Oracle WSM Policies

To secure web services, you can set up a key store and apply Oracle WSM policies to the web services.

4.14.5.1 Setting Up a Key Store

The keytool command will generate a key store, which requires a password to open. Inside the key store, a key will be stored, and access to the key requires an additional password.

The suggested location for the key store is in a directory under the domain home:

  • UNIX operating system

    MW_HOME/user_projects/domains/DomainHome/config/fmwconfig
    
  • Windows operating system

    MW_HOME\user_projects\domains\DomainHome\config\fmwconfig
    

Placing the key store in this location ensures that the key store file is backed up when the domain and corresponding credential store files are backed up.

To set up a key store:

  1. Create the key store and key alias orakey:

    JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA \
                           -dname "CN=orakey, O=oracle, C=us" \
                           -keystore default-keystore.jks -storepass welcome
    
  2. Copy default-keystore.jks to the domain's fmwconfig directory:

    cp default-keystore.jks DOMAIN_HOME/config/fmwconfig
    
  3. Save the credentials in a credential store (using WLST commands):

    MW_HOME/ECM_ORACLE_HOME/common/bin/wlst.sh
    connect()
    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome")
    

    This step creates a file, cwallet.sso, under DOMAIN_HOME/config/fmwconfig.

Both default-keystore.jks and cwallet.sso are needed for the client to access the server.

For more information about setting up a key store, see Section 8.1.2, "Configuring a Key Store for Oracle IRM."

4.14.5.2 Applying Oracle WSM Policies to Web Services

The following procedure shows how to apply a policy to the Oracle UCM web services IdcWebLoginService and GenericSoapService. The policy to be applied is oracle/wss11_saml_token_with_message_protection_service_policy.

You can use the Oracle WebLogic Server Administration Console to handle the application of Oracle WSM policies to web services.

To apply an Oracle WSM policy to a web service:

  1. Log in to the Administration Console as the Oracle WebLogic Server administrator.

  2. Click Deployments in the navigation tree on the left.

  3. In the Deployments table, page to Oracle UCM Native Web Services, and expand it.

  4. Click IdcWebLoginService.

  5. On the Settings for IdcWebLoginService page, click Configuration.

  6. Select the WS-Policy tab.

  7. Apply the OWSM policy oracle/wss11_saml_token_with_message_protection_service_policy to IdcWebLoginPort.