3 Configuring Oracle WebCenter Content Applications

This chapter explains how to configure Oracle WebCenter Content applications in an Oracle WebLogic Server domain.

This chapter includes the following sections:

3.1 Preparing to Configure Oracle WebCenter Content Applications

After you have successfully run the Oracle Fusion Middleware 11g Oracle WebCenter Content Installer and created application schemas, you can deploy and configure the following Oracle WebCenter Content products as applications:

  • Oracle WebCenter Content (which includes Oracle WebCenter Content Server)

  • Oracle WebCenter Content: Inbound Refinery

  • Oracle WebCenter Content: Imaging (which includes the Imaging Viewer Cache and AXF for BPEL)

  • Oracle WebCenter Content: AXF for BPM

  • Oracle Information Rights Management

  • Oracle WebCenter Content: Records

To configure any of these applications, you need to create or extend an Oracle WebLogic Server domain, which includes a Managed Server for each deployed application and one Administration Server. Each of these servers is an Oracle WebLogic Server instance.

Notes:

  • For information about application schemas, see Section 2.2, "Creating Oracle WebCenter Content Schemas with the Repository Creation Utility."

  • Each of these applications needs to run in its own Managed Server or its own cluster of Managed Servers. You cannot deploy WebCenter Content, Inbound Refinery, Imaging, Oracle IRM, or Records to a Managed Server or cluster that already has another one of these applications deployed. Oracle WebCenter Content applications should not be deployed to the Administration Server.

  • Only one Managed Server for each of the Oracle WebCenter Content applications, such as WebCenter Content, can be configured in the same Oracle WebLogic Server domain. If you want to put multiple WebCenter Content Managed Servers on the same machine, you need to configure each Managed Server in a separate domain.

  • If you are using a DB2 database, before you start the Configuration Wizard for the first time to configure an Oracle Fusion Middleware product, you need to set the DB_DRIVER_CLASSPATH environment variable to include the full paths to db2jcc4.jar and db2jcc_license_cu.jar. If you do not do this, all DB2 connection tests will fail.
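The DB2 note above is easy to get wrong silently, because the wizard only reports the problem as a failed connection test. The following is an added pre-flight check, not Oracle's code: it verifies that both driver jars are present in the directory you name, prints the DB_DRIVER_CLASSPATH value to export, and refuses to continue if either jar is missing. The driver directory /opt/ibm/db2/java and the UNIX path separator are assumptions; on Windows the entries are separated by a semicolon.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-flight check for the DB2 driver jars
# that the Configuration Wizard needs on DB_DRIVER_CLASSPATH.

# db2_driver_classpath DRIVER_DIR
# Prints "DRIVER_DIR/db2jcc4.jar:DRIVER_DIR/db2jcc_license_cu.jar" on success;
# prints the missing jar names on stderr and returns 1 otherwise.
db2_driver_classpath() {
    dir=$1
    missing=""
    for jar in db2jcc4.jar db2jcc_license_cu.jar; do
        [ -f "$dir/$jar" ] || missing="$missing $jar"
    done
    if [ -n "$missing" ]; then
        echo "missing in $dir:$missing" >&2
        return 1
    fi
    echo "$dir/db2jcc4.jar:$dir/db2jcc_license_cu.jar"
}

# Usage (assumed paths): export the variable and start the wizard only when the
# check passes, so the DB2 connection test cannot fail for a missing driver.
#   DB_DRIVER_CLASSPATH=$(db2_driver_classpath /opt/ibm/db2/java) \
#     && export DB_DRIVER_CLASSPATH \
#     && "$WCC_ORACLE_HOME/common/bin/config.sh" -log=config.log
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    db2_driver_classpath "$2"
fi
```

Run it as `sh db2check.sh --check /opt/ibm/db2/java` before starting config.sh; a non-zero exit tells you which jar to locate first.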

You can create a domain to include one or more of these applications (one Managed Server each). Or you can create a domain to include a Managed Server for at least one application and then extend the domain with Managed Servers for one or more other applications.

Notes:

  • WebCenter Content cannot be deployed to the same domain as Oracle Identity Manager and Oracle Identity Management.

  • Oracle WebCenter Content 11g does not support running WebCenter Content, Inbound Refinery, or Records as a service on a Windows operating system.

For Imaging to take advantage of Business Process Management (BPM) and Oracle BPEL Process Manager within an existing domain, the domain must be extended with Oracle BPM Suite. If you want to use Oracle BPEL Process Manager and not BPM, you can extend the domain with Oracle SOA Suite. For information about connecting to BPM or Oracle BPEL Process Manager as a workflow server, see Section 6.1.4, "Connecting to a Workflow Server."

Note:

The Imaging product deployment provides for up to 10 GB of disk space to be used to stage simultaneous document uploads through the user interface. This limit caps the disk space that concurrent uploads can consume, so that a flood of uploads cannot exhaust the server's storage.

If you have not successfully run the installer on your system, first see Chapter 2, "Installing Oracle WebCenter Content."

To create a domain for one or more Oracle WebCenter Content applications, follow the instructions in Section 3.2, "Creating an Oracle WebLogic Server Domain."

To extend an existing domain for one or more Oracle WebCenter Content applications, follow the instructions in Section 3.3, "Extending an Existing Domain."

Note:

You cannot extend a domain that has an Oracle WebCenter Content 11.1.1.2.1 or 11.1.1.3.0 application to include an Oracle WebCenter Content 11.1.1.7.0 application.

During the configuration, if you need additional help with any of the screens, either click the name of the screen in the instructions to see its description in Appendix B, "Configuration Screens for Oracle WebCenter Content," or click Help on the screen in the installer to access the online help.

After you create or extend a domain, you can configure Oracle Enterprise Manager Fusion Middleware Control for administration of Oracle WebCenter Content applications. Fusion Middleware Control is deployed to the Administration Server when a domain is created. You can use Fusion Middleware Control for additional configuration tasks.

For information about configuring Fusion Middleware Control for Oracle WebCenter Content on an IBM WebSphere Application Server, see "Using Oracle Enterprise Manager Fusion Middleware Control" in the Oracle Fusion Middleware Third-Party Application Server Guide.

3.2 Creating an Oracle WebLogic Server Domain

You can create an Oracle WebLogic Server domain for Oracle WebCenter Content with Fusion Middleware Configuration Wizard. When you create a domain for Oracle WebCenter Content, you configure one or more of its applications.

Note:

If you plan to use Oracle SOA Suite with Imaging, such as for the Oracle Application Extension Framework (AXF), you need to install and configure Oracle SOA Suite first. For information about installing and configuring Oracle SOA Suite, see the Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.

If you create the domain with Oracle SOA Suite, you can extend the domain with Oracle WebCenter Content, as described in Section 3.3, "Extending an Existing Domain."

The configuration wizard is in the following directory. WCC_ORACLE_HOME represents the WebCenter Content Oracle home directory, where Oracle WebCenter Content is installed. The WebCenter Content Oracle home was specified in the Oracle Home Directory field on the Specify Installation Location screen of the installer (default Oracle_ECM1).

  • UNIX path: WCC_ORACLE_HOME/common/bin

  • Windows path: WCC_ORACLE_HOME\common\bin

To create a log file of your configuration session, start Fusion Middleware Configuration Wizard with the -log option:

  • UNIX script:
    WCC_ORACLE_HOME/common/bin/config.sh -log=log_file_name

    Your log file will be created in the location from which you start the configuration wizard.

  • Windows script:
    WCC_ORACLE_HOME\common\bin\config.cmd -log=log_file_name

    Your log file will be created in your inventory_location\logs\installActions\logs directory. The default inventory_location value follows:

    %PROGRAMFILES%\Oracle\Inventory

Table 3-1 describes the steps for creating a domain and provides some links to screen descriptions in Appendix B, "Configuration Screens for Oracle WebCenter Content."

Table 3-1 Procedure for Creating a New Domain

Screen / When This Screen Appears / Description and Action to Take

None

Always

Start Fusion Middleware Configuration Wizard:

  • UNIX script:
    WCC_ORACLE_HOME/common/bin/config.sh [-log=log_file_name]

  • Windows script:
    WCC_ORACLE_HOME\common\bin\config.cmd [-log=log_file_name]

Welcome

Always

Select Create a new WebLogic Domain.

Click Next to continue.

Select Domain Source

Always

Select Generate a domain configured automatically to support the following products, and then select one or more of these product templates:

  • Oracle WebCenter Content: AXF for BPM

  • Oracle WebCenter Content: Imaging

  • Oracle Universal Records Management

    (for Oracle WebCenter Content: Records)

  • Oracle Universal Content Management - Inbound Refinery

    (for Oracle WebCenter Content: Inbound Refinery)

  • Oracle Universal Content Management - Content Server

    (for Oracle WebCenter Content)

  • Oracle Information Rights Management

   

For WebCenter Content:

Select Oracle WebCenter Content - Content Server.

   

For Imaging:

When you select Oracle WebCenter Content: Imaging, you also need to select Oracle WebCenter Content - Content Server.

   

For Imaging Viewer Cache

When you select Oracle WebCenter Content: Imaging, Oracle WebCenter Content: Imaging Viewer Cache is automatically selected.

   

For AXF for BPEL:

Imaging includes AXF for BPEL. Select Oracle WebCenter Content: Imaging and Oracle WebCenter Content - Content Server.

   

For AXF for BPM:

If you are going to use AXF for BPM with Imaging, you need to select the following product templates (some of these are automatically selected):

  • Oracle BPM Suite

  • Oracle SOA Suite

  • Oracle WebCenter Content: AXF for BPM

  • Oracle WebCenter Content: Imaging Viewer Cache

  • Oracle WebCenter Content: Imaging

  • Oracle Universal Content Management - Content Server

  • Oracle Enterprise Manager

  • Oracle WSM Policy Manager

  • Oracle JRF

   

For AXF for BPM or AXF for BPEL with Oracle SOA Suite on a different domain or machine:

If you are going to use AXF for BPM or AXF for BPEL with Imaging, and Oracle SOA Suite is deployed to a different domain or installed on a different machine, you will need to run WCC_ORACLE_HOME\common\bin\config.cmd on the Oracle SOA Suite machine and select the following product templates:

  • Oracle SOA Suite

  • Oracle WSM Policy Manager

  • Oracle Enterprise Manager

   

For Site Studio for External Applications:

If you want a remote deployment of a Site Studio for External Applications website, you can select Oracle Universal Content Management - SSXA Server (for Oracle WebCenter Content - SSXA Server) to create an Oracle WebLogic Server domain with a Managed Server that has the files required to run the website.

   

For Oracle WSM Policy Manager:

To create a domain that includes Oracle Web Services Manager (Oracle WSM) Policy Manager, select Oracle WSM Policy Manager.

   

For Oracle Enterprise Manager and Oracle JRF

When you select any Oracle WebCenter Content application on the Select Domain Source screen, Oracle Enterprise Manager and Oracle JRF are automatically selected. If you deselect any of these items that are automatically selected, the Oracle WebCenter Content application will also be deselected.

   

Click Next to continue.

Specify Domain Name and Location

Always

Enter the name of the domain you want to create in the Domain name field.

The default location for the domain follows (MW_HOME represents the Middleware home directory):

  • UNIX path: MW_HOME/user_projects/domains

  • Windows path: MW_HOME\user_projects\domains

You can specify a different location in the Domain location field.

Note: Record the domain name and location from this screen because you will need them later to start the Administration Server.

You can specify the location of the Oracle WebCenter Content application in the Application location field. The default location is MW_HOME/user_projects/applications/.

Click Next to continue.

Configure Administrator User Name and Password

Always

The User name field has the default administrator user name, weblogic. You can specify a different administrator user name.

In the User password field, enter the password for the administrator user.

Note: Record the administrator user name and password from this screen because you will need them later to start the Managed Servers and to access the domain through the Oracle WebLogic Server Administration Console or Fusion Middleware Control.

Click Next to continue.

Configure Server Start Mode and JDK

Always

Under WebLogic Domain Startup Mode, Development Mode is the default mode. For a production system, select Production Mode.

Under JDK Selection, you can leave Available JDKs and the default JDK selected, or you can change them. The default JDK for development mode is Sun SDK 1.6.0_version, and the default JDK for production mode is JRockit SDK 1.6.0_version, except on a 64-bit system, where the default JDK is the one you installed. To specify a different JDK, select Other JDK, and enter its location.

Click Next to continue.

Configure JDBC Component Schema

Always

Configure each component schema, including the Oracle WSM MDS schema if it was created with Repository Creation Utility (RCU), by selecting a schema checkbox and then completing the following fields:

  • Component Schema: Select a component schema row.

  • Vendor: Select a database vendor from the list.

  • Driver: Leave the default driver for the database vendor selected, or select a driver for the component schema from the list.

  • Schema Owner: Enter the user name of the application schema owner, specified during schema creation with RCU.

  • Schema Password: Enter the schema password, specified during schema creation with RCU.

  • DBMS/Service: Enter the name of the database instance if Oracle's Driver (Thin) for Instance connections is selected in the Driver field, or enter the service name (global database name) if Oracle's Driver (Thin) for Service connections is selected in the Driver field. For Microsoft SQL Server or IBM DB2, you must enter a database name because there is no service name.

    Specify the database that contains the application schema or schemas.

    For Oracle RAC databases, specify the service name of one of the nodes in this field. For example: sales.example.com.

  • Host Name: Specify the name of the machine on which your database resides, in the format host.example.com. For Oracle RAC databases, specify the Virtual IP name or one of the node names as the host name.

  • Listen Port: Specify the database listen port number. The default port number is 1521 for an Oracle Database instance, 1433 for Microsoft SQL Server, or 50000 for IBM DB2.

Click Next to continue.
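The DBMS/Service, Host Name and Listen Port fields above are combined by the wizard into the JDBC URL that the next screen's connection test uses, and the service-versus-instance distinction for Oracle, or the database-name requirement for SQL Server and DB2, decides whether that test can succeed. The following is an added example, not Oracle's code, that performs the same mapping so you can see what a given combination of fields produces and catch an empty or malformed field before the test runs. The driver keywords (oracle-service, oracle-instance, sqlserver, db2) are this script's own names, not wizard labels; the Oracle Thin and IBM DB2 URL forms are standard, and the SQL Server form assumes the WebLogic-bundled driver.

```shell
#!/bin/sh
# Added example (not Oracle's code): build the JDBC URL that corresponds to the
# Configure JDBC Component Schema fields, with the same field checks.

# Default listen port per vendor, as stated in the Listen Port field description.
default_port() {
    case "$1" in
        oracle-service|oracle-instance) echo 1521 ;;
        sqlserver) echo 1433 ;;
        db2) echo 50000 ;;
        *) return 1 ;;
    esac
}

# jdbc_url DRIVER HOST DBMS_OR_SERVICE [PORT]
# Prints the URL on stdout; returns 1 with a reason on stderr for unusable input.
jdbc_url() {
    driver=$1
    host=$2
    db=$3
    port=${4:-}
    if [ -z "$host" ]; then
        echo "Host Name is required (for example host.example.com)" >&2
        return 1
    fi
    if [ -z "$db" ]; then
        echo "DBMS/Service must not be empty" >&2
        return 1
    fi
    if [ -z "$port" ]; then
        port=$(default_port "$driver") || { echo "unknown driver: $driver" >&2; return 1; }
    fi
    case "$port" in
        *[!0-9]*|'') echo "Listen Port must be numeric: '$port'" >&2; return 1 ;;
    esac
    case "$driver" in
        # Service connection: host:port/service_name (the global database name)
        oracle-service)  echo "jdbc:oracle:thin:@$host:$port/$db" ;;
        # Instance connection: host:port:SID
        oracle-instance) echo "jdbc:oracle:thin:@$host:$port:$db" ;;
        # SQL Server has no service name; the database name is required
        # (assumes the WebLogic-bundled SQL Server driver URL form)
        sqlserver) echo "jdbc:weblogic:sqlserver://$host:$port;databaseName=$db" ;;
        # IBM DB2 (db2jcc4.jar driver): host:port/database_name
        db2) echo "jdbc:db2://$host:$port/$db" ;;
        *) echo "unknown driver: $driver" >&2; return 1 ;;
    esac
}

# Usage: sh jdbcurl.sh oracle-service dbhost.example.com sales.example.com
if [ "$#" -gt 0 ]; then
    jdbc_url "$@"
fi
```

For an Oracle RAC database, pass the service name of one node as the third argument and the Virtual IP name or a node name as the host, exactly as the field descriptions require.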

Test Component Schema

Always

The configuration wizard automatically tests the connection to the JDBC component schema.

If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection.

After the test succeeds, click Next to continue.

Select Optional Configuration

Always

Optionally, select any or all of these options for configuring the Administration Server and Managed Servers:

  • Administration Server

  • JMS Distributed Destination

  • Managed Servers, Clusters and Machines

  • Deployments and Services

  • RDBMS Security Store

Select one or more of these options if you want to change any default settings. For example, select Administration Server to configure SSL for it or change its port number, or select Managed Servers, Clusters and Machines to change the name or port for a Managed Server, add it to a cluster, or configure a machine for it.

For Oracle IRM, you should select Administration Server, Managed Servers, Clusters and Machines, and Deployments and Services.

Note: To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

Click Next to continue to the configuration screens for the selected option or, if you did not select any options, to the Configuration Summary screen.

Configure the Administration Server

If you selected Administration Server on the Select Optional Configuration screen

The default listen port number for the Administration Server is 7001, which you can change.

If you want to change the configuration of SSL for the Administration Server, you can select SSL enabled. The SSL port is set to 7002 by default in the SSL Listen Port field. If SSL enabled is selected, you can change the SSL listen port value.

Note: If SSL is enabled, before you use WLST to connect to the Administration Server, you must either append the following parameters to the JVM_ARGS section of the wlst.sh file or set them in the CONFIG_JVM_ARGS environment variable:

-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.TrustKeyStore=KeyStoreName

KeyStoreName is the name of the keystore in use (DemoTrust for the built-in demonstration certificate). The wlst.sh file is in the bin subdirectory of the common directory in the WebCenter Content Oracle home directory.

Click Next to continue.
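The note above gives the two JVM properties WLST needs to talk to an SSL-enabled Administration Server. The following added example, not Oracle's code, assembles the CONFIG_JVM_ARGS value for either the built-in DemoTrust store named on the page or a CustomTrust store, which is the standard WebLogic trust-store type for your own JKS file and additionally needs the weblogic.security.CustomTrustKeyStoreFileName property. The trust store path used in the usage comment is an assumption; the function refuses to emit arguments pointing at a file it cannot read.

```shell
#!/bin/sh
# Added example (not Oracle's code): build CONFIG_JVM_ARGS for WLST against an
# SSL-enabled Administration Server, as described in the note above.

# wlst_ssl_args KEYSTORE_NAME [CUSTOM_TRUST_JKS]
# Prints the JVM arguments on stdout; returns 1 for unusable input.
wlst_ssl_args() {
    ks=$1
    jks=${2:-}
    case "$ks" in
        DemoTrust)
            # Built-in demonstration trust store; hostname verification must be
            # skipped because the demo certificate does not match your host.
            echo "-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust"
            ;;
        CustomTrust)
            # Your own JKS trust store: the file must exist and be readable.
            [ -n "$jks" ] && [ -r "$jks" ] || {
                echo "CustomTrust needs a readable trust store, got: '$jks'" >&2
                return 1
            }
            echo "-Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=$jks"
            ;;
        *)
            echo "unsupported keystore name: $ks (use DemoTrust or CustomTrust)" >&2
            return 1
            ;;
    esac
}

# Usage (assumed trust store path):
#   CONFIG_JVM_ARGS=$(wlst_ssl_args CustomTrust /opt/oracle/config/trust.jks) \
#     && export CONFIG_JVM_ARGS \
#     && "$WCC_ORACLE_HOME/common/bin/wlst.sh"
if [ "$#" -gt 0 ]; then
    wlst_ssl_args "$@"
fi
```

The ignoreHostnameVerification property, which the note requires, turns off the check that the server certificate's subject matches the host WLST connected to. That is appropriate for the demonstration certificate; once the Administration Server presents a certificate issued for its real host name and your trust store holds the issuing CA, the property can be dropped and the CustomTrust arguments alone suffice.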

Select JMS Distributed Destination Type

If you selected Oracle WebCenter Content: Imaging on the Select Domain Source screen

Accept the default (UDD), and click Next. Click OK in the override warning.

Configure Managed Servers

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen

Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value. For increased security, you can specify a nondefault port number.

Table 3-2 lists the default port values for the Managed Servers that run Oracle WebCenter Content applications.

If you want to change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value.

For Oracle IRM, SSL is enabled by default, with port number 16101. SSL needs to be configured so that Rights Desktop does not show prompts to accept certificates when it contacts the Managed Server. The certificate used must be trusted by Microsoft Internet Explorer on computers running Rights Desktop.

Click Next to continue.

Configure Clusters

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen

Optionally, configure one or more clusters.

Notes:

  • To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

  • If you decide to configure a cluster, then you must assign a cluster address.

Click Next to continue.

Assign Servers to Clusters

If you configured any clusters on the Configure Clusters screen

Assign two or more of the Managed Servers in the domain to each cluster.

Click Next to continue.

Create HTTP Proxy Applications

If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster

Create a proxy application for each Managed Server that you did not assign to a cluster in the domain.

Click Next to continue.

Configure Machines

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen

Optionally, configure machines to host Managed Servers, and assign a Managed Server to each machine.

Click Next to continue.

Assign Servers to Machines

If you added any machines on the Configure Machines screen

Assign at least one server to each machine.

Click Next to continue.

Target Deployments to Clusters or Servers

If you selected Deployments and Services on the Select Optional Configuration screen

Optionally, assign each application to the Administration Server, a Managed Server, or a cluster of Managed Servers.

Oracle IRM should be deployed on a cluster or on a Managed Server that is not a member of any cluster because Oracle IRM uses persistent-store-type as replicated_if_clustered. If the Oracle IRM web application is deployed on a clustered server, the in-effect persistent-store-type value will be replicated. Otherwise, memory is the default.

When deploying Oracle IRM to a cluster, make sure that the Oracle IRM application is deployed to all nodes.

Click Next to continue.

Target Services to Clusters or Servers

If you selected Deployments and Services on the Select Optional Configuration screen

Optionally, modify how your services are targeted to servers or clusters.

Click Next to continue.

Configure RDBMS Security Store Database

If you selected RDBMS Security Store on the Select Optional Configuration screen

Optionally, make changes to your RDBMS security store.

Click Next to continue.

Configuration Summary

Always

Review your configuration and make any corrections or updates by following the instructions on the screen.

You can click Previous on each screen to go back to a screen where you want to change the configuration.

When the configuration is satisfactory, click Create to create the domain.

Creating Domain

Always

On a Windows operating system, you can select Start Admin Server to start the Administration Server as soon as the configuration is done.

When the domain is created successfully, click Done.


Table 3-2 lists the default port values for the Managed Servers that run Oracle WebCenter Content applications.

Table 3-2 Default Ports for Managed Servers

Managed Server       Default Listen Port   Default SSL Port   Port Range
Imaging              16000                 16001              16000-16099
Oracle IRM           16100                 16101              16100-16199
WebCenter Content    16200                 16201              16200-16299
Inbound Refinery     16250                 16251              16200-16299
Records              16300                 16301              16300-16399
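When you replace the defaults in Table 3-2 with nondefault ports, as the Configure Managed Servers screen suggests for increased security, the values still have to be unique across the domain and are expected to stay inside each product's range. The following added example, not Oracle's code, checks a planned assignment before it is typed into the wizard: every listen and SSL port must be unique (the Administration Server's default 7001 and 7002 count as taken), a server's listen and SSL ports must differ, and each port must fall inside the product's range from the table. The plan format and the short server keys (Imaging, IRM, WebCenterContent, InboundRefinery, Records) are this script's own conventions.

```shell
#!/bin/sh
# Added example (not Oracle's code): validate a planned Managed Server port
# assignment against the ranges in Table 3-2 before entering it in the wizard.

# check_port_plan reads lines of the form "server listen_port ssl_port" on
# stdin, prints one line per problem found, and returns 1 if there was any.
check_port_plan() {
    awk '
    BEGIN {
        # Port ranges from Table 3-2 (WebCenter Content and Inbound Refinery share one)
        lo["Imaging"]=16000;          hi["Imaging"]=16099
        lo["IRM"]=16100;              hi["IRM"]=16199
        lo["WebCenterContent"]=16200; hi["WebCenterContent"]=16299
        lo["InboundRefinery"]=16200;  hi["InboundRefinery"]=16299
        lo["Records"]=16300;          hi["Records"]=16399
        # The Administration Server defaults (7001 listen, 7002 SSL) are taken too
        seen[7001]="AdminServer listen"; seen[7002]="AdminServer SSL"
        bad=0
    }
    NF == 0 { next }
    NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
        print "line " NR ": expected \"server listen ssl\", got: " $0; bad=1; next
    }
    {
        s=$1; l=$2+0; p=$3+0
        if (!(s in lo)) { print s ": unknown server key"; bad=1; next }
        if (l == p) { print s ": listen and SSL port must differ (" l ")"; bad=1 }
        if (l < lo[s] || l > hi[s]) { print s ": listen port " l " outside " lo[s] "-" hi[s]; bad=1 }
        if (p < lo[s] || p > hi[s]) { print s ": SSL port " p " outside " lo[s] "-" hi[s]; bad=1 }
        if (l in seen) { print s ": listen port " l " already used by " seen[l]; bad=1 } else seen[l]=s " listen"
        if (p in seen) { print s ": SSL port " p " already used by " seen[p]; bad=1 } else seen[p]=s " SSL"
    }
    END { exit bad }
    '
}

# Usage: check_port_plan < plan.txt
# --demo runs a constructed plan in which the Records SSL port collides with
# Inbound Refinery and lies outside the Records range.
if [ "${1:-}" = "--demo" ]; then
    printf 'Imaging 16000 16001\nWebCenterContent 16200 16201\nInboundRefinery 16250 16251\nRecords 16300 16251\n' \
        | check_port_plan
fi
```

A clean run prints nothing and exits 0, so the function can gate a scripted domain build; each reported line names the server and the field on the Configure Managed Servers screen that needs a different value.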


The following operations should have completed successfully:

  • Creation of an Oracle WebLogic Server domain, with an Administration Server

  • Creation of a Managed Server for each application that you selected on the Select Domain Source screen

  • Deployment of each application to its Managed Server

    An application is not active until its Managed Server is started. Before you start a Managed Server, see the rest of the configuration information in this chapter and in the configuration chapter for your application. For more information, see Section 9.2, "Starting Managed Servers."

3.3 Extending an Existing Domain

You can extend an existing Oracle WebLogic Server domain to configure one or more Oracle WebCenter Content applications. Fusion Middleware Configuration Wizard is in the following directory:

  • UNIX path: WCC_ORACLE_HOME/common/bin

  • Windows path: WCC_ORACLE_HOME\common\bin

Notes:

  • WebCenter Content cannot be deployed to the same domain as Oracle Identity Manager and Oracle Identity Management.

  • You cannot extend a domain that has an Oracle Enterprise Content Management Suite or Oracle WebCenter Content application from an earlier release to include an Oracle WebCenter Content 11.1.1.7.0 application.

You can also extend a domain to include other applications in the same domain. For example, you could extend an Oracle WebCenter Content domain to include an Oracle IRM Managed Server. Or you could extend an Imaging domain to include Oracle SOA Suite.

Note:

Before you extend a domain to include Oracle SOA Suite on an AIX platform, you need to confirm that the soa-ibm-addon.jar file is in the SOA_ORACLE_HOME/soa/modules directory. Make sure that the file is there, and add the following entry to the SOA_ORACLE_HOME/bin/ant-sca-compile.xml file at line 65:

 <include name="soa-ibm-addon.jar"/>

Table 3-3 describes the steps for extending a domain and provides some links to screen descriptions in Appendix B, "Configuration Screens for Oracle WebCenter Content."

Table 3-3 Procedure for Extending an Existing Domain

Screen / When This Screen Appears / Description and Action to Take

None.

Always

Start Fusion Middleware Configuration Wizard:

  • UNIX script:
    WCC_ORACLE_HOME/common/bin/config.sh [-log=log_file_name]

  • Windows script:
    WCC_ORACLE_HOME\common\bin\config.cmd [-log=log_file_name]

Welcome

Always

Select Extend an existing WebLogic Domain.

Click Next to continue.

Select a WebLogic Domain Directory

Always

Select a directory for adding your applications or services, or both.

Click Next to continue.

Select Extension Source

Always

Select Extend my domain automatically to support the following added products, and then select one or more of these product templates:

  • Oracle WebCenter Content: AXF for BPM

  • Oracle WebCenter Content: Imaging

  • Oracle Universal Records Management

    (for Oracle WebCenter Content: Records)

  • Oracle Universal Content Management - Inbound Refinery

    (for Oracle WebCenter Content: Inbound Refinery)

  • Oracle Universal Content Management - Content Server

    (for Oracle WebCenter Content)

  • Oracle Information Rights Management

   

For WebCenter Content:

Select Oracle WebCenter Content - Content Server.

   

For Imaging:

When you select Oracle WebCenter Content: Imaging, you also need to select Oracle WebCenter Content - Content Server if WebCenter Content is not already configured in the domain.

   

For Imaging Viewer Cache

When you select Oracle WebCenter Content: Imaging, Oracle WebCenter Content: Imaging Viewer Cache is automatically selected.

   

For AXF for BPEL:

Imaging includes AXF for BPEL. Select Oracle WebCenter Content: Imaging and Oracle WebCenter Content - Content Server.

   

For AXF for BPM:

If you are going to use AXF for BPM with Imaging, you need to select the following product templates (some of these are automatically selected):

  • Oracle BPM Suite

  • Oracle SOA Suite

  • Oracle WebCenter Content: AXF for BPM

  • Oracle WebCenter Content: Imaging Viewer Cache

  • Oracle WebCenter Content: Imaging

  • Oracle Universal Content Management - Content Server

  • Oracle Enterprise Manager

  • Oracle WSM Policy Manager

  • Oracle JRF

   

For AXF for BPM or AXF for BPEL with Oracle SOA Suite on a different domain or machine:

If you are going to use AXF for BPM or AXF for BPEL with Imaging, and Oracle SOA Suite is deployed to a different domain or installed on a different machine, you will need to run WCC_ORACLE_HOME\common\bin\config.cmd on the Oracle SOA Suite machine and select the following product templates:

  • Oracle SOA Suite

  • Oracle WSM Policy Manager

  • Oracle Enterprise Manager

   

For Site Studio for External Applications:

If you want a remote deployment of a Site Studio for External Applications website, you can select Oracle Universal Content Management - SSXA Server (for Oracle WebCenter Content - SSXA Server) to extend an Oracle WebLogic Server domain with a Managed Server that has the files required to run the website.

   

For Oracle WSM Policy Manager:

To extend a domain with Oracle Web Services Manager (Oracle WSM) Policy Manager, select Oracle WSM Policy Manager.

   

Oracle Enterprise Manager and Oracle JRF

When you select any Oracle WebCenter Content application, Oracle Enterprise Manager and Oracle JRF are automatically selected. If you deselect any of these items that are automatically selected, the Oracle WebCenter Content application will also be deselected.

   

Click Next to continue.

Configure JDBC Component Schema

Always

Configure each component schema, including the Oracle WSM MDS schema if it was created with Repository Creation Utility (RCU), in the following fields:

  • Component Schema: Select a component schema row.

  • Vendor: Select a database vendor from the list.

  • Driver: Leave the default driver for the database vendor selected, or select a driver for the component schema from the list.

  • Schema Owner: Enter the user name of the application schema owner, specified during schema creation with RCU.

  • Schema Password: Enter the schema password, specified during schema creation with RCU.

  • DBMS/Service: Enter the name of the database instance if Oracle's Driver (Thin) for Instance connections is selected in the Driver field, or enter the service name (global database name) if Oracle's Driver (Thin) for Service connections is selected in the Driver field. For Microsoft SQL Server, you must enter a database name because there is no service name.

    Specify the database that contains the application schema or schemas.

    For Oracle RAC databases, specify the service name of one of the nodes in this field. For example: sales.example.com.

  • Host Name: Specify the name of the machine on which your database resides, in the format host.example.com. For Oracle RAC databases, specify the Virtual IP name or one of the node names as the host name.

  • Listen Port: Specify the database listen port number. The default port number is 1521 for an Oracle Database instance, 1433 for Microsoft SQL Server, or 50000 for IBM DB2.

Click Next to continue.

Test Component Schema

Always

The configuration wizard automatically tests the connection to the JDBC component schema.

If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection.

After the test succeeds, click Next to continue.

Select Optional Configuration

Always

Optionally, select any or all of these options for configuring Managed Servers:

  • JMS Distributed Destination

  • Managed Servers, Clusters and Machines

  • Deployments and Services

  • RDBMS Security Store

Select one or more of these options if you want to change any default settings. For example, select Administration Server to configure SSL for it or change its port number, or select Managed Servers, Clusters and Machines to change the name or port for a Managed Server, add it to a cluster, or configure a machine for it.

Note: To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

For Oracle IRM, you should select Administration Server, Managed Servers, Clusters and Machines, and Deployments and Services.

If you are extending a domain that already includes WebCenter Content with Imaging and plan to use WebCenter Content 11g as the Imaging repository, select Managed Servers, Clusters and Machines so you can configure a separate machine for running the Imaging Managed Server.

Click Next to continue to the configuration screens for the selected option, or if you did not select any options, to the Configuration Summary screen.

Select JMS Distributed Destination Type

If you selected Oracle WebCenter Content: Imaging on the Select Extension Source screen

Accept the default (UDD), and click Next. Click OK in the override warning.

Configure Managed Servers

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen

Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value or, for increased security, specify a nondefault port number.

Table 3-2 lists the default port values for the Managed Servers that run Oracle WebCenter Content applications.

To change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value.

For Oracle IRM, SSL is enabled by default, with port number 16101. SSL needs to be configured so that Rights Desktop does not show prompts to accept certificates when it contacts the Managed Server. The certificate used must be trusted by Microsoft Internet Explorer on computers running Rights Desktop.

Click Next to continue.

Configure Clusters

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen

Optionally, change the cluster configuration.

Notes:

  • To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

  • If you decide to configure a cluster, then you must assign a cluster address.

Click Next to continue.

Assign Servers to Clusters

If you configured any clusters on the Configure Clusters screen

Assign two or more of the Managed Servers in the domain to each cluster.

Click Next to continue.

Create HTTP Proxy Applications

If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster

Create a proxy application for each Managed Server in the domain that you did not assign to a cluster.

Click Next to continue.

Configure Machines

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen

Optionally, configure machines to host Managed Servers, and assign a Managed Server to each machine.

If you are extending a domain that already includes WebCenter Content with Imaging and plan to use WebCenter Content 11g as the Imaging repository, configure a separate machine and assign the Imaging Managed Server to it.

Click Next to continue.

Assign Servers to Machines

If you added any machines on the Configure Machines screen

Assign at least one server to each machine.

Click Next to continue.

Target Deployments to Clusters or Servers

If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen

Optionally, assign each application to the Administration Server, a Managed Server, or a cluster of Managed Servers.

Oracle IRM should be deployed on a cluster or on a Managed Server that is not a member of any cluster because Oracle IRM uses persistent-store-type as replicated_if_clustered. If the Oracle IRM web application is deployed on a clustered server, the in-effect persistent-store-type value will be replicated. Otherwise, memory is the default.

Make sure that the Oracle IRM application is not deployed to one of the servers in a cluster.

Click Next to continue.

Target Services to Clusters or Servers

If you selected Deployments and Services on the Select Optional Configuration screen

Optionally, modify how your services are targeted to servers or clusters.

Click Next to continue.

Configuration Summary

Always.

When the configuration is satisfactory, click Extend to extend the domain.

Extending Domain

Always.

On a Windows operating system, you can select Start Admin Server to start the Administration Server as soon as the configuration is done.

When the domain is successfully extended, click Done.


The following operations should have completed successfully:

  • Extension of an existing Oracle WebLogic Server domain to include the application or applications that you selected on the Extend Domain Source screen

  • Creation of a Managed Server for each application that you selected

  • Deployment of each application to its Managed Server

    An application is not active until its Managed Server is started. Before you start a Managed Server, see the rest of the configuration information in this chapter and in the configuration chapter for your application. For more information, see Section 9.2, "Starting Managed Servers."

3.4 Extending a Domain in an SSL Environment

If your Oracle WebLogic Server domain connects to a database through an SSL port, you need to back up your data source and SSL parameters and remove the SSL configuration from the data source before running Fusion Middleware Configuration Wizard to extend the domain. After you have successfully extended the domain, you can restore the SSL configuration to your data source.

To extend a domain in an SSL environment with Fusion Middleware Configuration Wizard:

  1. In the Oracle WebLogic Server Administration Console, select your data source, and save a backup of all SSL parameters.

    Back up the URL, javax.net.ssl.trustStorePassword, javax.net.ssl.trustStore, javax.net.ssl.trustStoreType, and any other SSL parameters that have been configured for the data source.

  2. Temporarily replace the SSL configuration for the data source with a non-SSL configuration.

    Use a non-SSL URL and remove all SSL properties. You should end with something like this configuration:

    • URL:

      jdbc:oracle:thin:@myhost.example.com:1521:db11107
      
    • Properties:

      • user=MAR20SSL_OCS

      • oracle.net.CONNECT_TIMEOUT=10000

      • sendStreamAsBlob=true

  3. Using Fusion Middleware Configuration Wizard, extend the domain, as described in Table 3-3.

  4. After successfully extending the domain, restore the SSL configuration to your data source. You should end with something like this configuration:

    • URL:

      jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.example.com)(PORT=2490)))(CONNECT_DATA=(SERVICE_NAME=db11107.example.com))(SECURITY=(SSL_SERVER_CERT_DN="CN=myhost.example.com,OU=QA,O=ECM,L=RedwoodShores,ST=California,C=US"))) 
      
    • Properties:

      • javax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase

      • user=MAR20SSL_OCS

      • javax.net.ssl.trustStore=/mw_home/wlserver_10.3/server/lib/DemoTrust.jks

      • oracle.net.CONNECT_TIMEOUT=10000

      • javax.net.ssl.trustStoreType=JKS

      • sendStreamAsBlob=true

  5. If during step 3 you updated your domain with a new product that creates its own data source, you may need to add SSL configuration to it as well.
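The backup, strip and restore of steps 1, 2 and 4 above, done on the data source's JDBC module file rather than in the Administration Console, as an added example that is not Oracle's code. It assumes every server in the domain is shut down while the file under DOMAIN_HOME/config/jdbc is edited; the sample module, its data source name and the 1521 non-SSL listener port are constructed from the values shown in the procedure.

```python
"""Back up, strip and restore a WebLogic JDBC data source's SSL settings
around a domain extension (Section 3.4). Added example, not Oracle's
code: it edits the data source's jdbc-data-source module XML (kept under
DOMAIN_HOME/config/jdbc) while every server in the domain is shut down.
The sample module below is constructed from the values in the procedure.
"""
import xml.etree.ElementTree as ET

NS = "http://xmlns.oracle.com/weblogic/jdbc-data-source"
ET.register_namespace("", NS)

# Any driver property with this prefix is an SSL parameter (trustStore,
# trustStorePassword, trustStoreType, ...) and is backed up and removed.
SSL_PROPERTY_PREFIX = "javax.net.ssl."

# Constructed sample (the data source name is made up) carrying the SSL
# configuration shown in step 4.
SAMPLE_MODULE = """<?xml version="1.0" encoding="UTF-8"?>
<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>CSDS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.example.com)(PORT=2490)))(CONNECT_DATA=(SERVICE_NAME=db11107.example.com))(SECURITY=(SSL_SERVER_CERT_DN="CN=myhost.example.com,OU=QA,O=ECM,L=RedwoodShores,ST=California,C=US")))</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property><name>javax.net.ssl.trustStorePassword</name><value>DemoTrustKeyStorePassPhrase</value></property>
      <property><name>user</name><value>MAR20SSL_OCS</value></property>
      <property><name>javax.net.ssl.trustStore</name><value>/mw_home/wlserver_10.3/server/lib/DemoTrust.jks</value></property>
      <property><name>oracle.net.CONNECT_TIMEOUT</name><value>10000</value></property>
      <property><name>javax.net.ssl.trustStoreType</name><value>JKS</value></property>
      <property><name>sendStreamAsBlob</name><value>true</value></property>
    </properties>
  </jdbc-driver-params>
</jdbc-data-source>
"""

# Non-SSL URL for step 2; the listener port 1521 is an assumption.
NON_SSL_URL = "jdbc:oracle:thin:@myhost.example.com:1521:db11107"


def _q(tag):
    """Namespace-qualify a jdbc-data-source element name."""
    return "{%s}%s" % (NS, tag)


def _params_and_props(root):
    """Return the jdbc-driver-params element and its properties child."""
    params = root.find(_q("jdbc-driver-params"))
    if params is None:
        raise ValueError("module has no jdbc-driver-params element")
    props = params.find(_q("properties"))
    if props is None:  # create it in schema order, right after driver-name
        props = ET.Element(_q("properties"))
        anchor = params.find(_q("driver-name"))
        idx = list(params).index(anchor) + 1 if anchor is not None else len(params)
        params.insert(idx, props)
    return params, props


def ssl_property_names(xml_text):
    """Sorted names of the javax.net.ssl.* properties in the module."""
    _, props = _params_and_props(ET.fromstring(xml_text))
    names = [p.findtext(_q("name")) for p in props.findall(_q("property"))]
    return sorted(n for n in names if n.startswith(SSL_PROPERTY_PREFIX))


def backup_and_strip_ssl(xml_text, non_ssl_url):
    """Steps 1 and 2: return (backup, non_ssl_xml).

    backup holds the SSL URL and every SSL property (including the trust
    store passphrase, so store it with the same protection as the domain
    config); non_ssl_xml has the plain URL and no SSL properties, while
    user, oracle.net.CONNECT_TIMEOUT and sendStreamAsBlob remain.
    """
    root = ET.fromstring(xml_text)
    params, props = _params_and_props(root)
    url = params.find(_q("url"))
    backup = {"url": url.text, "ssl_properties": {}}
    for prop in list(props.findall(_q("property"))):
        name = prop.findtext(_q("name"))
        if name.startswith(SSL_PROPERTY_PREFIX):
            backup["ssl_properties"][name] = prop.findtext(_q("value"))
            props.remove(prop)
    url.text = non_ssl_url
    return backup, ET.tostring(root, encoding="unicode")


def restore_ssl(xml_text, backup):
    """Step 4: put the backed-up URL and SSL properties back."""
    root = ET.fromstring(xml_text)
    params, props = _params_and_props(root)
    params.find(_q("url")).text = backup["url"]
    present = {p.findtext(_q("name")) for p in props.findall(_q("property"))}
    for name, value in backup["ssl_properties"].items():
        if name not in present:
            prop = ET.SubElement(props, _q("property"))
            ET.SubElement(prop, _q("name")).text = name
            ET.SubElement(prop, _q("value")).text = value
    return ET.tostring(root, encoding="unicode")
```

Run backup_and_strip_ssl on each SSL data source module before starting the Configuration Wizard and restore_ssl on the same file afterwards; a product added in step 3 that brings its own data source still needs its SSL settings added by hand, as step 5 says.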

3.5 Increasing the Java VM Heap Size for Managed Servers

You need to increase the size of the heap allocated for the Java Virtual Machine (VM) on which each Managed Server runs to at least 1 GB (1024 MB). If you do not increase the Java VM heap size, then Oracle support and development will not accept any escalation of runtime issues, especially out-of-memory issues.

For a Managed Server using the Sun JDK, you need to set the size of the heap allocated for the Java VM to 512 MB rather than 1 GB so that programs configured to use all available space will not fail at initialization. Address space must be reserved for permanent objects, and the MaxPermSize setting for each Managed Server reduces the space available for the rest of the heap.

There are two common ways to adjust the runtime memory parameters for a Managed Server:

3.5.1 Setting Server Startup Parameters for Managed Servers with the Administration Console

You can set server startup parameters with the Oracle WebLogic Server Administration Console. This is the preferred approach for setting startup parameters because it ensures that the parameters are correctly pushed to each server, and it avoids problems that might occur during manual editing of server startup scripts. To increase the Java VM heap size, you set the value of the -Xmx parameter.

To set server startup parameters for Managed Servers with the Administration Console:

  1. Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 9.1, "Starting the Administration Server."

  2. Log in to the Oracle WebLogic Server Administration Console at this URL:

    http://adminServerHost:adminServerPort/console
    

    For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

    http://myhost.example.com:7001/console
    

    To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.

  3. Click Environment under Domain Structure, on the left.

  4. Click Servers on the Summary of Environment page.

  5. Set the memory parameters for each Managed Server:

    1. Click the name of a Managed Server in the Servers table.

    2. On the Configuration tab, in the second row of tabs, click Server Start.

    3. In the Arguments box, paste a string that specifies the memory parameters.

      Table 3-4 shows parameters to specify for Sun and JRockit Java VMs on UNIX and Windows operating systems. Other Java VMs may have different values.

      Table 3-4 Java VM Memory Parameters

      Java VM   Operating System   Parameters
      Sun       UNIX               -Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
      Sun       Windows            -Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
      JRockit   UNIX               -Xms256m -Xmx1024m -XnoOpt
      JRockit   Windows            -Xms256m -Xmx1024m -XnoOpt


    4. Save the configuration changes.

  6. Restart any running Managed Servers, as described in Section 9.3, "Restarting a Managed Server."

3.5.2 Setting the USER_MEM_ARGS Environment Variable for a Managed Server

You can set server startup parameters for a Managed Server by setting the USER_MEM_ARGS environment variable in its startup script or command file. To increase the Java VM heap size, you set the value of the -Xmx parameter.

To set the USER_MEM_ARGS Environment Variable for a Managed Server:

  • UNIX shell script (.sh) entry

    export USER_MEM_ARGS="-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m"
    
  • UNIX C shell script (.csh) entry

    setenv  USER_MEM_ARGS "-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m"
    
  • Windows command file (.cmd) entry

    set USER_MEM_ARGS=-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m
    

Note:

Table 3-4 shows parameters to specify for Sun and JRockit Java VMs on UNIX and Windows operating systems. Other Java VMs may have different values.
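A pre-flight check of the memory argument string (the Server Start arguments of Section 3.5.1 or the USER_MEM_ARGS value of Section 3.5.2) before a Managed Server is started, as an added example rather than Oracle's code. It applies the constraints this section states (an -Xmx of at least 1024 MB, -Xms no larger than -Xmx, PermSize no larger than MaxPermSize, HotSpot -XX: options not mixed with the JRockit -XnoOpt) and flags a value wrapped in literal double quotes, which a cmd.exe line of the form set X="..." produces and which the JVM then receives as one option.

```python
"""Pre-flight check of the Java VM memory arguments for a Managed Server
(Server Start arguments or USER_MEM_ARGS, Section 3.5). Added example,
not Oracle's code; the limits it enforces come from this section and
the argument strings from Table 3-4.
"""
import re

MIN_HEAP_MB = 1024                      # -Xmx must be at least 1 GB
HOTSPOT_ONLY = ("PermSize", "MaxPermSize", "CompileThreshold")
_SIZE = re.compile(r"^(\d+)([kKmMgG]?)$")

# The two argument strings from Table 3-4.
SUN_ARGS = ("-Xms256m -Xmx1024m -XX:CompileThreshold=8000 "
            "-XX:PermSize=128m -XX:MaxPermSize=512m")
JROCKIT_ARGS = "-Xms256m -Xmx1024m -XnoOpt"


def size_to_mb(text):
    """Convert a JVM size such as 1024m, 1g, 262144k or 1073741824 to MB."""
    m = _SIZE.match(text)
    if not m:
        raise ValueError("bad JVM size: %r" % text)
    n, unit = int(m.group(1)), m.group(2).lower()
    return {"g": n * 1024, "m": n, "k": n // 1024, "": n // (1024 * 1024)}[unit]


def parse_mem_args(arg_string):
    """Pick the heap, -XX: and JRockit options out of an argument string."""
    opts = {"xx": {}, "jrockit": False}
    for tok in arg_string.split():
        if tok.startswith("-Xms"):
            opts["Xms"] = size_to_mb(tok[4:])
        elif tok.startswith("-Xmx"):
            opts["Xmx"] = size_to_mb(tok[4:])
        elif tok.startswith("-XX:"):
            key, _, value = tok[4:].partition("=")
            opts["xx"][key] = value
        elif tok == "-XnoOpt":
            opts["jrockit"] = True
    return opts


def check_mem_args(arg_string):
    """Return the list of problems found; an empty list means the string
    satisfies the requirements of Section 3.5."""
    problems = []
    s = arg_string.strip()
    # A cmd.exe line  set USER_MEM_ARGS="..."  keeps the quotes in the
    # value, and the JVM then receives the whole string as a single option.
    if len(s) > 1 and s[0] == '"' and s[-1] == '"':
        problems.append("value is wrapped in literal double quotes")
        s = s[1:-1]
    o = parse_mem_args(s)
    if "Xmx" not in o:
        problems.append("-Xmx is not set")
    elif o["Xmx"] < MIN_HEAP_MB:
        problems.append("-Xmx is %d MB, below the required %d MB"
                        % (o["Xmx"], MIN_HEAP_MB))
    if "Xms" in o and "Xmx" in o and o["Xms"] > o["Xmx"]:
        problems.append("-Xms exceeds -Xmx")
    xx = o["xx"]
    if ("PermSize" in xx and "MaxPermSize" in xx
            and size_to_mb(xx["PermSize"]) > size_to_mb(xx["MaxPermSize"])):
        problems.append("PermSize exceeds MaxPermSize")
    if o["jrockit"] and any(k in xx for k in HOTSPOT_ONLY):
        problems.append("JRockit -XnoOpt mixed with HotSpot-only -XX: options")
    return problems
```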

3.6 Setting Up Fonts on a UNIX System

On a UNIX operating system, you need to make sure TrueType fonts are set up for Imaging, Inbound Refinery, and WebCenter Content Dynamic Converter. If you are using a language other than English, you also need to set up fonts for national language support.

3.6.1 Setting Up TrueType Fonts on a UNIX System

For Imaging and WebCenter Content Dynamic Converter to work correctly on a UNIX operating system, you need to set up TrueType fonts on the machine where Imaging, Inbound Refinery, or the Dynamic Converter is running. If these fonts are not available on your system, you need to install them. For information about configuring the path to the font directory for Imaging once the fonts are installed, see Section 6.1.5, "Configuring the GDFontPath MBean for a UNIX System."

Some standard font locations on different UNIX platforms follow:

  • Solaris SPARC: /usr/openwin/lib/X11/fonts/TrueType

    Note:

    For document conversions on a Solaris SPARC platform, Imaging requires the GNU Compiler Collection (GCC) package 3.4.2 or later in the /usr/local/packages directory.

    Install this package on the Solaris operating system that will run Imaging. You can download GCC from the Sunfreeware website at

    http://www.sunfreeware.com
    

    You also need to set the LD_LIBRARY_PATH environment variable to /usr/local/packages/gcc-3.4.2/lib before starting the Imaging Managed Server. If you are using a later version of GCC, set that version instead of 3.4.2.

  • AIX: /usr/lpp/X11/lib/X11/fonts/TrueType

  • HP-UX Itanium: /usr/lib/X11/fonts/TrueType

  • Linux: /usr/lib/X11/fonts/TrueType

3.6.2 Installing Fonts for National Language Support on a UNIX System

For languages other than English, the following installation steps need to be done on a UNIX operating system before you start a Managed Server:

  • Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Sun JDK installation directory for the Middleware home.

  • Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Oracle JRockit JDK directory for the Middleware home.

3.7 Installing Libraries and Setting Environment Variables for Outside In Technology

WebCenter Content, Inbound Refinery, Imaging, and the Imaging Advanced Viewer for clients use Outside In Technology (OIT), which requires certain libraries that are not part of Oracle WebCenter Content. Before a WebCenter Content, Inbound Refinery, or Imaging Managed Server is started, you need to install the libraries for your platform. For a UNIX platform, you also need to set an environment variable to reference the libraries in the library path for the user who will start the Managed Server.

3.7.1 Installing Libraries for Outside In Technology on UNIX Platforms

Before you start a WebCenter Content, Inbound Refinery, or Imaging Managed Server, the libraries required for your platform need to be available on your system.

Many of the required libraries are normally installed on the machine, including the C, math, X11, dynamic loader, and pthreads libraries, among others. The libgcc_s and libstdc++ libraries are part of the GNU Compiler Collection (GCC) package.

Of the libraries listed for each platform below, the libgcc_s and libstdc++ libraries come from the GCC package, version 3.4.2 or later.

Solaris SPARC 32-bit or 64-bit requires GCC package 3.4.2 or later, which you can download from the Sunfreeware website at

http://www.sunfreeware.com

HPUX Itanium requires GCC package 3.3.6, which you can download through the following website:

http://gcc.gnu.org

If a libgcc_s or libstdc++ library is required for your platform, install the GCC package in the /usr/local/packages/gcc-3.4.2/lib directory on a Solaris SPARC system or the /usr/local/packages/gcc-3.3.6/lib directory on an HPUX ia64 system, on the machine where Imaging or WebCenter Content will run. If you are using a later version of GCC, specify that version instead of 3.4.2 or 3.3.6.

OIT requires the following libraries for the specified UNIX platform. The libgcc_s and libstdc++ entries are the ones that come from the GCC package.

  • Solaris SPARC 32-bit or 64-bit

    /usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1 
    libICE.so.6 
    libSM.so.6 
    libX11.so.4 
    libXext.so.0 
    libXm.so.4 
    libXt.so.4 
    libc.so.1 
    libdl.so.1 
    libgcc_s.so.1 
    libgen.so.1 
    libm.so.1 
    libmp.so.2 
    libnsl.so.1 
    libpthread.so.1 
    libsocket.so.1 
    libstdc++.so.6 
    libthread.so.1 
    
  • HPUX ia64

    libCsup.so.1 
    libICE.so.1 
    libSM.so.1 
    libX11.so.1 
    libXext.so.1 
    libXm.so.1 
    libXp.so.1 
    libXt.so.1 
    libc.so.1 
    libdl.so.1 
    libgcc_s_hpux64.so.0 
    libm.so.1 
    libpthread.so.1 
    libstd_v2.so.1 
    libstdc++.so.5 
    libuca.so.1 
    libunwind.so.1
    
  • AIX 32-bit

    /usr/lib/libC.a(ansi_32.o) 
    /usr/lib/libC.a(shr.o) 
    /usr/lib/libC.a(shr2.o) 
    /usr/lib/libC.a(shr3.o) 
    /usr/lib/libICE.a(shr.o) 
    /usr/lib/libIM.a(shr.o) 
    /usr/lib/libSM.a(shr.o) 
    /usr/lib/libX11.a(shr4.o) 
    /usr/lib/libXext.a(shr.o) 
    /usr/lib/libXi.a(shr.o) 
    /usr/lib/libXm.a(shr_32.o) 
    /usr/lib/libXt.a(shr4.o) 
    /usr/lib/libc.a(shr.o) 
    /usr/lib/libcrypt.a(shr.o) 
    /usr/lib/libgaimisc.a(shr.o) 
    /usr/lib/libgair4.a(shr.o) 
    /usr/lib/libi18n.a(shr.o) 
    /usr/lib/libiconv.a(shr4.o) 
    /usr/lib/libodm.a(shr.o) 
    /usr/lib/libpthreads.a(shr.o) 
    /usr/lib/libpthreads.a(shr_comm.o) 
    /usr/lib/libpthreads.a(shr_xpg5.o) 
    /usr/lib/libpthreads_compat.a(shr.o) 
    
  • HPUX PA/RISC 32-bit

    /lib/libCsup.2 
    /lib/libCsup_v2.2 
    /lib/libX11.3 
    /lib/libXm.4 
    /lib/libXt.3 
    /lib/libc.2 
    /lib/libcl.2 
    /lib/libm.2 
    /lib/libstd.2 
    /lib/libstd_v2.2 
    /lib/libstream.2 
    /usr/lib/libCsup.2 
    /usr/lib/libCsup_v2.2 
    /usr/lib/libX11.3 
    /usr/lib/libXm.4 
    /usr/lib/libXt.3 
    /usr/lib/libc.2 
    /usr/lib/libcl.2 
    /usr/lib/libdld.2 
    /usr/lib/libisamstub.1 
    /usr/lib/libm.2 
    /usr/lib/libstd.2 
    /usr/lib/libstd_v2.2 
    /usr/lib/libstream.2 
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libICE.2
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libSM.2
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libX11.3
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXext.3
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXp.2
    /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXt.3
    
  • SUSE Linux

    For a SUSE Linux operating system, the file /usr/lib/libstdc++.so.5 is required. You can find this file in the compat-libstdc++ or libstdc++33 package.

  • Linux variants

    For Linux variants, the file /lib/libz.so.1 is required.

3.7.2 Setting Library Paths in Environment Variables on UNIX Platforms

Before Inbound Refinery or the WebCenter Content Dynamic Converter uses Outside In Technology for document and image conversions, the following environment variables must be set for the WebCenter Content Managed Server on the specified UNIX platforms:

  • Environment variables for library paths for Imaging

    • Solaris SPARC:

      LD_LIBRARY_PATH=/usr/local/packages/gcc-3.4.2/lib:"$LD_LIBRARY_PATH"
      

      If you are using a later version of GCC, specify that version instead of 3.4.2.

    • AIX:

      LIBPATH=DomainHome/oracle/imaging/imaging-server
      
    • HP-UX Itanium:

      LD_PRELOAD=/usr/lib/hpux64/libpthread.so.1
      LD_LIBRARY_PATH=DomainHome/oracle/imaging/imaging-server:"$LD_LIBRARY_PATH"
      
  • Environment variables for library paths for WebCenter Content with Dynamic Converter and Inbound Refinery

    • Solaris SPARC:

      LD_LIBRARY_PATH=/usr/local/packages/gcc-3.4.2/lib:"$LD_LIBRARY_PATH"
      

      If you are using a later version of GCC, specify that version instead of 3.4.2.

      Add the following line to the Inbound Refinery intradoc.cfg file at DomainHome/ucm/ibr/bin:

      ContentAccessExtraLibDir=/usr/local/packages/gcc-3.4.2/lib
      

      Then restart Inbound Refinery, as described in Section 9.3, "Restarting a Managed Server."

    • HP-UX Itanium:

      export LD_LIBRARY_PATH=/opt/hp-gcc/3.3.6/lib/:/opt/hp-gcc/3.3.6/lib/hpux64:"$LD_LIBRARY_PATH"
      

      The Dynamic Converter on HP-UX Itanium needs the 3.3.6 version of the GCC libraries installed before the WebCenter Content server is started.

  • DISPLAY environment variable

    On a UNIX operating system running XWindows, when redirecting the display to a system with suitable graphic capabilities, export DISPLAY to a valid X Server before starting the Imaging or Inbound Refinery Managed Server or the WebCenter Content Dynamic Converter.

3.7.3 Downloading Visual C++ Libraries for a Windows Operating System

Outside In Technology requires the Visual C++ libraries included in the Visual C++ Redistributable Package for a Windows operating system. Three versions of this package (x86, x64, and IA64) are available from the Microsoft Download Center at

http://www.microsoft.com/downloads

Search for and download the version of the package that corresponds to the version of your Windows operating system:

  • vcredist_x86.exe

  • vcredist_x64.exe

  • vcredist_IA64.exe

The required version of each of these downloads is the Microsoft Visual C++ 2005 SP1 Redistributable Package. The redistributable module that Outside In requires is msvcr80.dll.

The WinNativeConverter has some VB.NET code, so it also requires Microsoft .NET Framework 3.5 Service Pack 1.

3.8 Configuring SSL for Oracle WebCenter Content Applications

You can configure Single Sign-On SSL for Oracle WebCenter Content applications running in a production or development environment.

Note:

If SSL is enabled, before you use WLST to connect to the Administration Server, you must either append the following parameters to the JVM_ARGS section of the wlst.sh file or set them in the CONFIG_JVM_ARGS environment variable:

-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.TrustKeyStore=KeyStoreName

KeyStoreName is the name of the keystore in use (DemoTrust for the built-in demonstration certificate). The wlst.sh file is in the bin subdirectory of the common directory in the WebCenter Content Oracle home directory.

3.8.1 Configuring SSL for a Production Environment

Oracle IRM requires SSL to be enabled on the front-end application, whether it is Oracle HTTP Server (OHS) or a Managed Server running Oracle IRM as an application deployed to Oracle WebLogic Server. Communication between Rights Desktop and the Oracle IRM server application must be over SSL because sensitive information such as passwords is communicated.

Other uses of SSL, such as between OHS and Managed Servers, the Administration Server, and the LDAP authentication provider are optional.

For information about configuring SSL for a production environment, see "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.

3.8.2 Configuring SSL for a Development Environment

For a development environment, you can also configure one-way SSL with a server-specific certificate. One-way SSL means that only the server certificate passes from the server to the client but not the other way around. After you configure one-way SSL for a development environment on the server, you have to configure every client to accept the server certificate.

3.8.2.1 Configuring One-Way SSL for a Development Environment

For a development environment, you might want to configure SSL, but it is not required. The application will work correctly without SSL configuration, but if you are using basic authentication or form-based authentication, credentials will be transferred from the client to the server unencrypted.

You can configure one-way SSL with a server certificate for the Managed Server so that the client application can be configured to trust the certificate.

In the following procedure, the keystore commands relate only to SSL and not to Oracle IRM encryption keys.

To configure one-way SSL for a development environment:

  1. Run the setWLSEnv script to set the environment:

    • UNIX script:
      MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh

    • Windows script:
      MW_HOME\wlserver_10.3\server\bin\setWLSEnv.cmd

    For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME/wlserver_10.3/server/lib or MW_HOME\wlserver_10.3\server\lib directory.

  2. Use the CertGen utility to create a server-specific private key and certificate, as follows (in a single command line):

    java utils.CertGen -selfsigned 
                       -certfile MyOwnSelfCA.cer
                       -keyfile MyOwnSelfKey.key 
                       -keyfilepass mykeypass
                       -cn "hostname"
                       -keyusagecritical false
                       -keyusage digitalSignature,keyEncipherment,keyCertSign
    

    The last two lines are not needed for pure certificate use, but are needed if the certificate is also to be used for Java applications using Oracle Web Services over SSL.

    For mykeypass, substitute a password for the key, and for hostname, substitute the name of the machine that hosts the Managed Server to which the application is deployed. You should use the same name while accessing Oracle Web Services. For example, to generate the server certificate for a machine named myhost.us.example.com, the command would be as follows (in a single command line):

    java utils.CertGen -selfsigned 
                       -certfile MyOwnSelfCA.cer
                       -keyfile MyOwnSelfKey.key 
                       -keyfilepass mykeypass
                       -cn "myhost.us.example.com"
                       -keyusagecritical false
                       -keyusage digitalSignature,keyEncipherment,keyCertSign
    

    This command will generate a server certificate for the machine myhost.us.example.com.

    The parameter -cn "machine-name" must be set to the fully qualified domain name of the Managed Server to which the application is deployed. Oracle IRM will use this name to connect to the machine. Verify that the certificate has been issued to the machine name you specified.

    CertGen creates a unique and secret Private Key and a Self-Signed Root Certificate.

  3. Run the ImportPrivateKey utility to package the Private Key and Self-Signed Root Certificate into a key store, as follows (in a single command line):

    java utils.ImportPrivateKey 
                       -keystore MyOwnIdentityStore.jks
                       -storepass identitypass
                       -keypass keypassword
                       -alias trustself
                       -certfile MyOwnSelfCA.cer.pem
                       -keyfile MyOwnSelfKey.key.pem
                       -keyfilepass mykeypass
    

    Substitute an identity store password for identitypass, a key password for keypassword, and a key-file password for mykeypass.

  4. Run the keytool utility to import the certificate into a separate key store, the trust keystore.

    In the following keytool commands (each a single command line), JAVA_HOME represents the location of the JDK. For information about the JAVA_HOME environment variable, see Section 2.3, "Installing an Application Server and Oracle Fusion Middleware."

    • UNIX operating system

      JAVA_HOME/bin/keytool -import -trustcacerts -alias trustself 
              -keystore TrustMyOwnSelf.jks 
              -file MyOwnSelfCA.cer.der -keyalg RSA
      
    • Windows operating system

      JAVA_HOME\bin\keytool -import -trustcacerts -alias trustself 
              -keystore TrustMyOwnSelf.jks 
              -file MyOwnSelfCA.cer.der -keyalg RSA
      
  5. Click Next.

    On a Windows operating system, follow the instructions on the wizard screens.

  6. Set Up a Custom Identity Keystore and Trust Store:

    1. Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 9.1, "Starting the Administration Server."

    2. Log in to the Oracle WebLogic Server Administration Console, at this URL:

      http://adminServerHost:adminServerPort/console
      

      For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

      http://myHost.example.com:7001/console
      

      To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.

    3. Select Environment under your domain from Domain Structure.

    4. Select Servers from Environment.

    5. From Summary of Servers, select the server for which to enable SSL.

    6. Click the Keystores tab on the Settings for servername page.

    7. In the Keystores field, select Custom Identity and Custom Trust.

      If the server is in production mode, you need to click the Lock & Edit button before you can make changes.

    8. Enter values in the following fields on the Keystores tab:

      Custom Identity Keystore

      Custom Identity Keystore Type

      Custom Identity Keystore Passphrase

      Confirm Custom Identity Keystore Passphrase

      Custom Trust Keystore

      Custom Trust Keystore Type

      Custom Trust Keystore Passphrase

      Confirm Custom Trust Keystore Passphrase

    9. Save the changes.

    10. Click the SSL tab.

    11. In the Identity and Trust Locations field, select Keystores.

    12. Enter values in the other fields on the SSL tab:

      Private key alias

      Private key passphrase

      Confirm Private key passphrase

    13. Save the changes.

      If the server is running in development mode, then the changes need to be activated.

3.8.2.2 Configuring Clients to Accept the Server Certificate

After you create a server certificate to configure one-way SSL, you must install it on every machine running the client application. Then you can import the certificate into the client application so that it will trust the certificate and not show prompts when it connects to the Managed Server.

To configure clients to accept the server certificate:

  1. On the client machine, double-click the certificate file to open the Certificate window, and then click Install Certificate to start the Certificate Import Wizard.

    For a Windows operating system, the certificate file needs to be copied to the client machine that accesses this server through a browser.

    For a UNIX operating system that is accessing a website over SSL rather than using the client application on the machine, follow the procedure required for your operating system to trust the certificate.

  2. In the Certificate Import Wizard, explicitly select a certificate store for Trusted Root Certification Authorities. The root certificate must be trusted on all client computers that will access the server.

    On a Windows operating system, install the certificate under Trusted Root Certification Authorities in Internet Explorer.

3.9 Reassociating the Identity Store with an External LDAP Authentication Provider

In a production system, Oracle WebCenter Content applications need to use an external Lightweight Directory Access Protocol (LDAP) authentication provider rather than the Oracle WebLogic Server embedded LDAP server, which is part of the default configuration. You need to reassociate the identity store for your application with one of the following external LDAP authentication providers before you complete the configuration of a Managed Server, before you connect a Managed Server to a repository, and before the first user logs in to the application:

  • Oracle Internet Directory

  • Oracle Virtual Directory

  • Third-party LDAP server

For an Imaging application, the user who logs in first to an Imaging Managed Server is provisioned with full security throughout the server. It is easier to reassociate the identity store for Imaging with an external LDAP authentication provider before the first user logs in, completes the configuration of the Imaging Managed Server, and connects it to the Oracle WebCenter Content repository.

For an AXF for BPM application, before you can access the AXF Solution Administration page, you need to set up an axfadmin group in the external LDAP authentication provider and assign the AXF users you want to the group.

For an Oracle IRM application, the Oracle IRM domain gets created the first time a user logs in to the Oracle IRM Management Console. An Oracle IRM domain is different from an Oracle WebLogic Server domain. The first user who logs in to the console is made the domain administrator for the Oracle IRM domain. Before you migrate user data for Oracle IRM, the users need to be in the target LDAP identity store. If you do not reassociate the identity store with an external LDAP authentication provider before the first user logs in to the Oracle IRM console, the general process for reassociating Oracle IRM users and migrating data follows:

  1. Back up existing data with the setIRMExportFolder script.

  2. Reassociate the identity store with an external LDAP directory.

  3. Verify that all users and groups exist in the target LDAP identity store.

  4. Migrate data with the setIRMImportFolder script.

3.9.1 Reassociating the Identity Store with Oracle Internet Directory

You can reassociate the identity store for an Oracle WebLogic Server domain with Oracle Internet Directory and migrate users from the embedded LDAP directory to Oracle Internet Directory. The following procedure describes how to reassociate the identity store with Oracle Internet Directory.

You can use a similar procedure to reassociate the identity store with other LDAP authentication providers. Each provider has a specific authenticator type, and only that type should be configured. Table 3-5 lists the available authenticator types.

Table 3-5 LDAP Authenticator Types

LDAP Authentication Provider                  Authenticator Type
Microsoft AD                                  ActiveDirectoryAuthenticator
SunOne LDAP                                   IPlanetAuthenticator
Directory Server Enterprise Edition (DSEE)    IPlanetAuthenticator
Oracle Internet Directory                     OracleInternetDirectoryAuthenticator
Oracle Virtual Directory                      OracleVirtualDirectoryAuthenticator
EDIRECTORY                                    NovellAuthenticator
OpenLDAP                                      OpenLDAPAuthenticator
EmbeddedLDAP                                  DefaultAuthenticator


To reassociate the identity store with Oracle Internet Directory:

  1. Ensure that there is no user in Oracle Internet Directory with the same name as the administrator of the Oracle WebLogic Server domain, which is weblogic by default.

  2. Set both embedded and external LDAP providers to SUFFICIENT.

  3. For Oracle IRM, log in to the management console as a user from Oracle Internet Directory, to be the Oracle IRM domain administrator.

    Do not log in to the management console with the user name of the Oracle WebLogic Server domain administrator. The Oracle recommendation is to not use the weblogic user account as the Oracle IRM administration user account. If you use a different account for the Oracle IRM domain administrator, you can use the Oracle WebLogic Server domain administrator, weblogic by default, to start and stop Oracle WebLogic Server as well as to alter server settings. If you have a problem with Oracle Internet Directory, you will not need to fix it before you can do maintenance on Oracle WebLogic Server.

  4. For an Oracle IRM Managed Server, if a user has already logged into the Oracle IRM Management Console, you need to run the WebLogic Scripting Tool (WLST) setIRMExportFolder command before identity store reassociation.

    Use this command to set an export folder for exporting the user and group details referenced by Oracle IRM, which uses the export folder path to decide where to write out the user and group details. The Oracle IRM Managed Server must have write access to the folder path. The export folder must exist before you run the setIRMExportFolder command.

    The following example sets /scratch/irm-data as the export folder:

    cd WCC_ORACLE_HOME/common/bin 
    ./wlst.sh 
    > connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
    > setIRMExportFolder('/scratch/irm-data')
    

    In the example, adminServerHost is the host name and adminServerPort is the port number for the Administration Server of the Oracle WebLogic Server domain.

    Note:

    If SSL is enabled, before you use WLST to connect to the Administration Server, you must either append the following parameters to the JVM_ARGS section of the wlst.sh file or set them in the CONFIG_JVM_ARGS environment variable:

    -Dweblogic.security.SSL.ignoreHostnameVerification=true
    -Dweblogic.security.TrustKeyStore=KeyStoreName
    

    KeyStoreName is the name of the keystore in use (DemoTrust for the built-in demonstration certificate). The wlst.sh file is in the bin subdirectory of the common directory in the WebCenter Content Oracle home directory.

    After the Oracle IRM Managed Server picks up this configuration change, normally right away, it will write out a series of XML documents in the export folder. This process is complete when a folder named accounts appears under the export folder. The accounts folder will contain one or more folders named batchXXX, with each batch folder containing a set of XML documents that include the user and group details. For example:

    /scratch
       /irm-data
           /accounts
               /batch1
                   user1.xml
                   user2.xml
                   group1.xml
    

    The batch folders are used to ensure that the operating system limit of the maximum number of files in a folder is not exceeded.

    After this process is complete, reset the export folder:

    setIRMExportFolder('')
    

    This reset ensures that Oracle IRM does not perform any further data exporting when the Managed Server restarts.

  5. Configure the Oracle Internet Directory authentication provider:

    1. Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 9.1, "Starting the Administration Server."

    2. Log in to the Oracle WebLogic Server Administration Console as the domain Administration user, at this URL:

      http://adminServerHost:adminServerPort/console
      

      For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

      http://myHost.example.com:7001/console
      

      To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.

    3. Under Domain Structure on the left, select Security Realms.

    4. In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.

    5. Click the Providers tab, and then click New under the Authentication Providers table on the Authentication tab.

    6. In the Create a new Authentication Provider dialog box, enter a provider name in the Name field, change the type to OracleInternetDirectoryAuthenticator, and then click OK.

      For a list of authenticator types for different LDAP Authentication Providers, see Table 3-5.

    7. In the Authentication Providers table, click Reorder, move the provider you just created to the top of the list, and then click OK.

    8. Click DefaultAuthenticator, change the Control Flag value to OPTIONAL, and then click Save.

    9. Click Providers in the breadcrumb trail along the top of the page to navigate back to the Providers tab.

    10. Click the name of the authentication provider you just created to navigate to the Configuration tab for the provider.

      The Configuration tab has two tabs, Common and Provider Specific. On the Common tab, change the Control Flag value to SUFFICIENT, and then click Save.

      SUFFICIENT means that if a user can be authenticated against Oracle Internet Directory, no further authentication is processed.

      REQUIRED means that the authentication provider must succeed even if another provider already authenticated the user. If the embedded LDAP has been set to OPTIONAL and Oracle Internet Directory has been set to REQUIRED, the embedded LDAP user is no longer valid.

    11. Click the Provider Specific tab.

      Set Provider Specific values in the following fields, and leave default values in the other fields:

      • Host: The host name or IP address of the LDAP server.

      • Port: The Oracle Internet Directory Port, 389 by default.

      • Principal: The Distinguished Name (DN) of the LDAP user that Oracle WebLogic Server should use to connect to the LDAP server; for example:

        cn=orcladmin
        
      • Credential: The credential used to connect to the LDAP server (usually a password).

      • Confirm Credential: The same value as for the Credential field.

      • User Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains users; for example:

        cn=users,dc=example,dc=com
        

        In Oracle Internet Directory, this is the value of the User Search Base attribute, which you can look up in the OIDDAS administration dialog.

        Note:

        Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by the application.

      • Use Retrieved User Name as Principal: Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal value.

        Select this attribute for Oracle IRM.

      • Group Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains groups; for example:

        cn=groups,dc=example,dc=com
        

        In Oracle Internet Directory, this is the value of the Group Search Base attribute, which you can look up in the OIDDAS administration dialog.

        Note:

        Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by the application.

      • Propagate Cause For Login Exception: Propagates exceptions thrown by Oracle Internet Directory, like password expired exceptions, to Oracle WebLogic Server so they show in the console and the logs.

        For Oracle IRM, select this attribute in the General area of the tab.

    12. Click Save.

  6. Restart the Administration Server, as described in Section 9.3, "Restarting a Managed Server."

    Note:

    Authentication providers in an Oracle WebLogic Server domain are chained. This means that user authentication needs to run successfully through all authentication providers. With the Control Flag value set to OPTIONAL for the default provider, it is allowed to fail without a server startup or user authentication failure.

  7. After the server is up again, log in to the Administration Console again, and click Security Realms under Domain Structure.

  8. In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.

  9. Click the Users and Groups tab to see a list of users contained in the configured authentication providers, on the Users subtab, and then click the Groups subtab to see a list of groups.

    You should see user names from the Oracle Internet Directory configuration, which implicitly verifies that the configuration is working.

  10. Check that you have switched the security provider successfully, with either or both of these basic tests:

    • After the creation of the new security provider is complete, verify that all the users in that security provider are listed in that same user-group presentation as the list from Step 3.

    • If your Managed Servers are already running and configured, access the Managed Server URL, and log in as any of the Oracle Internet Directory users.

      For information about accessing a Managed Server, see Section 9.2, "Starting Managed Servers."

  11. For an Oracle IRM Managed Server, if a user has already logged into the Oracle IRM Management Console, you need to run the setIRMImportFolder WLST command after identity store reassociation. Use this command to set the import folder to point to the export folder that was set before identity store reassociation.

    Note:

    You should take a backup of the export folder before performing the import process because the import process deletes the contents of the folder during successful processing of the user and group details.

    This operation should be performed with only one Managed Server running a deployed Oracle IRM application, to ensure that only one Managed Server performs the user and group processing. After the import process is complete, all Managed Servers running the Oracle IRM application can be started.

    The following example sets /scratch/irm-data as the import folder:

    cd WCC_ORACLE_HOME/common/bin 
    ./wlst.sh 
    > connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
    > setIRMImportFolder('/scratch/irm-data')
    

    After the Oracle IRM Managed Server picks up this configuration change, it will read the contents of the folder and update the global user ID (GUID) values in the Oracle IRM system to reflect the values in the new identity store. When a user or group has been processed, the import process deletes the corresponding XML file. After the import process is complete, the import folder will be empty:

    /scratch
       /irm-data
    

    If an error occurs during the processing of a user or group, the import process writes the error to a file that matches the user or group name. For example, if the user details in user1.xml cause an error during processing, the import process writes the error details to the file user1.xml.fail:

    /scratch
       /irm-data
           /accounts
               /batch1
                   user1.xml
                   user1.xml.fail
    

    If you can fix the error, then rerun the setIRMImportFolder WLST command to rerun the import process. For example, if user or group processing fails because the user or group does not exist in the new identity store, adding the user or group to Oracle Internet Directory will fix the error, and you can rerun the import process:

    > connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
    > setIRMImportFolder('/scratch/irm-data')
    

    After this process is complete, reset the import folder:

    setIRMImportFolder('')
    

    This reset ensures that Oracle IRM does not perform any further data importing when the Managed Server restarts.
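Steps 5 through 8 of this procedure can also be carried out from WLST rather than the Administration Console. The following WLST (Jython) script is an added example and is not part of the Oracle guide or the product; it assumes the provider name OIDAuthenticator, the Oracle Internet Directory host oid.example.com, placeholder values for the Administration Server URL and the bind credential, and the base DNs shown in step 11. The Administration Server still has to be restarted afterwards, as in step 6.

```wlst
# Added example (not Oracle's code): create the Oracle Internet Directory
# authenticator, set the control flags, and move it to the top of the chain.
import jarray
from weblogic.management.security.authentication import AuthenticationProviderMBean

ADMIN_URL = 't3://adminServerHost:adminServerPort'   # placeholder, assumed
connect('weblogic', 'password', ADMIN_URL)
edit()
startEdit()

realm = cmo.getSecurityConfiguration().getDefaultRealm()   # myrealm

# Step 6: create the provider with the authenticator type from Table 3-5.
oid = realm.createAuthenticationProvider(
    'OIDAuthenticator',
    'weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator')

# Step 10 (Common tab): a successful OID login needs no further provider.
oid.setControlFlag('SUFFICIENT')

# Step 11 (Provider Specific tab); host and credential are assumed values.
oid.setHost('oid.example.com')
oid.setPort(389)
oid.setPrincipal('cn=orcladmin')
oid.setCredential('oid-bind-password')   # placeholder, assumed
oid.setUserBaseDN('cn=users,dc=example,dc=com')
oid.setGroupBaseDN('cn=groups,dc=example,dc=com')
oid.setUseRetrievedUserNameAsPrincipal(true)    # required for Oracle IRM
oid.setPropagateCauseForLoginException(true)    # required for Oracle IRM

# Step 8: the embedded LDAP provider may fail without failing the login.
realm.lookupAuthenticationProvider('DefaultAuthenticator').setControlFlag('OPTIONAL')

# Step 7: reorder so the new provider is consulted first.
others = [p for p in realm.getAuthenticationProviders() if p.getName() != 'OIDAuthenticator']
realm.setAuthenticationProviders(jarray.array([oid] + others, AuthenticationProviderMBean))

save()
activate()
disconnect()
```

Run it with WCC_ORACLE_HOME/common/bin/wlst.sh script.py against the Administration Server; if SSL is enabled, the same JVM_ARGS settings described in step 4 apply.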

Note:

When reassociating an LDAP identity store, the Oracle IRM process for exporting user and group information has an issue if user and group names are identical. If a user and group have identical names, the export process will lose either the user or the group details during the export step. This is because the user or group name is used as the file name, so one file overwrites the other. A postreassociation workaround is to check user and group right assignments, and to manually reassign any that are missing.
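The folder states described in steps 4 and 11 above (an accounts folder with batch folders after the export, an empty folder after a successful import, and NAME.xml.fail files where a user or group could not be processed) can be checked with a small script rather than by eye. The following Python example is added here and is not part of the Oracle guide; the sample folder tree it inspects is constructed in a temporary directory, and the error text inside the .fail file is a constructed placeholder.

```python
"""Inspect an Oracle IRM export/import folder (steps 4 and 11 of the procedure above).

Added example, not part of the Oracle guide. The export is complete when an
accounts folder holding batchNNN folders of XML files exists; the import is
complete when the folder is empty, and a NAME.xml.fail file beside a user or
group file records an import error. The sample tree is constructed in a
temporary directory.
"""
import os
import tempfile


def _rel(path, base):
    """Path relative to the export folder, with forward slashes on every platform."""
    return os.path.relpath(path, base).replace(os.sep, "/")


def export_complete(folder):
    """True when accounts/batch*/ contains at least one XML file."""
    accounts = os.path.join(folder, "accounts")
    if not os.path.isdir(accounts):
        return False
    for batch in os.listdir(accounts):
        batch_dir = os.path.join(accounts, batch)
        if batch.startswith("batch") and os.path.isdir(batch_dir):
            if any(f.endswith(".xml") for f in os.listdir(batch_dir)):
                return True
    return False


def import_status(folder):
    """Summarise an import folder: unprocessed XML files and recorded failures."""
    pending, failed = [], []
    for root, _dirs, files in os.walk(folder):
        fail_files = {f for f in files if f.endswith(".xml.fail")}
        for name in sorted(files):
            full = os.path.join(root, name)
            if name in fail_files:
                with open(full) as fh:
                    failed.append((_rel(full[: -len(".fail")], folder), fh.read().strip()))
            elif name.endswith(".xml") and name + ".fail" not in fail_files:
                pending.append(_rel(full, folder))
    return {"done": not pending and not failed, "pending": pending, "failed": failed}


def build_sample_tree():
    """Constructed export folder shaped like the guide's example, with one failed user."""
    base = tempfile.mkdtemp(prefix="irm-data-")
    batch = os.path.join(base, "accounts", "batch1")
    os.makedirs(batch)
    for name in ("user1.xml", "user2.xml", "group1.xml"):
        with open(os.path.join(batch, name), "w") as fh:
            fh.write("<account/>")                        # constructed placeholder content
    with open(os.path.join(batch, "user1.xml.fail"), "w") as fh:
        fh.write("user not found in new identity store")  # constructed error text
    return base


def new_empty_folder():
    """An empty folder, the state the guide describes after a successful import."""
    return tempfile.mkdtemp(prefix="irm-data-")


if __name__ == "__main__":
    base = build_sample_tree()
    print("export complete:", export_complete(base))
    print("import status:", import_status(base))
    print("after successful import:", import_status(new_empty_folder()))
```

Point import_status at the real export folder before resetting it with setIRMImportFolder(''): a non-empty pending list means the Managed Server has not finished, and each failed entry names the XML file whose user or group must be added to Oracle Internet Directory before the import is rerun.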

After the reassociation of the identity store, users in Oracle Internet Directory have the same rights that their namesakes had in the Oracle WebLogic Server embedded LDAP server before the migration of user data. For example, if a user existed in the embedded LDAP server before the migration with the user name weblogic and an Oracle IRM role of Domain Administrator, then, after migration, the user in Oracle Internet Directory with the user name weblogic would have the Oracle IRM role of Domain Administrator.
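The Control Flag values discussed in steps 5 and 6 (SUFFICIENT, REQUIRED, OPTIONAL) follow JAAS chaining rules, and the effect of a wrong choice only shows up when a user from one directory tries to log in. The following Python example is added here and is not part of the Oracle guide; it simulates the chain over two constructed user directories (Oracle Internet Directory first, the embedded LDAP second, as step 7 orders them) so the recommended flags, the both-SUFFICIENT setting from step 2, and the REQUIRED case from step 10 can be compared.

```python
"""Simulate the chained authentication providers of an Oracle WebLogic Server realm.

Added example, not part of the Oracle guide. It applies the JAAS control-flag
rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) to an ordered provider list
the way WebLogic evaluates its authentication providers, so the effect of the
flag choices in steps 5 and 6 can be seen on constructed user directories.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

# Constructed directories: user name -> password.
OID_USERS = {"alice": "alice-oid-pw", "orcladmin": "orcladmin-pw"}
EMBEDDED_USERS = {"weblogic": "weblogic-emb-pw", "bob": "bob-emb-pw"}


def authenticate(providers, user, password):
    """Evaluate an ordered chain of (name, control_flag, user_dict).

    Returns (success, names of providers that accepted the credentials).
    """
    required_failed = False
    accepted = []
    for name, flag, users in providers:
        ok = users.get(user) == password
        if ok:
            accepted.append(name)
        if flag in (REQUIRED, REQUISITE) and not ok:
            required_failed = True
            if flag == REQUISITE:          # REQUISITE stops the chain on failure
                break
        elif flag == SUFFICIENT and ok and not required_failed:
            break                          # SUFFICIENT stops the chain on success
    if required_failed:
        return False, accepted
    return bool(accepted), accepted


def chain(oid_flag, embedded_flag):
    """Provider order from step 7: Oracle Internet Directory first, embedded LDAP second."""
    return [("OIDAuthenticator", oid_flag, OID_USERS),
            ("DefaultAuthenticator", embedded_flag, EMBEDDED_USERS)]


def login_matrix(oid_flag, embedded_flag):
    """Which constructed users can still log in under a given pair of flags."""
    c = chain(oid_flag, embedded_flag)
    return {u: authenticate(c, u, pw)[0]
            for users in (OID_USERS, EMBEDDED_USERS) for u, pw in users.items()}


if __name__ == "__main__":
    print("guide (OID SUFFICIENT, embedded OPTIONAL):", login_matrix(SUFFICIENT, OPTIONAL))
    print("step 2 (both SUFFICIENT):                 ", login_matrix(SUFFICIENT, SUFFICIENT))
    print("OID REQUIRED, embedded OPTIONAL:          ", login_matrix(REQUIRED, OPTIONAL))
```

With the guide's flags the embedded weblogic account keeps working for server maintenance even though Oracle Internet Directory is consulted first; with Oracle Internet Directory set to REQUIRED, every embedded-only user is rejected, which is the situation step 10 warns about.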

3.9.2 Refreshing GUID Values in Imaging Security Tables

If you have already configured your Imaging Managed Server and you change the LDAP provider, the global user IDs (GUIDs) in the Imaging security tables will be invalid. Imaging caches the GUIDs from an external LDAP provider in its local security tables and uses these IDs for authentication. You can refresh the GUID values in the Imaging security tables with WLST commands or with Fusion Middleware Control.

Only users and groups that exist in both LDAP providers will have GUIDs refreshed. Imaging permissions assigned to users and groups from the previous LDAP are transferred to the matching users and groups in the new LDAP. Users or groups that match no user or group in the new LDAP provider are ignored by refreshIPMSecurity.

Note:

During the refresh, users or groups for whom matching identifying information is not found are ignored. As security changes are made, invalid users or groups are removed from the Imaging database.

3.9.2.1 Refreshing GUID values in Imaging Security Tables with WLST

If you want to refresh GUID values from a command line, you can use the Oracle WebLogic Scripting Tool (WLST).

To refresh GUID values in Imaging security tables with WLST:

  1. Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 9.1, "Starting the Administration Server."

  2. Log in to the Oracle WebLogic Server Administration Server.

  3. Navigate to the Oracle WebCenter Content home directory: MW_HOME/WCC_ORACLE_HOME.

  4. Invoke WLST:

    cd common/bin
    ./wlst.sh
    
  5. At the WLST command prompt, enter these commands:

    wls:/offline> connect() 
    Please enter your username :weblogic 
    Please enter your password : XXXXXXXXXXXXX 
    Please enter your server URL [t3://localhost:7001] 
     :t3://host_name:16000 
    Connecting to t3://host_name:16000 with userid weblogic ... 
    Successfully connected to Managed Server 'IPM_server1' that belongs to domain 
    'domainName'. 
     
    Warning: An insecure protocol was used to connect to the 
    server. To ensure on-the-wire security, the SSL port or 
    Admin port should be used instead. 
     
    wls:/domainName/serverConfig> listIPMConfig()   <This is just to check 
    that the connection is to the right Imaging server> 
     
    wls:/domainName/serverConfig> 
    refreshIPMSecurity()  <This is the command that will refresh the GUIDs in the 
    Security tables.> 
     
    wls:/domainName/serverConfig> exit() 
    
  6. Log in to Imaging to verify user and group security.

3.9.2.2 Refreshing GUID values in Imaging Security Tables with Fusion Middleware Control

If you want to refresh GUID values through an MBean, you can use the System MBean Browser in Fusion Middleware Control.

To refresh GUID values in Imaging security tables with Fusion Middleware Control:

  1. Log in to Fusion Middleware Control.

  2. In the navigation tree on the left, expand WebLogic Domain, then the Oracle WebCenter Content domain folder, then IPM_Cluster, and then the name of the Imaging server, such as IPM_server1.

  3. On the right, click the WebLogic Server drop-down menu, and choose System MBean Browser.

  4. In the System MBean Browser navigation tree, expand Application Defined MBeans, then oracle.imaging, then Server: IPM_server1, and then cmd, and click cmd.

  5. Click refreshIPMSecurity on the right.

  6. Press the Invoke button.

  7. Log in to Imaging to verify user and group security.

3.10 Adding Users to Oracle Internet Directory

You can add users to Oracle Internet Directory with Oracle Directory Services Manager, which is part of Oracle Identity Management. To add an entry to the directory with Oracle Directory Services Manager, you must have write access to the parent entry, and you must know the Distinguished Name (DN) to use for the new entry.

Note:

When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.

For information about adding a group entry, see "Managing Dynamic and Static Groups" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. For more information about entries, see "Managing Directory Entries" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

To add users to Oracle Internet Directory:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server.

  2. From the task selection bar, select Data Browser.

  3. On the toolbar, select the Create a new entry icon. Alternatively, right-click any entry and choose Create.

    The Create New Entry wizard starts.

  4. Specify the object classes for the new entry.

    To select object class entries, click the Add icon and use the Add Object Class dialog box. Optionally, use the search box to filter the list of object classes. To add the object class, select it, and then click OK. (All the superclasses from this object class through top are also added.)

    Note:

    You must assign user entries to the inetOrgPerson object class for the entries to appear in the Oracle Internet Directory Self-Service Console in Oracle Delegated Administration Services.

  5. In the Parent of the entry field, you can specify the full DN of the parent entry for the entry you are creating.

    You can also click Browse to locate and select the DN of the parent for the entry you want to add. If you leave the Parent of the entry field blank, the entry is created under the root entry.

  6. Click Next.

  7. Choose an attribute that will be the Relative Distinguished Name (RDN) value for this entry and enter a value for that attribute.

    You must enter values for attributes that are required for the object class you are using, even if none of them is the RDN value. For example, for object class inetorgperson, attributes cn (common name) and sn (surname or last name) are required, even if neither of them is the RDN value.

  8. Click Next.

    The wizard displays the next page. (Alternatively, you can click Back to return to the previous page.)

  9. Click Finish.

  10. To manage optional attributes, navigate to the entry you have just created in the Data Tree.

  11. If the entry is a person, click the Person tab and use it to manage basic user attributes.

    Click Apply to save your changes or Revert to discard them.

    If the entry is a group, see "Managing Dynamic and Static Groups" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for instructions.

  12. If this is a person entry, you can upload a photograph.

    To upload a photograph, click Browse, navigate to the photograph, then click Open.

    To update the photograph, click Update and follow the same procedure.

    To delete the photograph, click the Delete icon.

  13. Click Apply to save your changes or Revert to discard them.

3.11 Configuring Single Sign-On (SSO)

You can configure one of these single sign-on (SSO) solutions for an Oracle WebCenter Content product:

  • Oracle Access Manager 11g SSO

  • Oracle Access Manager 10g SSO

  • Oracle Single Sign-On (OSSO)

  • Windows Native Authentication (WNA)

Table 3-6 shows which SSO solutions you can use with which Oracle WebCenter Content applications. The sections that follow provide references to information about using SSO with these applications.

Table 3-6 Single Sign-On Solutions for Oracle WebCenter Content Applications

Application                              Oracle Access Manager 11g   Oracle Access Manager 10g   OSSO             WNA
WebCenter Content, with Content Server   Supported                   Supported                   Supported        Supported
Imaging                                  Supported                   Supported                   Supported        Supported
Oracle IRM Web Interface                 Supported                   Not supported               Supported        Supported
Rights Desktop                           Not supported               Supported (limited)         Not supported    Supported
Records                                  Supported                   Supported                   Supported        Supported


For an overview of Oracle WebLogic Server authentication providers, see "Configuring Authentication Providers" in the Oracle Fusion Middleware Securing Oracle WebLogic Server.

3.11.1 Configuring Oracle Access Manager Single Sign-On

Oracle Access Manager enables users to seamlessly gain access to web applications and other IT resources across your enterprise. Oracle IRM supports Basic authentication with Oracle Access Manager, which contains an authorization engine that grants or denies access to particular resources based on properties of the user requesting access as well as on the environment from which the request was made.

For information about configuring Oracle Access Manager single sign-on (SSO) for Oracle IRM, see Section 7.4, "Integrating Rights with Oracle Access Manager 11g." For information about configuring it for Imaging, see the Oracle WebCenter Content Administrator's Guide for Imaging. For information about configuring it for WebCenter Content, Inbound Refinery, or Records, see "Configuring WebCenter Content for Single Sign-On" in Oracle Fusion Middleware Administering Oracle WebCenter Content.

For more information, see "Deploying the Oracle Access Manager Solutions" in the Oracle Fusion Middleware Application Security Guide.

Table 3-7 shows where to get more information about configuring Oracle Access Manager 11g for Oracle WebCenter Content applications.

Table 3-8 shows where to get more information about configuring Oracle Access Manager 10g for Oracle WebCenter Content applications.

3.11.2 Configuring Oracle Single Sign-On

For an overview of Oracle Single Sign-On (OSSO), see "Introduction to Single Sign-On in Oracle Fusion Middleware" in the Oracle Fusion Middleware Application Security Guide.

Table 3-9 shows where to get more information about configuring OSSO for Oracle WebCenter Content applications.

3.11.3 Configuring Windows Native Authentication

For information about configuring Windows Native Authentication (WNA), see "Configuring Single Sign-On with Microsoft Clients" in the Oracle Fusion Middleware Securing Oracle WebLogic Server.

Table 3-10 shows where to get more information about configuring WNA for Oracle WebCenter Content applications.

3.12 Integrating Oracle Web Tier with WebCenter Content

Oracle recommends using Oracle Web Tier (Oracle HTTP Server) for Content Server integration with Site Studio, single sign-on (SSO), and clusters. You can install and configure Oracle Web Tier (OHS) 11g as an alternative to the Oracle WebLogic Server HTTP listener.

For information about installing and configuring Oracle Web Tier (OHS), see "Installing and Configuring the Oracle HTTP Server" in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.

3.13 Configuring Managed Server Clusters

For production environments that require increased application performance, throughput, or high availability, you can configure two or more Managed Servers to operate as a cluster. A cluster is a collection of multiple Oracle WebLogic Server instances running simultaneously and working together to provide increased scalability and reliability. In a cluster, most resources and services are deployed identically to each Managed Server (as opposed to a single Managed Server), enabling failover and load balancing.

A single domain can contain multiple Oracle WebLogic Server clusters, as well as multiple Managed Servers that are not configured as clusters. The key difference between clustered and nonclustered Managed Servers is support for failover and load balancing. These features are available only in a cluster of Managed Servers.

Note:

To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.

For an overview of clusters, see "Understanding WebLogic Server Clustering" in the Oracle Fusion Middleware Using Clusters for Oracle WebLogic Server.

If you select Managed Servers, Clusters, and Machines on the Select Optional Configuration screen, you will see the screens that Table 3-11 describes.

Table 3-11 Managed Servers, Clusters, and Machines Advanced Settings Screens

Screen: Description and Action Required

Configure Managed Servers
    Add new Managed Servers, or edit and delete existing Managed Servers.
    Click Next to continue.

Configure Clusters
    Create clusters if you are installing in a high availability environment. For more information, see the Oracle Fusion Middleware High Availability Guide.
    Click Next to continue.

Assign Servers to Clusters
    If you configured any clusters on the Configure Clusters screen
    Click Next to continue.

Create HTTP Proxy Applications
    If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster
    Click Next to continue.

Configure Machines
    Configure the machines that will host the Managed Servers in a cluster, and assign each Managed Server to a machine.
    Click Next to continue.

Target Deployments to Clusters or Servers
    Assign your Managed Servers to clusters or servers in your domain.
    Click Next to continue.

Target Services to Clusters or Servers
    Use this screen to target your services (such as JMS and JDBC) to servers or clusters so that your applications can use the services.
    Click Next to continue.


You can add a Managed Server to a cluster later, with the Oracle WebLogic Server Administration Console or Fusion Middleware Control. For more information, see "Scaling Your Environment" in the Oracle Fusion Middleware Administrator's Guide.

3.14 Setting Up Oracle Web Services Manager Security

To set up Oracle Web Services Manager (Oracle WSM) security policies for Oracle WebCenter Content, you need to do these tasks:

  1. Installing Oracle WebLogic Server and Oracle WebCenter Content

  2. Creating an Oracle WSM MDS Schema with the Repository Creation Utility

  3. Configuring Oracle WebCenter Content Applications and Oracle WSM Policy Manager in an Oracle WebLogic Server Domain

  4. Configuring the Server Socket Port and Incoming Socket Connection Address Security Filter for Oracle WSM

  5. Securing Web Services with a Key Store and Oracle WSM Policies

3.14.1 Installing Oracle WebLogic Server and Oracle WebCenter Content

Install Oracle WebLogic Server with the Typical option, which also installs Oracle Coherence and the Sun and JRockit JDKs. For information about how to install Oracle WebLogic Server, see Section 2.3, "Installing an Application Server and Oracle Fusion Middleware."

The installation of Oracle WebLogic Server creates an Oracle Fusion Middleware home, where you can install Oracle WebCenter Content, which creates a WebCenter Content Oracle home. Oracle WSM can be installed from Oracle WebCenter Content. The Middleware home includes an Oracle Common home, where the Oracle WSM files are installed. For information about how to install Oracle WebCenter Content, with the files necessary for deploying Oracle WebCenter Content applications, see Section 2.4, "Using the Installer for Oracle WebCenter Content."

3.14.2 Creating an Oracle WSM MDS Schema with the Repository Creation Utility

Make the following selection on the RCU Select Components screen to create the MDS schema, which you need for setting up Oracle WSM security:

Metadata Services under AS Common Schemas

The selection is for creating an Oracle WSM Policy Manager schema. This schema will provide a back-end repository for WebCenter Content, with Content Server and the Oracle WSM Policy Manager. If an MDS schema already exists in your database, you can reuse the schema.

For more information about creating the Oracle WSM MDS schemas with RCU, see Section 2.2, "Creating Oracle WebCenter Content Schemas with the Repository Creation Utility."

3.14.3 Configuring Oracle WebCenter Content Applications and Oracle WSM Policy Manager in an Oracle WebLogic Server Domain

To configure one or more Oracle WebCenter Content applications and Oracle WSM Policy Manager, you need to create or extend an Oracle WebLogic Server domain. For information about creating a domain to include Oracle WSM Policy Manager, see Section 3.2, "Creating an Oracle WebLogic Server Domain." For information about extending a domain with Oracle WSM Policy Manager, see Section 3.3, "Extending an Existing Domain."

3.14.4 Configuring the Server Socket Port and Incoming Socket Connection Address Security Filter for Oracle WSM

During post-installation configuration of a Managed Server, you can configure the Server Socket Port and Incoming Socket Connection Address Security Filter values for Oracle WSM.

Make sure that the following settings exist along with other default settings:

  • Server socket port: 4444

    This value is stored in the configuration file for the Managed Server as IntradocServerPort=4444.

  • Incoming Socket Connection Address Security Filter: *.*.*.*|0:0:0:0:0:0:0:1

    This value is stored in the configuration file for the Managed Server as SocketHostAddressSecurityFilter=*.*.*.*|0:0:0:0:0:0:0:1.

Before any changes to these settings take effect, you need to restart the Managed Server, as described in Section 9.3, "Restarting a Managed Server."
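The filter value required above is a list of address patterns separated by | characters, and the first pattern, *.*.*.*, admits every IPv4 peer on the server socket port; only the network path to port 4444 then limits who can reach it. The following Python example is added here and is not part of the Oracle guide or the product: it treats each pattern as a simple wildcard match, which is a simplification adopted for illustration rather than a description of Content Server's own matching code, and compares the required value with a constructed narrower filter over constructed peer addresses.

```python
"""Evaluate a Content Server SocketHostAddressSecurityFilter value.

Added example, not part of the Oracle guide. It assumes the filter is a
'|'-separated list of address patterns in which '*' matches any run of
characters; that is a simplification adopted for this illustration, not a
statement of the product's exact matching code. It shows what the wildcard
value required for Oracle WSM admits, and what a narrower filter would admit.
"""
import fnmatch


def parse_filter(value):
    """Split a SocketHostAddressSecurityFilter value into its patterns."""
    return [p.strip() for p in value.split("|") if p.strip()]


def address_allowed(filter_value, peer_address):
    """True if peer_address matches at least one pattern in the filter."""
    return any(fnmatch.fnmatchcase(peer_address, pat) for pat in parse_filter(filter_value))


def audit_filter(filter_value, peers):
    """Return {peer: allowed} for each peer address."""
    return {peer: address_allowed(filter_value, peer) for peer in peers}


# The value the guide requires for Oracle WSM, and a constructed narrower one.
WSM_FILTER = "*.*.*.*|0:0:0:0:0:0:0:1"
NARROW_FILTER = "127.0.0.1|10.20.30.*|0:0:0:0:0:0:0:1"   # constructed example

# Constructed peer addresses: local host, an application-tier host, an unrelated host, IPv6 loopback.
SAMPLE_PEERS = ["127.0.0.1", "10.20.30.7", "198.51.100.9", "0:0:0:0:0:0:0:1"]

if __name__ == "__main__":
    for name, value in (("WSM_FILTER", WSM_FILTER), ("NARROW_FILTER", NARROW_FILTER)):
        print(name, audit_filter(value, SAMPLE_PEERS))
```

The audit of WSM_FILTER returns True for every IPv4 sample, including the unrelated host; that is the expected behaviour of the required setting, and it is why port 4444 should be reachable only from the hosts that need the server socket.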

For more information about the post-installation configuration of a Managed Server, see one or more of these sections:

3.14.5 Securing Web Services with a Key Store and Oracle WSM Policies

To secure web services, you can set up a key store and apply Oracle WSM policies to the web services.

3.14.5.1 Setting Up a Key Store

The keytool command will generate a key store, which requires a password to open. Inside the key store, a key will be stored, and access to the key requires an additional password.

The suggested location for the key store is in a directory under the domain home:

  • UNIX path:
    MW_HOME/user_projects/domains/DomainHome/config/fmwconfig

  • Windows path:
    MW_HOME\user_projects\domains\DomainHome\config\fmwconfig

Placing the key store in this location ensures that the key store file is backed up when the domain and corresponding credential store files are backed up.

To set up a key store:

  1. Create the key store and a key with the alias orakey:

    JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA \
                           -dname "CN=orakey, O=oracle, C=us" \
                           -keystore default-keystore.jks -storepass welcome
    
  2. Copy default-keystore.jks to the domain's fmwconfig directory:

    cp default-keystore.jks DomainHome/config/fmwconfig
    
  3. Save the credentials in a credential store (using WLST commands):

    MW_HOME/WCC_ORACLE_HOME/common/bin/wlst.sh
    connect()
    createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome")
    createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome")
    createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome")
    

    The keystore-csf-key password must match the -storepass value, and the sign-csf-key and enc-csf-key passwords must match the -keypass value, used in step 1; otherwise Oracle WSM cannot open the key store or the key. This step creates a file, cwallet.sso, under DomainHome/config/fmwconfig.

Both default-keystore.jks and cwallet.sso are needed for the client to access the server.

For more information about setting up a key store, see Section 7.1.2, "Configuring a Key Store for Oracle IRM."

3.14.5.2 Applying Oracle WSM Policies to Web Services

You can use Oracle Enterprise Manager 11g Fusion Middleware Control to apply Oracle WSM policies to web services. For more information, see "Attaching Policies to Web Services" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.