17 Configuring Fusion Middleware Security for Content Server

This chapter provides security configuration information and procedures for integrating Oracle Fusion Middleware, Oracle WebLogic Server, and Oracle authentication and authorization software with Oracle WebCenter Content and Content Server.

This chapter includes the following topics:

For more information about Oracle Fusion Middleware and Oracle WebLogic Server security, see the documentation listed in Table 17-1.

17.1 LDAP Authentication Providers

The Oracle WebLogic Server domain includes an embedded Lightweight Directory Access Protocol (LDAP) server that acts as the default security provider data store for the Default Authentication, Authorization, Credential Mapping, and Role Mapping providers. WebCenter Content provides the default JpsUserProvider to communicate with Oracle WebLogic Server. For information on the embedded LDAP server, see "Managing the Embedded LDAP Server" in Oracle Fusion Middleware Securing Oracle WebLogic Server, and "Configure the Embedded LDAP Server" in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.

In almost all cases, a WebCenter Content production system identity store must be reassociated with an external LDAP authentication providers rather than use the embedded LDAP server. Once the new LDAP authentication provider is configured, then you migrate users from the embedded LDAP provider to the new LDAP provider. For information on WebCenter Content configuration for external LDAP providers, see Oracle WebCenter Content Installation Guide.

Note:

As of 11g Release 1 (11.1.1.6.0) Oracle WebCenter Content supports use of the Oracle Virtual Directory library (libOVD) feature, which enables a site to use multiple providers for login and group membership information. For example, it would be possible to use two Oracle Internet Directory (OID) providers as sources of user and role information. For information on multi-LDAP configuration in Oracle WebLogic Server, see Oracle Fusion Middleware Application Security Guide.

Table 17-1 lists some of the LDAP providers that can be configured for user authentication.

Table 17-1 LDAP Authenticator Types

LDAP Authentication Provider Authenticator Type

Microsoft AD

ActiveDirectoryAuthenticator

SunOne LDAP

IPlanetAuthenticator

Directory Server Enterprise Edition (DSEE)

IPlanetAuthenticator

Oracle Internet Directory

OracleInternetDirectoryAuthenticator

Oracle Virtual Directory

OracleVirtualDirectoryAuthenticator

EDIRECTORY

NovellAuthenticator

OpenLDAP

OpenLDAPAuthenticator

EmbeddedLDAP

DefaultAuthenticator


17.2 Configuring Oracle WebCenter Content to Use SSL

You can configure Oracle Fusion Middleware to secure communications with WebCenter Content using SSL, which is an industry standard for securing communications. Oracle Fusion Middleware supports SSL version 3, as well as TLS version 1.

This section covers the following topics:

For additional information, see "Configuring SSL" in Oracle Fusion Middleware Securing Oracle WebLogic Server. For information on Web Tier configuration, see "SSL Configuration in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.

17.2.1 Configuring WebCenter Content for Two-Way SSL Communication

WebCenter Content uses both the Oracle WebLogic Server and Sun secure socket layer (SSL) stacks for two-way SSL configurations.

  • For the inbound Web service bindings, WebCenter Content uses the Oracle WebLogic Server infrastructure and, therefore, the Oracle WebLogic Server libraries for SSL.

  • For the outbound Web service bindings, WebCenter Content uses JRF HttpClient and, therefore, the Sun JDK libraries for SSL.

Due to this difference, start Oracle WebLogic Server with the following JVM option:

  1. Open the following file:

    • On UNIX operating systems, open $MIDDLEWARE_HOME/user_projects/domains/domain_name/bin/setDomainEnv.sh.

    • On Window operating systems, open MIDDLEWARE_HOME\user_projects\domains\domain_name\bin\setDomainEnv.bat.

  2. Add the following lines in the JAVA_OPTIONS section, if the server is enabled for one-way SSL (server authorization only):

    -Djavax.net.ssl.trustStore=your_truststore_location
    

    For two-way SSL, the keystore information (location and password) is not required.

To enable two-way SSL for WebCenter Content to invoke another application:

Note:

Both the server and client are assumed to have been configured for SSL with mutual authentication.

  1. On the client side, provide the keystore location.

    1. From the SOA Infrastructure menu, choose SOA Administration, then Common Properties.

    2. At the bottom of the page, click More SOA Infra Advanced Configuration Properties.

    3. Click KeystoreLocation.

    4. In the Value column, enter the keystore location.

    5. Click Apply.

    6. Click Return.

  2. On the client side, provide the keystore location in DOMAIN_HOME\config\soa-infra\configuration\soa-infra-config.xml.

    <keystoreLocation>absolute_path_to_the_keystore_location_and_the_file_name
    </keystoreLocation> 
    
  3. During design time in Oracle JDeveloper, update the reference section in the composite.xml file with the oracle.soa.two.way.ssl.enabled property.

    <reference name="Service1" 
       ui:wsdlLocation=". . ."> 
       <interface.wsdl interface=". . ."/> 
         <binding.ws port=". . ."> 
          <property name="oracle.soa.two.way.ssl.enabled">true</property> 
      </binding.ws> 
     </reference> 
    
  4. In Oracle Enterprise Manager Fusion Middleware Control Console, select WebLogic Domain, then domain_name.

  5. Right-click domain_name and select Security, then Credentials.

  6. Click Create Map.

  7. In the Map Name field, enter a name (for example, SOA), and click OK.

  8. Click Create Key.

  9. Enter the following details:

    Field Description

    Select Map

    Select the map created in Step 7 (for this example, SOA).

    Key

    Enter the key name (KeystorePassword is the default).

    Type

    Select Password.

    User Name

    Enter the keystore user name (KeystorePassword is the default).

    Password

    Enter the password that you created for the keystore.


    Note:

    When you set up SSL on an Oracle WebLogic Server domain, a key alias is required. You must enter mykey as the alias value. This value is required.

  10. Set the keystore location in Oracle Enterprise Manager Fusion Middleware Control Console. See Step 1 for instructions.

  11. Modify the composite.xml syntax to use https and sslport to invoke Oracle WebCenter Content. For example, change the syntax shown in bold:

    <?xml version="1.0" encoding="UTF-8" ?> 
    <!-- Generated by Oracle SOA Modeler version 1.0 at [4/1/09 11:01 PM]. --> 
    <composite name="InvokeEchoBPELSync" 
    revision="1.0" 
    label="2009-04-01_23-01-53_994" 
    mode="active" 
    state="on" 
    xmlns="http://xmlns.example.com/sca/1.0" 
    xmlns:xs="http://www.w3.org/2001/XMLSchema" 
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
    xmlns:orawsp="http://schemas.example.com/ws/2006/01/policy" 
    xmlns:ui="http://xmlns.example.com/soa/designer/"> 
    <import 
    namespace="http://xmlns.example.com/CustomApps/InvokeEchoBPELSync/BPELProcess1"
      location="BPELProcess1.wsdl" importType="wsdl"/>
    <import namespace="http://xmlns.example.com/CustomApps/EchoBPELSync/
    BPELProcess1"location="http://hostname:port/soa-infra/services/default/EchoBPEL
    Sync/BPELProcess1.wsdl"
    importType="wsdl"/>
    

    to use https and sslport:

    location="https://hostname:sslport/soa-infra/services/default/EchoBPELSync
    /BPELProcess1.wsdl"
    

17.2.2 Invoking References in One-Way SSL Environments in Oracle JDeveloper

When invoking a Web service as an external reference from WebCenter Content in one-way SSL environments, ensure that the certificate name (CN) and the host name of the server exactly match. This ensures a correct SSL handshake.

For example, if a Web service is named adfbc and the certificate has a server name of host, the following results in a SSL handshake exception.

<import namespace="/adfbc1/common/"
location="https://host.example.com:8002/CustomApps-adfbc1-context-root/AppModuleService?WSDL"
          importType="wsdl"/> 
<import namespace="/adfbc1/common/" location="Service1.wsdl" 
          importType="wsdl"/> 

If you switch the order of import, the SSL handshake passes.

<import namespace="/adfbc1/common/" location="Service1.wsdl" 
          importType="wsdl"/> 
<import namespace="/adfbc1/common/" 
location="https://host.example.com:8002/CustomApps-adfbc1-context-root/AppModuleService?WSDL" 
          importType="wsdl"/> 

Note the following restrictions around this issue:

  • There are no options for ignoring host name verification in Oracle JDeveloper as exist with the Oracle WebLogic Server Administration Console. This is because the SSL kit used by Oracle JDeveloper is different. Only the trust store can be configured from the command line. All other certificate arguments are not passed.

  • In the WSDL file, https://hostname must match with that in the certificate, as described above. You cannot perform the same procedures as you can with a browser. For example, if the host name is host.example.com in the certificate's CN, then you can use host, host.example.com, or the IP address from a browser. In Oracle JDeveloper, always use the same name as in the certificate (that is, host.example.com).

17.2.3 Configuring WebCenter Content, Oracle HTTP Server for SSL Communication

Follow these procedures to configure SSL communication between WebCenter Content and Oracle HTTP Server.

For addition information, see "Configuring SSL for the Web Tier" in Oracle Fusion Middleware Administrator's Guide.

To configure Oracle HTTP Server for SSL communication:

  1. Append ssl.conf with the <Location /cs> location directive, where port is the port number of the target managed server.

    <Location /cs>
          WebLogicPort 8002
          SetHandler weblogic-handler
          ErrorPage http://host.example.com:port/error.html
    </Location>
    
  2. Start the Oracle WebLogic Server as described in Section 17.2.1.

To configure certificates for Oracle Client, Oracle HTTP Server, and Oracle WebLogic Server:

  1. Export the user certificate from the Oracle HTTP Server wallet.

    orapki wallet export -wallet . -cert cert.txt  -dn 'CN=\"Self-Signed Certificate for ohs1 \",OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US'
    
  2. Import the above certificate into the Oracle WebLogic Server truststore as a trusted certificate.

    keytool -file cert.txt -importcert -trustcacerts -keystore DemoTrust.jks
    
  3. Export the certificate from the Oracle WebLogic Server truststore.

    keytool -keystore DemoTrust.jks -exportcert -alias wlscertgencab -rfc -file
    certgencab.crt
    
  4. Import the above certificate to the Oracle HTTP Server wallet as a trusted certificate.

    orapki wallet add -wallet . -trusted_cert -cert certgencab.crt -auto_login_only
    
  5. Restart Oracle HTTP Server.

  6. Restart the Oracle WebLogic Server as described in Section 17.2.1.

17.2.4 Switching from Non-SSL to SSL Configurations for WebCenter Content

Switching from non-SSL to SSL configurations for WebCenter Content requires the Frontend Host and Frontend HTTPS Port fields to be set in the Oracle WebLogic Server Administration Console. Not doing so results in exception errors when you attempt to create to-do tasks.

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. In the Environment section, select Servers.

  3. Select the name of the managed server (for example, UCM_server1).

  4. Select Protocols, then select HTTP.

  5. In the Frontend Host field, enter the host name on which the WebCenter Content domain is located.

  6. In the Frontend HTTPS Port field, enter the SSL listener port.

  7. Click Save.

17.2.5 Configuring SSL Between the WebCenter Content Instance and Oracle WebCache

The Test Web Service page, in an Oracle WebCache and Oracle HTTP Server environment, may require communication back through Oracle WebCache. Therefore, SSL must be configured between the WebCenter Content instance and Oracle WebCache (that is, export the user certificate from the Oracle WebCache wallet and import it as a trusted certificate in the Oracle WebLogic Server truststore).

See "Enabling SSL for Oracle Web Cache Endpoints" in Oracle Fusion Middleware Administrator's Guide.

17.2.6 Using a Custom Trust Store for One-Way SSL

To invoke WebCenter Content over HTTPS when using a custom trust store created with a tool such as keytool or orapki, perform the following actions in Oracle JDeveloper:

  1. To fetch a WSDL file in the reference section, set the trust store information in Tools, then Preferences, then Http Analyzer, then HTTPS Setup, then Client Trusted Certificate Keystore.

  2. During deployment to a SSL-enabled server, use the JSSE property at the command line:

    jdev -J-Djavax.net.ssl.trustStore=your_trusted_location
    

17.2.7 Enabling an Asynchronous Process to Invoke an Asynchronous Process

To enable an asynchronous process deployed to a SSL-enabled, managed server to invoke another asynchronous process over HTTP, start by assuming you create the following environment:

  • Asynchronous BPEL process A that invokes asynchronous BPEL process B

  • Asynchronous BPEL process A is deployed to a one-way SSL enabled, managed server

  • All WSDL reference and bindings use plain HTTP

At run time, the WSDL is looked for over HTTPS, and the callback message from asynchronous BPEL process B fails.

To resolve this issue, the callbackServerURL property must be passed at the reference binding level in the composite.xml file. This explicitly indicates the value of the callback URL for the given reference invocation. If the client composite is running in a SSL-managed server, then the callback defaults to SSL.

<reference name="Service1" ui:wsdlLocation="http://localhost:8000/soa-infra/services/default/
                AsyncSecondBPELMTOM/BPELProcess1.wsdl"> 
    <interface.wsdl interface="http://xmlns.example.com/Async/AsyncSecondBPELMTOM/BPELProcess1# 
                wsdl.interface(BPELProcess1)" callbackInterface="http://xmlns.example.com/Async/ 
                AsyncSecondBPELMTOM/BPELProcess1#wsdl.interface(BPELProcess1Callback)"/> 
    <binding.ws port="http://xmlns.example.com/Async/AsyncSecondBPELMTOM/BPELProcess1#
                wsdl.endpoint(bpelprocess1_client_ep/BPELProcess1_pt)" 
        location="http://localhost:8000/soa-infra/services/default/AsyncSecondBPELMTOM 
                /bpelprocess1_client_ep?WSDL"> 
            <wsp:PolicyReference URI="oracle/wss_username_token_client_policy" 
                orawsp:category="security" orawsp:status="enabled"/>
            <wsp:PolicyReference URI="oracle/wsaddr_policy"  orawsp:category="addressing"
                orawsp:status="enabled"/> 
            <property name="callbackServerURL">http://localhost:8000/</property> 
    </binding.ws> 
    <callback> 
            <binding.ws port="http://xmlns.example.com/Async/AsyncSecondBPELMTOM/BPELProcess1#
                wsdl.endpoint(bpelprocess1_client_ep/BPELProcess1Callback_pt)"> 
              <wsp:PolicyReference URI="oracle/wss_username_token_service_policy"
                  orawsp:category="security" orawsp:status="enabled"/> 
            </binding.ws> 
    </callback> 
</reference> 

17.2.8 Configuring RIDC SSL for Valid Certificate Path

To use Remote Intradoc Client (RIDC) and self-signed certificates, you must import the certificate into your local JVM certificate store so the certificate will be trusted.

  1. Retrieve the key from the Content Server instance. For example:

    openssl s_client -connect host.example.com:7045 2>/dev/null
    
    CONNECTED(00000003)
    ---
    Certificate chain
      
     0 s:/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING ONLY/CN=hostname 
    i:/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING ONLY/CN=CertGenCAB
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIB6zCCAZUCEItVMwHDFXAnYG//RoVbXQgwDQYJKoZIhvcNAQEEBQAweTELMAkG
    A1UEBhMCVVMxEDAOBgNVBAgTB015U3RhdGUxDzANBgNVBAcTBk15VG93bjEXMBUG
    A1UEChMOTXlPcmdhbml6YXRpb24xGTAXBgNVBAsTEEZPUiBURVNUSU5HIE9OTFkx
    EzARBgNVBAMTCkNlcnRHZW5DQUIwHhcNMDkwMzI5MjM0NDM0WhcNMjQwMzMwMjM0
    NDM0WjB5MQswCQYDVQQGEwJVUzEQMA4GA1UECBYHTXlTdGF0ZTEPMA0GA1UEBxYG
    TXlUb3duMRcwFQYDVQQKFg5NeU9yZ2FuaXphdGlvbjEZMBcGA1UECxYQRk9SIFRF
    U1RJTkcgT05MWTETMBEGA1UEAxYKZGFkdm1jMDAyMjBcMA0GCSqGSIb3DQEBAQUA
    A0sAMEgCQQCmxv+h8kzOc2xyjMCdPM6By5LY0Vlp4vzWFKmPgEytp6Wd87sG+YDB
    PeFOz210XXGMx6F/14/yFlpCplmazWkDAgMBAAEwDQYJKoZIhvcNAQEEBQADQQBn
    uF/s6EqCT38Aw7h/406uPhNh6LUF7XH7QzmRv3J1sCxqRnA/fK3JCXElshVlPk8G
    hwE4G1zxpr/JZu6+jLrW
    -----END CERTIFICATE-----
    subject=/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING
    ONLY/CN=host
    issuer=/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING
    ONLY/CN=CertGenCAB
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 625 bytes and written 236 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 512 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
       Protocol  : TLSv1
       Cipher    : RC4-MD5
       Session-ID: 23E20BCAA4BC780CE20DE198CE2DFEE4
       Session-ID-ctx:
       Master-Key:
    4C6F8E9B9566C2BAF49A4FD91BE90DC51F1E43A238B03EE9B700741AC7F4B41C72D2990648DE103
    BB73B3074888E1D91
       Key-Arg   : None
       Start Time: 1238539378
       Timeout   : 300 (sec)
       Verify return code: 21 (unable to verify the first certificate)
    ---
    
  2. Copy and paste the Server Certificate including the surrounding -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Save the certificate into a new file. For example:

    /tmp/host.pem:
    
    -----BEGIN CERTIFICATE-----
    MIIB6zCCAZUCEItVMwHDFXAnYG//RoVbXQgwDQYJKoZIhvcNAQEEBQAweTELMAkG
    A1UEBhMCVVMxEDAOBgNVBAgTB015U3RhdGUxDzANBgNVBAcTBk15VG93bjEXMBUG
    A1UEChMOTXlPcmdhbml6YXRpb24xGTAXBgNVBAsTEEZPUiBURVNUSU5HIE9OTFkx
    EzARBgNVBAMTCkNlcnRHZW5DQUIwHhcNMDkwMzI5MjM0NDM0WhcNMjQwMzMwMjM0
    NDM0WjB5MQswCQYDVQQGEwJVUzEQMA4GA1UECBYHTXlTdGF0ZTEPMA0GA1UEBxYG
    TXlUb3duMRcwFQYDVQQKFg5NeU9yZ2FuaXphdGlvbjEZMBcGA1UECxYQRk9SIFRF
    U1RJTkcgT05MWTETMBEGA1UEAxYKZGFkdm1jMDAyMjBcMA0GCSqGSIb3DQEBAQUA
    A0sAMEgCQQCmxv+h8kzOc2xyjMCdPM6By5LY0Vlp4vzWFKmPgEytp6Wd87sG+YDB
    PeFOz210XXGMx6F/14/yFlpCplmazWkDAgMBAAEwDQYJKoZIhvcNAQEEBQADQQBn
    uF/s6EqCT38Aw7h/406uPhNh6LUF7XH7QzmRv3J1sCxqRnA/fK3JCXElshVlPk8G
    hwE4G1zxpr/JZu6+jLrW
    -----END CERTIFICATE-----
    
  3. Import the certificate into the local JVM certificate store. You will need the keystore password. For example (the password is changeit):

    sudo /opt/java/jdk1.6.0_12/bin/keytool -import -alias host -keystore 
    /opt/java/jdk1.6.0_12/jre/lib/security/cacerts -trustcacerts -file 
    /tmp/host.pem
    
    Enter keystore password: changeit 
    Owner: CN=host, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown,
    ST=MyState, C=US
    Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown,
    ST=MyState, C=US
    Serial number: -74aaccfe3cea8fd89f9000b97aa4a2f8
    Valid from: Sun Mar 29 16:44:34 PDT 2009 until: Sat Mar 30 16:44:34 PDT 2024
    Certificate fingerprints:
        MD5:  94:F9:D2:45:7F:0D:E3:87:CF:2B:32:7C:BF:97:FF:50
        SHA1: A8:A5:89:8B:48:9B:98:34:70:56:11:01:5C:14:32:AC:CB:18:FF:1F
        Signature algorithm name: MD5withRSA
        Version: 1
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    

17.3 Configuring WebCenter Content for Single Sign-On

Oracle provides several single sign-on solutions. Oracle Access Manager (OAM) is the recommended single sign-on (SSO) solution for Oracle Fusion Middleware enterprise-class installations including WebCenter Content. OAM is part of Oracle's suite of enterprise-class products for identity management and security. For more information, see "Choosing the Right SSO Solution for Your Deployment" in Oracle Fusion Middleware Application Security Guide.

If your enterprise-class installation uses Microsoft desktop logins that authenticate with a Microsoft domain controller with user accounts in Active Directory, then configuring Windows Native Authentication (WNA) single sign-on may be an option. For more information about WNA, see Section 17.3.6.

Note:

WebDAV (/dav) is protected by basic authentication per WebDAV protocol and is not protected by SSO, which typically requires form-based login. If you want to use a custom SSO solution for WebDAV, then a custom component is necessary.

Configuration information is provided in the following sections:

17.3.1 Configuring Oracle Access Manager 11g with WebCenter Content

This section describes how to integrate WebCenter Content with Oracle Access Manager (OAM) 11g. Configuration information is provided for Oracle WebCenter Content: Content Server (CS), Oracle WebCenter Content: Records (URM), Oracle WebCenter Content: Inbound Refinery (IBR), and Oracle WebCenter Content: Site Studio (SS).

Before you can configure OAM 11g, install the software using the instructions provided in "Installing the Oracle Identity Management 11g Software" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

  1. Configure OAM 11g, Oracle HTTP Server (OHS), and WebGate as described in "Setting Up OAM Agents" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

    1. Append entries to the mod_wl_ohs.conf file to add WebCenter Content Uniform Resource Identifiers (URIs) to forward. Use the appropriate location entries from the following example. Each entry in the example maps the incoming path to the appropriate Oracle WebLogic Server on which the corresponding application resides.

      In the following list of entries, hostname represents the name of the computer hosting the Content Server, and portnumber represents the port number of the Oracle WebLogic Server on which the corresponding applications resides. Replace hostname and portnumber with your system's host name and port name.

      Note:

      The URIs you forward depend on the WebCenter Content functionality that you have installed. Use the appropriate location entry for your functionality. For example: /cs, /adfAuthentication, /_ocsh, /ibr, /urm.

      For Site Studio, the URI to forward is configured by the customer. For example, if the site is accessed as /mysite, then you need to append a location entry for /mysite.

      Caution:

      The Content Server location /cs can be customized, so the /cs designation can not guarantee that HTTP requests will include the correct location. If /cs has been changed, then forward the location the administrator has configured.

      # Content Server
      <Location /cs>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # Content Server authentication
      <Location /adfAuthentication>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # WebCenter online help
      <Location /_ocsh>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # IBR
      <Location /ibr>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # URM
      <Location /urm>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # SS
      <Location /customer-configured-site-studio
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
    2. Use the OAM 11g remote registration tool (oamreg) to register an OAM Agent, specifying Oracle WebCenter Content URIs to protect and to make public. See "Provisioning an OAM Agent with Oracle Access Manager 11g" in Oracle Fusion Middleware Application Security Guide.

      For more information, see "Setting Up OAM Agents" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

      Note:

      The URIs you protect and make public depend on the WebCenter Content functionality that you have installed: Content Server (CS), Inbound Refinery (IBR), Records (URM), Site Studio (SS).

      For Site Studio, the URI to protect is configured by the customer. For example, if the site is accessed as /mysite, then you need to specify the URI /mysite.

      Functionality Type URI

      CS

      Protect

      /adfAuthentication

      CS

      Public

      /cs

      CS

      Public

      /_ocsh

      IBR

      Protect

      /ibr/adfAuthentication

      IBR

      Public

      /ibr

      URM

      Protect

      /urm/adfAuthentication

      URM

      Public

      /urm

      SS

      Protect

      /customer_configured_site_studio


    3. Add the URL /oamsso/logout.html to the logout URL setting for the AccessGate so the single sign-on logout works properly. For details, see topics on configuring a single sign-on logout URL and AccessGate configuration parameters in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

  2. Configure the WebCenter Content domain by ensuring you perform these tasks. See "Deploying the Oracle Access Manager 11g SSO Solution" in Oracle Fusion Middleware Application Security Guide.

    1. Configure the OAM Identity Asserter. The control flag for the OAM Identity Asserter must be set to REQUIRED, and both OAM_REMOTE_USER and ObSSOCookie must be selected as Active Types.

      See "Identity Asserter for Single Sign-on Function," and "Configuring Identity Assertion for SSO with Oracle Access Manager 11g" in Oracle Fusion Middleware Application Security Guide.

    2. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OAM is using OID, then an OID Authentication provider must be added to the WebCenter Content domain.

      Note:

      When the Oracle WebLogic Server domain for WebCenter Content is configured to use a different authentication provider than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or WebCenter Content will fail to load any user privileges. Make sure to re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see Section 17.3.4.

      See "Installing the Authentication Provider with Oracle Access Manager 11g" and "Setting Up Providers for Oracle Access Manager Identity Assertion" in Oracle Fusion Middleware Application Security Guide.

      See Oracle Fusion Middleware Application Security Guide for information on the differences when deploying the Authentication Provider with OAM 10g versus OAM 11g.

    3. Configure the OPSS (OAM) Single Sign-On provider.

      See "Configuring Oracle WebLogic Server for a Web Application Using ADF Security, OAM SSO, and OPSS SSO" in the Oracle Fusion Middleware Application Security Guide.

  3. After installing and configuring OAM 11g, check that you can access all of the configured applications, and that the login is giving you access to all of your configured applications without prompting you to sign in again. Also test global logout where available and make sure you are logged out of all other related applications.

    For more information, see "Configuring Centralized Log Out for Oracle Access Manager 11g" in the Oracle Fusion Middleware Application Security Guide and the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

17.3.2 Configuring Oracle Access Manager 10g with WebCenter Content

This section describes how to integrate WebCenter Content with Oracle Access Manager (OAM) 10g. Configuration information is provided for Oracle WebCenter Content Server (CS), Oracle WebCenter Content: Records (URM), Oracle WebCenter Content: Inbound Refinery (IBR), and Oracle WebCenter Content: Site Studio (SS).

Before you can configure OAM, install the software. See information on OAM integrationin Oracle Fusion Middleware Enterprise Deployment Guide for Oracle WebCenter Content, and information on installing the OAM 10g software in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

  1. Configure OAM 10g, Oracle HTTP Server (OHS), and WebGate as described in "Deploying SSO Solutions with Oracle Access Manager 10g" in Oracle Fusion Middleware Application Security Guide.

    1. Append entries to the mod_wl.conf file to add WebCenter ContentUniform Resource Identifiers (URIs) to forward. Use the appropriate location entries from the following example. The entries in the following Location list map the incoming paths to the appropriate Oracle WebLogic Server on which the corresponding applications reside.

      In the following list of entries, hostname represents the name of the computer hosting the Content Server, and portnumber represents the port number of the Oracle WebLogic Server on which the corresponding applications resides. Replace hostname and portnumber with your system's host name and port name.

      Note:

      The URIs you forward depend on the WebCenter Content functionality that you have installed. Use the appropriate location entry for your functionality. For example: /cs, /adfAuthentication, /_ocsh, /ibr, /urm.

      For Site Studio, the URI to forward is defined by the customer. For example, if the site is accessed as /mysite, then you need to append a location entry for /mysite.

      Caution:

      The Content Server location /cs can be customized, so the /cs designation can not guarantee that HTTP requests will include the correct location. If /cs has been changed, then forward the location the administrator has configured.

      # Content Server
      <Location /cs>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # Content Server authentication
      <Location /adfAuthentication>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # WebCenter online help
      <Location /_ocsh>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # IBR
      <Location /ibr>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # URM
      <Location /urm>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # SS
      <Location /customer-configured-for-site-studio>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portname>
      </Location>
      
    2. Use the OAM 10g Configuration tool (oamcfgtool) to specify WebCenter Content URIs to protect.

      The OAM Configuration tool is a command-line utility, which you can use to launch a series of scripts to request information and set up the required profiles and policies in OAM. For details about oamCtgTool, see Oracle Fusion Middleware Application Security Guide.

      Note:

      The URIs you protect depend on the WebCenter Content functionality that you have installed: Oracle WebCenter Content (CS), Inbound Refinery (IBR), Records (URM), Site Studio (SS).

      For Site Studio, the URI to protect is configured by the customer. For example, if the site is accessed as /mysite, then you need to specify the URI /mysite.

      Functionality URI

      CS

      /adfAuthentication

      IBR

      /ibr/adfAuthentication

      URM

      /urm/adfAuthentication

      SS

      /customer_configured_site_studio


      Note:

      If the URL for WebCenter Content does not link correctly after completing the OAM configuration, you might need to change the server host and server port values. For more information, see Section 17.3.5.

    3. Configure the WebGate to handle the end_url in order to complete the setup for OAM global logout. Without this additional configuration, you are logged out, but not redirected to the end URL because end_url is not processed. For information about the configuration procedure, see Oracle Fusion Middleware Application Security Guide.

    4. Add the URL /oamsso/logout.html to the logout URL setting for the AccessGate so the single sign-on logout works properly. For details, see topics on configuring a single sign-on logout URL and AccessGate configuration parameters in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

      Note:

      Deploying WebCenter Content version 11gR1 in an environment using OAM version 10g requires additional configuration to process logout requests properly. For detailed information, see the section "Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates" in the Oracle Fusion Middleware Application Security Guide.

  2. Configure the WebCenter Content domain by performing the following tasks. For details, see "Deploying SSO Solutions with Oracle Access Manager 10g" in Oracle Fusion Middleware Application Security Guide.

    1. Configure the OAM Identity Asserter. The control flag for the OAM Identity Asserter must be set to REQUIRED.

      See "Configuring OAM Identity Assertion for SSO with Oracle Access Manager 10g" in Oracle Fusion Middleware Application Security Guide.

    2. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OAM is using OID, then an OID Authentication provider must be added to the Oracle WebCenter Content domain.

      Note:

      When the Oracle WebLogic Server domain for WebCenter Content is configured to use a different authentication provider than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or WebCenter Content will fail to load any user privileges. Make sure to re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see Section 17.3.4.

      See "Installing and Setting Up Authentication Providers for OAM 10g" and "Configuring the Authenticator for Oracle Access Manager 10g" in Oracle Fusion Middleware Application Security Guide.

      See Oracle Fusion Middleware Application Security Guide for information on the differences when deploying the Authentication Provider with OAM 10g versus OAM 11g.

    3. Configure the OPSS (OAM) Single Sign-On provider.

      See "Configuring Single Sign-On Using Oracle Access Manager 10g" in Oracle Fusion Middleware Application Security Guide.

  3. After installing and configuring OAM 10g, check that you can access all of the configured applications, and that the login is giving you access to all of your configured applications without prompting you to sign in again. Also test global logout where available and make sure you are logged out of all other related applications.

    For more information, see "Configuring Global Logout for Oracle Acce Manager 10g and 11g WebGates" in Oracle Fusion Middleware Application Security Guide, and Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

17.3.3 Configuring Oracle Single Sign-On for WebCenter Content

Oracle Single Sign-On (OSSO) is part of the 10g Oracle Application Server suite. OSSO is an enterprise-level single sign-on solution that works with the OC4J application server in conjunction with Oracle Internet Directory and Oracle HTTP Server (OHS) 11g.

If OSSO is already in place as the enterprise solution for your existing Oracle deployment, Oracle Fusion Middleware continues to support the existing OSSO as a solution. However, Oracle recommends that you consider upgrading to OAM 11g Single Sign-On solution.

This section provides information for integrating WebCenter Content with OSSO. Configuration information is provided for Oracle WebCenter Content Server (CS), Oracle WebCenter Content: Records (URM), and Oracle WebCenter Content: Inbound Refinery (IBR), and Oracle WebCenter Content: Site Studio (SS).

See also Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management, Oracle Fusion Middleware Application Security Guide, Oracle Fusion Middleware Upgrade Planning Guide, and Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.

Before you can configure OSSO, ensure that the software is installed. OSSO and Oracle Delegated Administration Service are not part of the 11g release. Customers must download the 10.1.4.* versions of these products, which are compatible with 11g Oracle Internet Directory and Oracle Directory Integration Platform, to form what was known in 10g as the Application Server Infrastructure. For deployment instructions on these 10g products, read Chapter 4 "Installing and Configuring JAZN-SSO/DAS" in the Oracle Application Server Enterprise Deployment Guide (B28184-02) for Oracle Identity Management release 10.1.4.0.1. This manual is available on Oracle Technology Network at:

http://download.oracle.com/docs/cd/B28196_01/core.1014/b28184/toc.htm

  1. Configure OSSO. For details, see Oracle Fusion Middleware Application Security Guide.

    1. Append WebCenter Content Uniform Resource Identifier (URI) entries to the mod_wl_ohs.conf file. Use the appropriate location entries from the following example. Each entry in the example maps the incoming path to the appropriate Oracle WebLogic Server on which the corresponding application resides.

      In the following list of entries, hostname represents the name of the computer hosting the Content Server, and portnumber represents the port number of the Oracle WebLogic Server on which the corresponding applications resides. Replace hostname and portnumber with your system's host name and port name.

      Note:

      The URIs you forward depend on the WebCenter Content functionality that you have installed. Use the appropriate location entry for your functionality. For example: /cs, /adfAuthentication, /_ocsh, /ibr, /urm.

      For Site Studio, the URI to forward is configured by the customer. For example, if the site is accessed as /mysite, then you need to append a location entry for /mysite.

      Caution:

      The Content Server location /cs can be customized, so the /cs designation can not guarantee that HTTP requests will include the correct location. If /cs has been changed, then forward the location the administrator has configured.

      # Content Server
      <Location /cs>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # Content Server authentication
      <Location /adfAuthentication>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # WebCenter online help
      <Location /_ocsh>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # IBR
      <Location /ibr>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # URM
      <Location /urm>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # SS
      <Location /customer-configured-site-studio
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
    2. Modify the mod_osso.conf file (at ORACLE_HOME/ohs/conf/) to include WebCenter Content Uniform Resource Identifiers (URIs) to protect.

      Note:

      The URIs you protect depend on the WebCenter Content functionality that you have installed: Content Server (CS), Inbound Refinery (IBR), Records (URM), and Site Studio (SS).

      For Site Studio, the URI to protect is configured by the customer. For example, if the site is accessed as /mysite, then you need to specify the URI /mysite.

      Functionality URI

      CS

      /adfAuthentication

      IBR

      /ibr/adfAuthentication

      URM

      /urm/adfAuthentication

      SS

      /customer_configured_site_studio


  2. Configure the WebCenter Content domain by ensuring you perform these tasks. See "Configuring Single Sign-On using OracleAS SSO 10g" in Oracle Fusion Middleware Application Security Guide.

    1. Add and configure the OSSO Identity Asserter for the Oracle WebLogic Server for WebCenter Content. Oracle recommends the following Authentication Providers: OSSO Identity Asserter, OID Authenticator, Default Authenticator.

      The OID Authenticator provider is for the Oracle Internet Directory server, which is used in production-level systems. The Default Authenticator provider is for the Oracle WebLogic Server embedded LDAP server.

      Ensure that OSSOIdentityAsserter is set as the primary provider authenticator for the domain, so that user profiles can be retrieved from the associated Oracle Internet Directory server. If necessary, reorder the providers so they appear in the following order, with control flags set as listed:

      OSSOIdentityAsserter (REQUIRED)

      OIDAuthenticator (SUFFICIENT)

      DefaultAuthenticator (SUFFICIENT)

      Note:

      When the Oracle WebLogic Server domain for WebCenter Content is configured to use a different authentication provider than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or WebCenter Content will fail to load any user privileges. Make sure to re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see Section 17.3.4.

    2. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OSSO is using OID, then an OID Authentication provider must be added to the WebCenter Content domain.

Note:

If the URL for WebCenter Content does not link correctly after completing the OSSO configuration, you might need to change the server host and server port values. For more information, see Section 17.3.5.

17.3.4 Configuring the First Authentication Provider

When the Oracle WebLogic Server domain for WebCenter Content is configured to use an authentication provider other than its default authentication provider for user authentication (such as Oracle Internet Directory or another LDAP provider), the primary provider must be the first authentication provider listed in the security realm configuration, or login authentication will fail.

If the primary provider is not listed first (for example, it is listed below the Oracle WebLogic Server provider, DefaultAuthenticator), then WebCenter Content will fail to successfully load users' Group membership and therefore fail to load any user privileges. You can use the Oracle WebLogic Server Administration Console to change the order in which the configured authentication providers are called. For details, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

Note:

When you use Oracle Internet Directory, all WebCenter Content administrator and other users must be defined in Oracle Internet Directory.

Note:

Content Server assigns a Content Server administrator role to administrative users defined in the internal Oracle WebLogic Server user store. This is true regardless of whether Oracle Internet Directory is used or not used. However, if you use Oracle Internet Directory and the Oracle Internet Directory Authentication provider is not listed first, then any request by the Content Server instance to retrieve the roles of the Oracle WebLogic Server defined administrative users will fail.

Note:

As of 11g Release 1 (11.1.1.6.0) Oracle WebCenter Content supports use of the Oracle Virtual Directory library (libOVD) feature, which enables a site to use multiple providers for login and group membership information. For example, it would be possible to use both Oracle Internet Directory (OID) and Active Directory as sources of user and role information. For more information about multi-LDAP configuration in Oracle WebLogic Server, see Oracle Fusion Middleware Application Security Guide.

17.3.5 Configuring the WebCenter Content URL for Single Sign-On

When you configure an Oracle application for use with Single Sign-On (SSO) and have set up Oracle Access Manager (OAM) or Oracle Single Sign-On (OSSO), the WebCenter Content GET_ENVIRONMENT service provides the server name, server port, and relative webroot to the application service call (for example, the WebCenter Content Doclib service). However, the values provided by GET_ENVIRONMENT might not be correct for your SSO configuration.

If you want to redirect the application service to use the OHS server host and server port (because both OAM and OSSO solutions require front-end applications with OHS), you must modify the Content Server host and server port configuration values.

You can use either of the following two methods to modify the Content Server host and server port values:

  • Use the Oracle WebLogic Server Administration Console.

  • Use the WebCenter Content standalone System Properties application.

    1. Go to the WebCenter Content domain directory.

    2. Change the directory to ucm/cs/bin

    3. Run the standalone application: ./SystemProperties

    4. In the System Properties window, select the Internet tab.

    5. Update the HTTP Server address to the OHS (or Load Balancer) server host and server port values.

    6. Exit the System Properties window.

    7. Restart the Oracle WebLogic Server domain.

17.3.6 Configuring WebCenter Content and Single Sign-On for WNA

Setting up WebCenter Content and single sign-on (SSO) with Microsoft clients for Windows Native Authentication (WNA) requires configuring the Microsoft Active Directory, the client, and the Oracle WebLogic Server domain. Details including system requirements for SSO with Microsoft clients are provided in "Configuring Single Sign-On with Microsoft Clients" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

As part of configuring SSO with Microsoft clients, you must specify a LDAP authentication provider to access the external Microsoft Active Directory. Oracle WebLogic Server offers the Active Directory Authentication provider. See "Configuring LDAP Authentication Providers" in Oracle WebLogic Server Securing Oracle WebLogic Server.

Note:

When the Oracle WebLogic Server domain for WebCenter Content is configured to use a different authentication provider than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or WebCenter Content will fail to load any user privileges. Make sure to re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see Section 17.3.4.

As part of configuring SSO with Microsoft clients, you must configure the Negotiate Identity Assertion provider in Oracle WebLogic Server security realm. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. Use the Oracle WebLogic Server Administration Console to add a new provider in the appropriate security realm in the domain structure, assign it a name, then select NegotiateIdentityAsserter for its Type. Activate the changes and restart the Oracle WebLogic Server. Now your server can use the Kerberos ticket it receives from the browser.

You must redeploy each WebCenter Content application (Content Server, Inbound Refinery, Records) that will be used in the Windows Native Authentication (Kerberos) environment, using an associated deployment plan. A deployment plan is a XML document. Oracle provides a plan for each of the three WebCenter Content applications: cs-deployment-plan.xml, ibr-deployment-plan.xml, and urm-deployment-plan.xml. You also can implement a deployment plan using the Oracle WebLogic Scripting Tool.

  1. Log in to the Oracle WebLogic Server Administration Console.

  2. Click Deployments in the Domain Structure navigation tree.

  3. In the Control tab, click Next until you see the WebCenter Content deployment you want to change:

    • Oracle WebCenter Content Server

    • Oracle WebCenter Content: Inbound Refinery

    • Oracle WebCenter Content: Records

  4. Select the check box to the left of the deployment to be changed.

  5. Click Update.

  6. Under the Deployment plan path, select Change Path.

  7. Navigate to and select the appropriate plan file:

    • cs-deployment-plan.xml (for Content Server)

    • ibr-deployment-plan.xml (for Inbound Refinery)

    • urm-deployment-plan.xml (for Records)

  8. Verify that Redeploy this application using the following deployment files is selected.

  9. Click Next.

  10. Click Finish.

  11. To verify that SSO with Microsoft clients is configured properly, point a browser to the Microsoft Web application or Web service you want to use. If you are logged in to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the Web application or Web service without providing a user name or password.

cs-deployment-plan.xml

Use the provided cs-deployment-plan.xml file, or create a .xml file and name it cs-deployment-plan.xml.

<deployment-plan
<?xml version='1.0' encoding='UTF-8'?>
    xmlns="http://xmlns.example.com/weblogic/deployment-plan"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.example.com/weblogic/deployment-plan http://xmlns.example.com/weblogic/deployment-plan/1.0/deployment-plan.xsd"
    global-variables="false">
  <application-name>cs.ear</application-name>
  <variable-definition>
   <variable>
      <name>http-only</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>cs.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>http-only</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>

ibr-deployment-plan.xml

Use the provided ibr-deployment-plan.xml file, or create a .xml file and name it ibr-deployment-plan.xml.

<deployment-plan
<?xml version='1.0' encoding='UTF-8'?>
    xmlns="http://xmlns.example.com/weblogic/deployment-plan"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation= "http://xmlns.example.com/weblogic/deployment-plan
http://xmlns.example.com/weblogic/deployment-plan/1.0/deployment-plan.xsd"
    global-variables="false">
  <application-name>ibr.ear</application-name>
  <variable-definition>
   <variable>
      <name>http-only</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>ibr.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>http-only</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>

urm-deployment-plan.xml

Use the provided urm-deployment-plan.xml file, or create a .xml file and name it urm-deployment-plan.xml.

<deployment-plan
<?xml version='1.0' encoding='UTF-8'?>
    xmlns="http://xmlns.example.com/weblogic/deployment-plan"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.example.com/weblogic/deployment-plan http://xmlns.example.com/weblogic/deployment-plan/1.0/deployment-plan.xsd" 
    global-variables="false">
  <application-name>urm.ear</application-name>
  <variable-definition>
   <variable>
      <name>http-only</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>urm.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>

17.4 Configuring Oracle Infrastructure Web Services

Oracle Infrastructure Web services provide the ability to create and attach policy sets to subjects on a global scope (domain, server, application, or SOA composite). Oracle Infrastructure Web services are implemented according to the Web services for Java EE 1.2 specification, which defines the standard Java EE runtime architecture for implementing Web services in Java. The specification also describes a standard Java EE Web service packaging format, deployment model, and runtime services, all of which are implemented by Oracle Infrastructure Web services.

For information on applying OWSM security to Web services, see "Attaching Policies to Web Services" in Oracle Fusion Middleware Security and Administrator's Guide for Web Serices.

Differences in behavior, and any limitations, for Oracle Infrastructure Web services supported on IBM WebSphere are described in "Managing Web Services on IBM WebSphere" in Third-Party Application Server Guide.