This chapter provides introductory information on Oracle WebCenter Content security as it is integrated with other Oracle products, and its own internal security features and supplemental security options.
This chapter includes the following topics:
A Content Server instance is deployed on a WebCenter Content domain, which is deployed on an Oracle WebLogic Server domain in Oracle Fusion Middleware. Security is supported at multiple levels including the Content Server instance, the WebCenter Content domain, the Oracle WebLogic Server domain, and Oracle Platform Security Services (OPSS).
Access to content in the Content Server repository requires a Content Server administrator to manage content, users, and groups, as well as roles, permissions, and accounts. An Oracle WebLogic Server administrator functions as the Content Server administrator. An Oracle WebLogic Server administrator must log in to the Content Server instance and set up the primary Content Server administrator account and password, if no such user was configured during deployment. After the Content Server administrator is configured, management tasks can be performed on the Content Server instance. For more information on the initial configuration of a WebCenter Content administrator, see Oracle WebCenter Content Installation Guide.
Most user management tasks must be performed using the Oracle WebLogic Server Administration Console instead of the User Admin applet on the Content Server instance. By default, WebCenter Content uses the Oracle WebLogic Server user store to manage user names and passwords, and the credential store is leveraged to grant users access to the Content Server instance. For an enterprise-level system, Oracle Platform Security Services (OPSS) can be used instead of the default Oracle WebLogic Server user store to authenticate and authorize users. For more information on integrating WebCenter Content security with Oracle WebLogic Server and OPSS, see Chapter 17.
Content Server offers several levels of security for repository content: security groups (which are required) and accounts (which are optional). Each content item is assigned to a security group, and if accounts are enabled then content items can also be assigned to an account. Users are assigned a certain level of permission (Read, Write, Delete, or Admin) for each security group and account, which enables them to work with a content item only to the extent that they have permissions to the item's security group and account. For more information on users, groups, and accounts internal to Content Server, see Chapter 18, Chapter 19, and Chapter 20.
Access control lists (ACLs) can be configured for a Content Server instance to provide extended control of content access to users on an enterprise-level system. An access control list is a list of users, groups, or Enterprise roles with permission to access or interact with a content item. For more information, see Chapter 21.
The administrator sets up initial user and content security within Content Server by using the User Admin application to define user roles, permissions to groups, and accounts. Then the administrator uses the Oracle WebLogic Server Administration Console to create users and assign each user to one or more of the Content Server roles, which in turn are assigned specific permissions to security groups. If accounts are enabled in Content Server, the administrator can assign users specific permissions to certain accounts, which then limits the permissions the users might otherwise have through their assigned roles.
The following components also can be used to provide additional internal Content Server security:
Security can be customized for user access by using the ExtranetLook component, which is installed (disabled) with Content Server. For more information, see Section 23.1.
The ExtranetLook component is not applicable when the Oracle WebLogic Server domain is used as the web server for the Content Server instance. Modification of the security implementation is controlled through direct customization of the Oracle WebLogic Server domain and administrative configuration.
Security can be customized for user access and search results by using the NeedToKnow component. This component enables you to further configure user access restrictions, modify the display of search results, alter search behavior, and set up hit list roles. To use this component, you must install and enable it.
Be aware that Internet Explorer 7 supplies the following message to users logging in with basic authentication without a secure connection:
Warning: This server is requesting that your username and password be sent in an insecure manner
The behavior (sending user name and password in text) is not new for basic authentication and does not cause problems.
WebCenter Content can combine additional authentication methods. For example, you can define some users with the Oracle WebLogic Server Administration Console, allow some users to log in using their Microsoft domain identity, and grant other users access to the Content Server instance based on their external Lightweight Directory Access Protocol (LDAP) credentials. However, authentication is configured through Oracle WebLogic Server, so the combination of methods is limited. Users can authenticate against multiple authentication stores, but because of the Oracle Platform Security Services (OPSS) and Oracle WebLogic Server integration, only one of the configured user stores can be used to extract authorization (group) information.
As of 11g Release 1 (220.127.116.11.0) Oracle WebCenter Content supports use of the Oracle Virtual Directory library (libOVD) feature, which enables a site to use multiple providers for login and group membership information. For example, it would be possible to use both Oracle Internet Directory (OID) and Active Directory as sources of user and role information. For information on multi-LDAP configuration in Oracle WebLogic Server, see Oracle Fusion Middleware Application Security Guide.
The following options can be used to provide additional security:
Security can be customized to support encrypted socket communication and authentication by using the SecurityProviders component, which is installed (enabled) by default with WebCenter Content. This component enables a Secure Sockets Layer (SSL) provider, which can be configured to use certificates for socket or server authentication.
If you use SSL and HTTPS to connect to WebCenter Content, and are unable to connect through WebDAV, try connecting to the Content Server instance through the browser using the same URL you used in your WebDAV connection string. This lets you see if there is a problem with the certificate, which is used to encrypt communications. If you get a dialog box stating a problem with the certificate, resolve the issue and then try to connect through WebDAV again.
For users to access the Content Server instance using different web server front ends, when one server front end is HTTPS and the other is HTTP, you can customize the Content Server configuration using the BrowserUrlPath component. This component is installed (disabled) by default with WebCenter Content and supports a web server front end using HTTPS and a load balancer that forwards itself as the HTTP Host header. If you only use one access method (only HTTPS, or only HTTP), or you are not using a load balancer that blocks the "Host" parameter from the browser, then this component is unnecessary. For more information, see Section 23.2.
Extended security attributes can be assigned to external usersor to users for a specific application. The extended attributes are merged into pre-existing user attributes and enable additional flexibility in managing users. For more information, see Section 23.3.
In all environments, a comprehensive understanding of your organization's security needs and a thorough planning phase is crucial to a successful security integration.