This chapter explains how to complete the initial configuration of Oracle Information Rights Management (Oracle IRM) in an Oracle WebLogic Server domain.
This chapter includes the following sections:
Section 9.1, "Completing the Initial Oracle IRM Configuration"
Section 9.4, "Integrating Rights with Oracle Access Manager 11g"
Before logging in to the Oracle IRM Management Console or using Content application server Desktop, you need to complete the Oracle IRM configuration, as these topics describe:
Note:
In a production environment, Oracle WebCenter Content applications need to use an external Lightweight Directory Application Protocol (LDAP) authentication provider rather than the Oracle WebLogic Server embedded LDAP server, which is part of the default configuration. If you want to reassociate the identity store for Oracle IRM with an external LDAP authentication provider, it is easier to do this before you complete the configuration of the Oracle IRM Managed Server. For more information, see Section 3.9, "Reassociating the Identity Store with an External LDAP Authentication Provider."
You can set the Server URL configuration parameter to an Oracle IRM Managed Server on the General Settings page for Oracle IRM in Oracle Enterprise Manager Fusion Middleware Control.
Caution:
The Server URL value is embedded into every sealed document, and Oracle IRM Desktop uses this value to identify and connect to an Oracle IRM server to retrieve licenses. This setting must not be changed after any documents have been sealed using this server, or no one will be able to access the documents.
For a simple installation where the Managed Server is directly accessible to Oracle IRM Desktop, this value will be the URL of the Oracle IRM Managed Server. For example:
https://managedServerHost:managedServerPort/irm_desktop
To set the Server URL configuration parameter:
Start Fusion Middleware Control at the following website:
http://adminServerHost:adminServerPort/em
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myHost.example.com:7001/em
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
In the farm navigation tree on the left, expand WebCenter Content and Rights, and then click IRM.
From the IRM menu, select Administration and then General Settings.
Fusion Middleware Control displays the General Settings page.
In the Server URL field, enter the URL to access the Oracle IRM Managed Server.
For a simple installation where the Managed Server is directly accessible to Oracle IRM Desktop, this value will be the URL of the Oracle IRM Managed Server, ending in irm_desktop:
https://managedServerHost:managedServerPort/irm_desktop
The managedServerHost value is the name of the host where the Managed Server is running, such as myhost.example.com. The default SSL port for Oracle IRM (managedServerPort value) is 16101.
On the General Settings page, you can also specify other settings for Oracle IRM.
Click Apply.
The Oracle IRM Java EE application uses a cryptographic key to wrap (encrypt) and unwrap (decrypt) Oracle IRM sealed content keys stored in the database. This wrapping key, oracle.irm.wrap, must be generated and stored in a keystore before contexts can be created.
Access to the keystore requires a password, and access to the wrapping key requires an additional password. Both passwords are stored in the credential store.
To configure a keystore for Oracle IRM, you need to do the tasks described in these topics:
Due to algorithm restrictions with certain Java Cryptographic Extension (JCE) security providers, a number of different cryptographic algorithms and types of keystores are supported. You should choose the most appropriate cryptographic algorithm, key size, and keystore for the target platform. For most platforms, the Advanced Encryption Standard (AES) key wrapping algorithm should be used because it is the stronger encryption algorithm. Other platforms require an RSA key wrapping algorithm.
With the AES algorithm, the size of the wrapping key can be either 256 bits or 128 bits. To seal content using the AES 256 cryptographic schema, you should use a 256 bit wrapping key. To seal content using the AES 128 cryptographic schema, you can use a 128 bit or 256 bit wrapping key. The AES key wrap algorithm is typically faster than the RSA key wrap algorithm.
Note:
Before you can use AES with a 256-bit key size, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files need to be installed in the JRE directory of Oracle WebLogic Server. For more information about downloading the policy files, see the Java SE Downloads page on the Oracle Sun Technology Network at
http://www.oracle.com/technetwork/java/javase/downloads/index.html
The keytool command will generate a keystore, which requires a password to open. Inside the keystore, a key, oracle.irm.wrap, will be stored, and access to this key requires an additional password.
To create a keystore for Oracle IRM:
Run the setWLSEnv script to set the environment:
UNIX script:
MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh
Windows script:
MW_HOME\wlserver_10.3\server\bin\setWLSEnv.cmd
For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME/wlserver_10.3/server/lib or MW_HOME\wlserver_10.3\server\lib directory.
Setting the environment correctly results in keytool being in the user's PATH environment variable. This setting specifies the directory path to use for the keytool command in the rest of this procedure.
Run the keytool utility to generate an Oracle IRM keystore.
For AES, enter the following keytool command, on a single command line (the key size can be either 128 or 256):
keytool -genseckey -storetype JCEKS -alias oracle.irm.wrap
-keyalg AES -keysize 128 -keystore irm.jceks
When prompted by keytool, choose appropriate passwords for the keystore and the generated key.
For RSA, enter the following keytool command, on a single command line:
keytool -genkeypair -alias oracle.irm.wrap
-keyalg RSA -keysize 2048 -keystore irm.jks
When prompted by keytool for the certificate details, use the suggested default value, unknown. When prompted for passwords for the keystore and the generated key, choose appropriate values.
Copy the irm.jceks or irm.jks file to the domain's fmwconfig directory:
UNIX path:
MW_HOME/user_projects/domains/DomainHome/config/fmwconfig
Windows path:
MW_HOME\user_projects\domains\DomainHome\config\fmwconfig
The Rights Server configuration needs to be updated so that it can locate the keystore file. You can set the keystore location in the server configuration with either Fusion Middleware Control, on the Oracle IRM General Settings page, or with the WebLogic Scripting Tool (WLST) connect and setIRMKeyStore commands.
Note:
If SSL is enabled, before you use WLST to connect to the Administration Server, you must either append the following parameters to the JVM_ARGS section of the wlst.sh file or set them in the CONFIG_JVM_ARGS environment variable:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.TrustKeyStore=KeyStoreName
KeyStoreName is the name of the keystore in use (DemoTrust for the built-in demonstration certificate). The wlst.sh file is in the bin subdirectory of the common directory in the WebCenter Content Oracle home directory.
The suggested location for the keystore is in a directory under the domain home:
UNIX path:
MW_HOME/user_projects/domains/DomainHome/config/fmwconfig
Windows path:
MW_HOME\user_projects\domains\DomainHome\config\fmwconfig
Placing the keystore in this location ensures that the keystore file is backed up when the domain and corresponding credential store files are backed up.
To set the keystore location with Fusion Middleware Control:
Start Fusion Middleware Control at the following URL:
http://adminServerHost:adminServerPort/em
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myHost.example.com:7001/em
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
In the farm navigation tree on the left, expand WebCenter Content and Rights, and then click IRM.
From the IRM menu, select Administration and then General Settings.
For the keystore type, enter one of the following values:
JCEKS if you are using an AES key
JKS if you are using an RSA key-pair
In the Keystore field on the General Settings page, enter one of the following keystore paths.
Keystore path for a JCEKS keystore:
UNIX path: MW_HOME/user_projects/domains
/DomainHome/config/fmwconfig/irm.jceks
Windows path: MW_HOME\user_projects\domains
\DomainHome\config\fmwconfig\irm.jceks
Keystore path for a JKS keystore:
UNIX path: MW_HOME/user_projects/domains
/DomainHome/config/fmwconfig/irm.jks
Windows path: MW_HOME\user_projects\domains
\DomainHome\config\fmwconfig\irm.jks
On the General Settings page, you can also specify other settings for Oracle IRM.
Click Apply.
To set the keystore location with WLST commands:
Enter the following WLST commands:
UNIX operating system
WCC_ORACLE_HOME/common/bin/wlst.sh connect('username','password','t3://adminServerHost:adminServerPort') setIRMKeyStore()
Windows operating system
WCC_ORACLE_HOME\common\bin\wlst.cmd connect('username','password','t3://adminServerHost:adminServerPort') setIRMKeyStore()
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
't3://myHost.example.com:7001'
You will be prompted for the keystore type and keystore path.
For the keystore type, enter one of the following values:
JCEKS if you are using an AES key
JKS if you are using an RSA key-pair
For the keystore path, enter one of the following values.
Keystore path for an AES keystore:
UNIX path: MW_HOME/user_projects/domains
/DomainHome/config/fmwconfig/irm.jceks
Windows path: MW_HOME\user_projects\domains
\DomainHome\config\fmwconfig\irm.jceks
Keystore path for an RSA keystore:
UNIX path: MW_HOME/user_projects/domains/
DomainHome/config/fmwconfig/irm.jks
Windows path: MW_HOME\user_projects\domains
\DomainHome\config\fmwconfig\irm.jks
You must add passwords for the Oracle IRM keystore to the credential store with WLST commands. A keystore password and a password for the generated key were set when the keystore was created. These passwords are required by the Rights.
To add keystore passwords to the credential store:
For an AES keystore, enter the following WLST commands:
UNIX operating system
WCC_ORACLE_HOME/common/bin/wlst.sh connect('username','password','t3://adminServerHost:adminServerPort') createCred("IRM","keystore:irm.jceks","dummy","password") createCred("IRM","key:irm.jceks:oracle.irm.wrap","dummy","password")
Windows operating system
WCC_ORACLE_HOME\common\bin\wlst.cmd connect('username','password','t3://adminServerHost:adminServerPort') createCred("IRM","keystore:irm.jceks","dummy","password") createCred("IRM","key:irm.jceks:oracle.irm.wrap","dummy","password")
Notes:
In the connect command, substitute the correct values for username and password.
In the createCred command, substitute for password the password that was used for creating the key and keystore.
The ”dummy” parameter passed to the createCred command is the user name parameter. The keystore does not use a user name, so this value is ignored. This is why the value is set as dummy.
It is normal for the creatCred command to return the text "Already in Domain Runtime Tree". This text does not signify an error.
For an RSA keystore, enter the following WLST commands:
UNIX operating system
WCC_ORACLE_HOME/common/bin/wlst.sh connect('username','password','t3://adminServerHost:adminServerPort') createCred("IRM","keystore:irm.jks","dummy","password") createCred("IRM","key:irm.jks:oracle.irm.wrap","dummy","password")
Windows operating system
WCC_ORACLE_HOME\common\bin\wlst.cmd connect('username','password','t3://adminServerHost:adminServerPort') createCred("IRM","keystore:irm.jks","dummy","password") createCred("IRM","key:irm.jks:oracle.irm.wrap","dummy","password")
Notes:
In the connect command, substitute the correct values for username and password.
In the createCred command, substitute for password the password that was used for creating the key and keystore.
The ”dummy” parameter passed to the createCred command is the user name parameter. The keystore does not use a user name, so this value is ignored. This is why the value is set as dummy.
It is normal for the creatCred command to return the text "Already in Domain Runtime Tree". This text does not signify an error.
Oracle IRM uses the Credential Store Framework of Oracle Platform Security Services (OPSS) to retrieve passwords for the Oracle IRM keystore. There are no specific configuration steps for Oracle IRM if the credential and policy stores are reassociated with an external LDAP authentication provider, as described in Section 3.9, "Reassociating the Identity Store with an External LDAP Authentication Provider."
When the Oracle IRM Managed Server is running, the Oracle IRM application is deployed to the Oracle WebLogic Server domain. You can validate that the configuration of the Managed Server was successful by accessing this URL:
https://managedServerHost:managedServerPort/irm_desktop
For example:
https://myhost.example.com:16101/irm_desktop
Oracle IRM uses OPSS to obtain user and group details from the external LDAP authentication provider. For information about configuring the identity store, see Section 3.9, "Reassociating the Identity Store with an External LDAP Authentication Provider."
Oracle Access Manager is the recommended single sign-on (SSO) solution for Oracle WebCenter Content applications. It provides flexible and extensible authentication and authorization, as well as audit services. You can integrate Oracle IRM with Oracle Access Manager by configuring both of them for the integration.
Oracle IRM supports Basic authentication with Oracle Access Manager, which contains an authorization engine that grants or denies access to particular resources based on properties of the user requesting access as well as on the environment from which the request was made.
Oracle IRM currently has limited support for SSO through Oracle Access Manager 11g, as described in this section.
Public URIs need to be specified for Oracle Access Manager 11g:
/irm_rights
/irm_rights/.../*
Oracle IRM Desktop does not support Oracle Access Manager 11g.
You also need to protect the following URI:
/irm_rights/faces
Implementation of single sign-on (SSO) with the Oracle IRM 11g server management console will enable access to applications as expected. Input of a valid user name and password combination during the same SSO session will be recognized.
Implementation of SSO for Oracle IRM Desktop with Oracle Access Manager 10g is possible but will not enable access to multiple applications in the same session by entry of a single username and password combination. Oracle IRM Desktop users will be prompted for a user name and password even if they have already supplied a valid user name and password within the same SSO session. This level of support for SSO is provided so that users can be shown a recognizable sign-on dialog that will indicate the correct user name and password combination to be entered.
Notes:
Oracle IRM Desktop is supported only with Oracle Access Manager 10g and not with Oracle Access Manager 11g for Release 11.1.1.6.0.
For information about Oracle Access Manager 10g, see the Oracle Access Manager Access Administration Guide.
For information about configuring Windows Native Authentication (WNA), see ”Configuring Single Sign-On with Microsoft Clients” in Oracle Fusion Middleware Securing Oracle WebLogic Server.
After you install and configure Oracle Access Manager 11g, you can configure it and Oracle IRM to work together.
Note:
The following procedure should be performed only after you have installed Oracle WebCenter Content (described in Chapter 2, "Installing Oracle WebCenter Content") and configured an Oracle IRM Managed Server (described in Chapter 3, "Configuring Oracle WebCenter Content Applications"). You should also have configured and tested any required connections.
To configure Oracle IRM and Oracle Access Manager 11g to work together:
Install Oracle Access Manager 11g, as described in "Installing Oracle Identity and Access Management (11.1.1.7.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Configure Oracle Access Manager 11g, as described in "Configuring Oracle Access Manager" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Install and configure Oracle HTTP Server (OHS), as described in the Oracle Fusion Middleware Installation Guide for Oracle Web Tier.
Install and configure WebGate, as described in ”Installing and Configuring Oracle HTTP Server 11g WebGate for OAM” in Oracle Fusion Middleware Installing Webgates for Oracle Access Manager.
Append Oracle WebCenter Content URIs to forward to the mod_wl_ohs.conf file, as in the following example:
# IRM management website
<Location /irm_rights>
SetHandler weblogic-handler
WebLogicHost managedServerHost
WebLogicPort managedServerPort
</Location>
In the preceding example, managedServerHost represents the host name of the machine hosting Oracle IRM, and managedServerPort represents the port number of the Oracle WebLogic Server instance hosting Oracle IRM.
Note:
The entries in the preceding Location element are used by the web server to forward requests that match the URL pattern (for example, /irm_rights) to the Oracle IRM Managed Server.
The Location element in the next example specifies a host and port number:
<Location /irm_rights> SetHandler weblogic-handler WebLogicHost irm.example.com WebLogicPort 16100 </Location>
Log in to the Oracle Access Manager console, as described in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service, and follow the instructions in the administrator's guide to do these tasks:
Create a new Application Domain called IRM Domain.
Select IRM Domain, then Resources, and then create entries for all the Oracle IRM URLs:
/irm_rights
/irm_rights/.../*
/irm_rights/faces
/irm_rights/faces/.../*
Select IRM Domain, then Authentication Policies, and then create a Protected Policy and a Public Policy.
In the Authentication Protected Policy, add these Oracle IRM resources:
/irm_rights/faces
/irm_rights/faces/.../*
In the Authentication Public Policy, add these Oracle IRM resources:
/irm_rights
/irm_rights/.../*
Select IRM Domain, then Authorization Policies, and then create a Protected Policy and a Public Policy.
Add the same Oracle IRM protected and public resources to the Protected Policy and the Public Policy, to match the Authentication policies.
Configure the Oracle WebCenter Content domain by performing these tasks:
Add and configure the Oracle Access Manager ID Asserter.
Add and configure Oracle Internet Directory.
Add the OPSS (Oracle Access Manager) SSO provider.
For more information about these tasks, see "Deploying the Oracle Access Manager 11g SSO Solution" in the Oracle Fusion Middleware Application Security Guide.
Test the Oracle Access Manager installation.
After installing and configuring Oracle Access Manager 11g, check that you can access all of the configured applications and that the global login and logout is giving you access to all of your configured applications without prompting you to sign in again. Also test global logout, where available, and make sure you are logged out of all other related applications.
For example, if mod_wl_ohs.conf redirects /irm_rights to irm.example.com:16100 and if OHS is listening on the port oam.example.com:7778, then the IRM Rights application can be accessed through https://oam.example.com:7778/irm_rights, provided Oracle Access Manager has been set up correctly. After authentication, Oracle Access Manager will internally delegate requests to https://irm.example:16100/irm_rights.
To use Oracle RAC with an Oracle IRM instance, the Oracle IRM data source needs to be altered using the Oracle WebLogic Server Administration Console and the following procedure:
From Services, select JDBC, and then select DataSources
Select the Oracle IRM data source.
On the Transaction tab, check Supports Global Transactions, then check Emulate Two-Phase Commit.
Click Save.
This will set the global-transactions-protocol for Oracle IRM data sources for Oracle RAC to EmulateTwoPhaseCommit.