10 Reassociating the Policy Store and Identity Store with External LDAP Stores

This chapter describes how to reassociate the policy store for the domain with Oracle Internet Directory and the identity store with an external Lightweight Directory Access Protocol (LDAP) provider. The policy store contains security artifacts, including policies and credentials. The identity store contains global user IDs (GUIDs).

This chapter includes the following sections:

  • Section 10.1, "Overview of Reassociating the Policy Store and Identity Store with External LDAP Stores"

  • Section 10.2, "Reassociating the Policy Store with Oracle Internet Directory"

  • Section 10.3, "Reassociating the Identity Store with an External LDAP Authentication Provider"

10.1 Overview of Reassociating the Policy Store and Identity Store with External LDAP Stores

Oracle Fusion Middleware allows using different types of policy stores in an Oracle WebLogic Server domain. A domain can use a store based on an XML file, which is the default policy store, or on Oracle Internet Directory or Oracle Database. For the enterprise deployment topology, a centralized LDAP store is required for policies and credentials. This chapter describes how to reassociate the policy store with Oracle Internet Directory.

For a production system, the identity store must be reassociated with an external LDAP authentication provider, which can be Oracle Internet Directory, Oracle Virtual Directory, or a third-party LDAP provider. This chapter describes how to reassociate the identity store with Oracle Internet Directory for the Oracle WebCenter Content domain.

Table 10-1 Steps for Configuring the Policy Store and Identity Store for the Domain

Step: Reassociate the policy store with Oracle Internet Directory.
Description: Configure Oracle Internet Directory to store the policies and credentials for the domain.
More Information: Section 10.2, "Reassociating the Policy Store with Oracle Internet Directory"

Step: Reassociate the identity store with Oracle Internet Directory or another external LDAP authentication provider.
Description: Configure Oracle Internet Directory, Oracle Virtual Directory, or a third-party LDAP authentication provider as the identity store for the domain. Add the weblogic_ecm administration user to use for setting up the rest of the enterprise deployment topology.
More Information: Section 10.3, "Reassociating the Identity Store with an External LDAP Authentication Provider"

10.2 Reassociating the Policy Store with Oracle Internet Directory

The following sections describe how to reassociate the policy store, which contains the policies and credentials for the domain, from the WebLogic Server default XML store to Oracle Internet Directory:

10.2.1 About Reassociating the Policy Store with Oracle Internet Directory

When a domain uses an LDAP store, all policy and credential data is kept and maintained in a centralized store. When a domain uses an XML policy store, however, the changes made on Managed Servers are not propagated to the Administration Server unless they use the same domain home. The enterprise deployment topology for Oracle WebCenter Content uses different domain homes for the Administration Server and the Managed Servers, which means that Oracle WebCenter Content requires the use of an LDAP store to contain all the policies and credentials for integrity and consistency.

By default, a WebLogic Server domain uses an XML file for the policy store. The following sections describe the steps required to change the default store to an Oracle Internet Directory LDAP store for policies and credentials.

Note:

The backend repository for the policy store and credential store must use the same kind of LDAP server. To preserve this coherence, reassociating one store implies reassociating the other one; that is, the reassociation of both the policy store and the credential store is accomplished as a unit. For more information, see Section 10.2.3, "Reassociating the Policy Store."

10.2.1.1 Policy Store Configuration

The domain policy store is the repository of system and application-specific policies. A domain has a single policy store, which holds the policies that any application deployed in the domain may use.

Reassociating the policy store consists of migrating policy data from a file-based or LDAP-based repository to an LDAP-based repository; that is, reassociation changes the repository and preserves the integrity of the data stored. For each policy in the source policy store, reassociation searches the target LDAP directory and, if it finds a match, it updates the matching policy as appropriate. If no match is found, reassociation simply migrates the policy as is.

At any time after a domain policy store has been instantiated, a file-based or LDAP-based policy store can be reassociated into an LDAP-based policy store that stores the same data. To support this, the domain must be configured, as appropriate, to use an LDAP policy store.

The following sections provide the steps to configure Oracle Internet Directory as the policy store for the Oracle WebCenter Content enterprise deployment topology. For more details about policy store configuration, see the Oracle Fusion Middleware Application Security Guide.

10.2.1.2 Credential Store Configuration

The policy store for the Oracle WebLogic Server domain includes the credential store. A credential store is a repository of security data (credentials). A credential can hold user name and password combinations, tickets, or public key certificates. Credentials are used during authentication, when principals are populated in subjects, and further, during authorization, for determining what actions a subject can perform.

The following sections provide steps to configure Oracle Internet Directory as the policy store that also holds the credential store for the Oracle WebCenter Content enterprise deployment topology. For more information about credential store configuration, see "Configuring the Credential Store" in the Oracle Fusion Middleware Application Security Guide.

10.2.2 Preparing to Use Oracle Internet Directory As the Policy Store

To ensure proper access to Oracle Internet Directory when it is used as a policy store, an Oracle Internet Directory administrator must create a node in the LDAP server directory.

To create a node in the Oracle Internet Directory server:

  1. Create an LDIF file (jpstestnode.ldif in this example), and specify the following DN and CN entries:

    dn: cn=jpsroot_ecm
    cn: jpsroot_ecm
    objectclass: top
    objectclass: OrclContainer
    

    The distinguished name of the root node (illustrated by the string jpsroot_ecm in the entries) must be distinct from any other distinguished name. Multiple WebLogic Server domains can share one root node. It is not required that this node be created at the top level, as long as read and write access to the subtree is granted to the Oracle Internet Directory administrator.

  2. Import this data into the Oracle Internet Directory server using the ldapadd command, as illustrated in the following example:

    ORACLE_HOME/bin/ldapadd -h ldap_host -p ldap_port -D cn=orcladmin -w password -c -v -f PATH/jpstestnode.ldif
    
  3. Verify that the node has been successfully inserted by using the ldapsearch command on the Oracle Internet Directory server, as illustrated in the following example:

    ORACLE_HOME/bin/ldapsearch -h ldap_host -p ldap_port -D cn=orcladmin -w password -b "cn=jpsroot_ecm" objectclass="orclContainer"
    
  4. If you are using Oracle Internet Directory as the LDAP-based policy store, run the oidstats.sql utility on the Oracle Internet Directory database host to generate database statistics for optimal database performance:

    ORACLE_HOME/bin/sqlplus
    

    Enter ODS as a user name. When prompted, enter the credentials for the ODS user. Then, in SQL*Plus, enter the command to gather the statistics info:

    @ORACLE_HOME/ldap/admin/oidstats.sql
    

    The oidstats.sql utility must be run just once after the initial provisioning.

    For more information about the oidstats.sql utility, see "Oracle Internet Directory Administration Tools" in the Oracle Fusion Middleware Reference for Oracle Identity Management.

10.2.3 Reassociating the Policy Store

To reassociate the policy store with Oracle Internet Directory, use the Oracle WebLogic Scripting Tool (WLST) reassociateSecurityStore command.

To reassociate the policy store:

  1. From WCCHOST1, start the WLST shell:

    cd ORACLE_COMMON_HOME/common/bin
    
    ./wlst.sh
    
  2. Connect to the WebLogic Server Administration Server using the following WLST connect command.

    Syntax:

    connect("admin_user","admin_password","t3://hostname:port")
    

    For example:

    connect("weblogic","password","t3://ADMINVHN:7001")
    
  3. Run the reassociateSecurityStore command, as follows:

    Syntax:

    reassociateSecurityStore(domain="domain_name",admin="cn=orcladmin",
    password="orclPassword",ldapurl="ldap://LDAP_HOST:LDAP_PORT",servertype="OID",
    jpsroot="cn=jpsroot_ecm")
    

    For example:

    wls:/domain_name/serverConfig>reassociateSecurityStore(domain="domain_name", admin="cn=orcladmin",password="password",ldapurl="ldap://oid.mycompany.com:389",servertype="OID",jpsroot="cn=jpsroot_ecm")
    

    The output for the command follows:

    Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
    For more help, use help(domainRuntime)
    
    Starting Policy Store reassociation.
    LDAP server and ServiceConfigurator setup done.
    
    Schema is seeded into LDAP server
    Data is migrated to LDAP server
    Service in the server after migration has been tested to be available
    Update of jps configuration is done
    Policy Store reassociation done.
    Starting credential Store reassociation
    LDAP server and ServiceConfigurator setup done.
    Schema is seeded into LDAP server
    Data is migrated to LDAP server
    Service in LDAP server after migration has been tested to be available
    Update of jps configuration is done
    Credential Store reassociation done
    Starting keystore reassociation
    The server and ServiceConfigurator setup done.
    Schema is seeded into the server
    Data is migrated to the server
    Service in the server after migration has been tested to be available
    Update of jps configuration is done
    keystore reassociation done
    Jps Configuration has been changed. Please restart the server.
    
  4. Restart the Administration Server after the command completes successfully, as follows:

    1. Start the Oracle WebLogic Scripting Tool (WLST):

      cd ORACLE_COMMON_HOME/common/bin
      
      ./wlst.sh
      
    2. In the WLST shell, connect to Node Manager with the nmConnect command and the Node Manager credentials (make sure Node Manager is up and running), and then start the Administration Server through Node Manager with nmStart:

      wls:/offline>nmConnect("node_admin_user","node_admin_password", "WCCHOST1","5556","domain_name","ORACLE_BASE/admin/domain_name/aserver/domain_name")
      
      wls:/nm/domain_name> nmStart("AdminServer")
      

      Notes:

      • WCCHOST1 is the address of the node where the domain was created, not the listen address of the Administration Server.

      • The values of node_admin_user and node_admin_password are the Node Manager credentials. For more information about the credentials, see Section 9.4.3, "Starting the Administration Server on WCCHOST1."

    3. Stop the Administration Server, using either the Administration Console or, as follows, the Node Manager nmKill command:

      wls:/nm/domain_name>nmKill("AdminServer")
      
    4. Start the Administration Server using nmStart:

      wls:/offline>nmConnect("node_admin_user","node_admin_password", "WCCHOST1","5556","domain_name","ORACLE_BASE/admin/domain_name/aserver/domain_name")
      
      wls:/nm/domain_name> nmStart("AdminServer")
      

10.2.4 Cataloging Oracle Internet Directory Attributes

An Oracle Internet Directory attribute used in a search filter must be indexed. Indexing is an optional procedure that improves search performance. If it has not yet been done in this Oracle Internet Directory instance, use the catalog tool to index attributes:

catalog connect="orcl" add=true attribute="orclrolescope" verbose="true"

Optionally, the attribute names can be placed in a file and processed in a batch as follows:

orclrolescope
orclassignedroles
orclApplicationCommonName
orclAppFullName
orclCSFAlias
orclCSFKey
orclCSFName
orclCSFDBUrl
orclCSFDBPort
orclCSFCredentialType
orclCSFExpiryTime
modifytimestamp
createtimestamp
orcljpsassignee

For more information on indexing Oracle Internet Directory attributes, see "Tasks and Examples for catalog" in the Oracle Fusion Middleware Reference for Oracle Identity Management.

10.3 Reassociating the Identity Store with an External LDAP Authentication Provider

The following sections describe how to reassociate the identity store from the Oracle WebLogic Server default embedded LDAP store to Oracle Internet Directory, Oracle Virtual Directory, or a third-party external LDAP authentication provider:

10.3.1 Backing Up Configuration Files

To be safe, before you create the LDAP authentication provider, you should first back up the relevant configuration files:

ORACLE_BASE/admin/domain_name/aserver/domain_name/config/config.xml
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/jps-config.xml
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/system-jazn-data.xml

Also back up the boot properties file for the Administration Server:

ORACLE_BASE/admin/domain_name/aserver/domain_name/servers/AdminServer/security/boot.properties

10.3.2 Creating the LDAP Authentication Provider

You can use the Oracle WebLogic Server Administration Console to set up the proper authenticator.

To create the LDAP authentication provider:

  1. Log in to the Administration Console.

  2. Click the Security Realms link on the left.

  3. Click the myrealm default realm entry to configure it.

  4. Open the Providers tab within the realm.

  5. Observe that there is a DefaultAuthenticator provider configured for the realm.

  6. Click Lock & Edit.

  7. Click the New button to add a new provider.

  8. Enter a name for the provider such as OIDAuthenticator for Oracle Internet Directory.

  9. Select the OracleInternetDirectoryAuthenticator type from the list of authenticators.

  10. Click OK.

  11. In the Providers screen, click the newly created Authenticator.

  12. Set the control flag to SUFFICIENT.

    This indicates that if a user can be authenticated successfully by this authenticator, then it should accept that authentication and should not continue to invoke any additional authenticators. If the authentication fails, it will fall through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flag set to SUFFICIENT; in particular, check DefaultAuthenticator and set it to SUFFICIENT.

  13. Click Save to save this setting.

  14. Open the Provider Specific tab to enter the details for the LDAP server.

  15. Enter the details specific to your LDAP server, as shown in the following table.

    Parameter: Host
    Value: For example: oid.mycompany.com
    Description: The LDAP server's host name.

    Parameter: Port
    Value: For example: 636
    Description: The LDAP server's port number.

    Parameter: Principal
    Value: For example: cn=orcladmin
    Description: The LDAP user DN used to connect to the LDAP server.

    Parameter: Credential
    Value: NA
    Description: The password used to connect to the LDAP server.

    Parameter: SSL Enabled
    Value: Checked
    Description: Specifies whether the SSL protocol is used when connecting to the LDAP server.

    Parameter: User Base DN
    Value: For example: cn=Users,dc=us,dc=mycompany,dc=com
    Description: The DN under which your users start.

    Parameter: Group Base DN
    Value: For example: cn=Groups,dc=us,dc=mycompany,dc=com
    Description: The DN that points to your Groups node.

    Parameter: Use Retrieved User Name as Principal
    Value: Checked
    Description: Must be turned on.

    Click Save when done.

  16. Click Activate Changes to propagate the changes.

10.3.3 Setting the Order of Providers

Reorder the Oracle Internet Directory Authenticator and Default Authenticator, and ensure that the control flag for each authenticator is set in the following order:

  • Oracle Internet Directory LDAP Authenticator: SUFFICIENT

  • Default Authenticator: SUFFICIENT

To set the order of providers:

  1. Log in to the WebLogic Server Administration Console, if not already logged in.

  2. Click Lock & Edit.

  3. Navigate to Security Realms, then the default realm name, and then Providers.

  4. Click Reorder and ensure that the control flags for the Oracle Internet Directory Authenticator and Default Authenticator are set as follows:

    • Oracle Internet Directory LDAP Authenticator: SUFFICIENT

    • Default Authenticator: SUFFICIENT

  5. Click Save.

  6. Click Activate Changes to propagate the changes.

  7. Restart the Administration Server, as described in step 4 in Section 10.2.3, "Reassociating the Policy Store."

    At this point in the enterprise topology setup, the Oracle WebCenter Content domain does not include any Managed Servers. If you have configured any Managed Servers in the domain, you also need to restart them. Stop them before you restart the Administration Server, and then start them after you restart it.
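The control-flag rules behind step 12 of Section 10.3.2 and the provider order above (a SUFFICIENT provider ends the chain when it succeeds and falls through when it fails) are the JAAS LoginContext semantics that WebLogic applies to its authentication providers. The following Python model is an added example, not part of this guide or of any Oracle tool: it walks a provider chain under those rules and reports both the outcome and which providers were consulted. The provider names OIDAuthenticator and DefaultAuthenticator come from the procedure; the sample users and their passwords are constructed placeholders. It contrasts the recommended order and flags with a realm in which DefaultAuthenticator is still first and still REQUIRED (its out-of-the-box flag), where weblogic_ecm, who exists only in Oracle Internet Directory, cannot log in at all.

```python
from enum import Enum


class Flag(Enum):
    """JAAS control flags as exposed by WebLogic authentication providers."""
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


# Constructed sample identity stores (placeholder credentials, not real ones).
# The OID store holds the new LDAP administrator; the embedded LDAP behind
# DefaultAuthenticator still holds only the original bootstrap administrator.
OID_USERS = {"weblogic_ecm": "oid-placeholder"}
EMBEDDED_USERS = {"weblogic": "embedded-placeholder"}


def provider(name, users, flag):
    """Stand-in for one authentication provider: (name, login function, control flag)."""
    return name, (lambda user, pwd: users.get(user) == pwd), flag


def authenticate(chain, user, pwd):
    """Run the provider chain in order, applying JAAS control-flag semantics.

    Returns (success, names_of_providers_invoked) so the caller sees both the
    outcome and how far down the chain evaluation went.
    """
    invoked = []
    has_required = False      # chain contains a REQUIRED or REQUISITE provider
    required_failed = False   # a REQUIRED provider has already failed
    optional_ok = False       # some OPTIONAL provider succeeded
    for name, login, flag in chain:
        invoked.append(name)
        ok = login(user, pwd)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            has_required = True
            if not ok:
                if flag is Flag.REQUISITE:
                    return False, invoked        # REQUISITE failure ends evaluation at once
                required_failed = True           # REQUIRED failure: continue, outcome is fixed
        elif flag is Flag.SUFFICIENT:
            if ok and not required_failed:
                return True, invoked             # success: later providers are not consulted
            # on failure, fall through to the next provider in the chain
        else:
            optional_ok = optional_ok or ok
    if has_required:
        return not required_failed, invoked
    return optional_ok, invoked


# Order and flags recommended in Sections 10.3.2 and 10.3.3.
RECOMMENDED = [
    provider("OIDAuthenticator", OID_USERS, Flag.SUFFICIENT),
    provider("DefaultAuthenticator", EMBEDDED_USERS, Flag.SUFFICIENT),
]

# Realm with the new provider appended but not reordered or reflagged:
# DefaultAuthenticator is still first and still REQUIRED.
UNTOUCHED_DEFAULT = [
    provider("DefaultAuthenticator", EMBEDDED_USERS, Flag.REQUIRED),
    provider("OIDAuthenticator", OID_USERS, Flag.SUFFICIENT),
]


if __name__ == "__main__":
    for label, chain in (("recommended", RECOMMENDED), ("untouched default", UNTOUCHED_DEFAULT)):
        for user, pwd in (("weblogic_ecm", "oid-placeholder"), ("weblogic", "embedded-placeholder")):
            ok, path = authenticate(chain, user, pwd)
            print(f"{label:18} {user:13} -> {'OK  ' if ok else 'FAIL'} via {' > '.join(path)}")
```

With the recommended configuration, weblogic_ecm is accepted by OIDAuthenticator alone and the embedded weblogic user still works by falling through to DefaultAuthenticator, which is what keeps a way into the console if the directory is unreachable. In the untouched realm, the REQUIRED DefaultAuthenticator fails for weblogic_ecm and fixes the outcome before OIDAuthenticator is ever consulted, which is why both the order and the flags are set before the administrator is moved to LDAP in Section 10.3.4.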

10.3.4 Moving the WebLogic Server Administrator to the LDAP Identity Store

This section provides details for provisioning a new administrator user and group for managing the Oracle WebCenter Content WebLogic Server domain in the enterprise deployment topology. This section describes the following tasks:

  • Section 10.3.4.1, "Provisioning Administrator Users and Groups in an LDAP Directory"

  • Section 10.3.4.2, "Assigning the Admin Role to the Admin Group"

  • Section 10.3.4.3, "Updating the boot.properties File and Restarting the System"

10.3.4.1 Provisioning Administrator Users and Groups in an LDAP Directory

As mentioned in the introduction to this section, users and groups from multiple WebLogic Server domains may be provisioned in a central LDAP user store. In such a case, there is a possibility that one WebLogic Server administration user may have access to all the domains within an enterprise. This is not a desirable situation. To avoid this, the users and groups provisioned must have a unique distinguished name within the directory tree. After setting up and testing the entire enterprise deployment topology, you might want to set up a different system administrator with appropriate roles for each application.

For setting up the Oracle WebCenter Content WebLogic Server domain, provision a new system administrator named weblogic_ecm in the LDAP identity store with the following DNs:

  • Admin User DN:

    cn=weblogic_ecm,cn=Users,dc=us,dc=mycompany,dc=com
    
  • Admin Group DN:

    cn=ECM Administrators,cn=Groups,dc=us,dc=mycompany,dc=com
    

To provision the administration user and administration group in Oracle Internet Directory:

  1. Create an LDIF file named admin_user.ldif with the following contents, and then save the file:

    dn: cn=weblogic_ecm, cn=Users, dc=us, dc=mycompany, dc=com
    orclsamaccountname: weblogic_ecm
    givenname: weblogic_ecm
    sn: weblogic_ecm
    userpassword: password
    mail: weblogic_ecm
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    uid: weblogic_ecm
    cn: weblogic_ecm
    description: Admin User for the Oracle WebCenter Content Domain
    
  2. Run the ldapadd command, located under the ORACLE_HOME/bin/ directory on the Oracle Internet Directory host, to provision the user in Oracle Internet Directory.

    Note:

    The Oracle home used here is the Oracle home for the Oracle Identity Management installation where Oracle Internet Directory resides.

    For example:

    ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D "cn=orcladmin" -w password -c -v -f PATH/admin_user.ldif
    
  3. Create an LDIF file named admin_group.ldif with the following contents, and then save the file:

    dn: cn=ECM Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
    displayname: ECM Administrators
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: orclGroup
    uniquemember: cn=weblogic_ecm, cn=Users, dc=us, dc=mycompany, dc=com
    cn: ECM Administrators
    description: Administrators Group for the Oracle WebCenter Content Domain
    
  4. Run the ldapadd command, located under the ORACLE_HOME/bin/ directory on the Oracle Internet Directory host, to provision the group in Oracle Internet Directory:

    ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D "cn=orcladmin" -w password -c -v -f PATH/admin_group.ldif
    
  5. Create an LDIF file named administrators_group.ldif with the following contents, and then save the file:

    dn: cn=Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
    displayname: Default WLS Administrators
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: orclGroup
    cn: Administrators
    description: WL Administrators Group
    

    Note:

    Create the Administrators group only if it does not exist in Oracle Internet Directory.

  6. Run the ldapadd command, located under the ORACLE_HOME/bin/ directory on the Oracle Internet Directory host, to provision the Administrators group in Oracle Internet Directory:

    ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D "cn=orcladmin" -w password -c -v -f PATH/administrators_group.ldif
    
  7. Create an LDIF file named modify_administrators_group.ldif with the following contents, and then save the file:

    dn: cn=Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
    changetype: modify
    add: uniqueMember
    uniqueMember: cn=ECM Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
    
  8. Run the ldapmodify command, located under the ORACLE_HOME/bin/ directory on the Oracle Internet Directory host, to modify the Administrators group in Oracle Internet Directory:

    ORACLE_HOME/bin/ldapmodify -h oid.mycompany.com -p 389 -D "cn=orcladmin" -w password -c -v -f PATH/modify_administrators_group.ldif
    
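Before the LDIF files above are handed to ldapadd and ldapmodify, it is worth checking them offline: a folded uniqueMember value whose continuation line has lost its leading space is silently wrong, and a member DN that does not match the user or group actually being created leaves the group empty. The following Python reader is an added example, not part of this guide or of Oracle Internet Directory's tooling. It parses LDIF content and change records, unfolds continuation lines, flags uniquemember DNs that no record in the same set defines, and lists entries whose userpassword is still in cleartext. The sample LDIF and its placeholder password are constructed to mirror the entries above.

```python
import base64

# Constructed sample LDIF mirroring the entries of Section 10.3.4.1 (placeholder
# password, no real data). The last record folds its uniqueMember value across
# two lines: an LDIF continuation line begins with exactly one space.
SAMPLE_LDIF = """\
dn: cn=weblogic_ecm, cn=Users, dc=us, dc=mycompany, dc=com
objectclass: inetorgperson
uid: weblogic_ecm
cn: weblogic_ecm
sn: weblogic_ecm
userpassword: PLACEHOLDER_PASSWORD

dn: cn=ECM Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
objectclass: groupOfUniqueNames
cn: ECM Administrators
uniquemember: cn=weblogic_ecm, cn=Users, dc=us, dc=mycompany, dc=com

dn: cn=Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
changetype: modify
add: uniqueMember
uniqueMember: cn=ECM Administrators, cn=Groups, dc=us,
 dc=mycompany, dc=com
"""

# The same file with the fold broken: the continuation line has lost its
# leading space and is no longer part of the uniqueMember value.
BROKEN_FOLD_LDIF = SAMPLE_LDIF.replace("\n dc=mycompany, dc=com", "\ndc=mycompany, dc=com")


def unfold(text):
    """Drop comment lines and join continuation lines onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            lines.append("")                     # blank line: record separator
        elif raw.startswith(" ") and lines and lines[-1] != "":
            lines[-1] += raw[1:]                 # continuation: strip the one leading space
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into [{'dn': str, 'attrs': {name: [values]}}, ...].

    Attribute names are lower-cased because LDAP treats them case-insensitively.
    A line without ':' (typically a mis-folded value) raises ValueError instead
    of being dropped silently.
    """
    entries, current = [], None
    for line in unfold(text):
        if line == "-":                          # change separator inside a modify record
            continue
        if line == "":
            if current:
                entries.append(current)
                current = None
            continue
        if ":" not in line:
            raise ValueError(f"malformed LDIF line (no ':'): {line!r}")
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):                # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            if current:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute before first dn: {line!r}")
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def is_well_formed(text):
    """True if the LDIF parses; False on a malformed line such as a broken fold."""
    try:
        parse_ldif(text)
        return True
    except ValueError:
        return False


def normalize_dn(dn):
    """Simplified DN normalisation for comparison: case-folded, no whitespace
    around RDN separators (escaped commas are not handled; enough for these files)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dangling_members(entries):
    """(group_dn, member_dn) pairs whose uniquemember DN matches no record in the set."""
    known = {normalize_dn(e["dn"]) for e in entries}
    return [(e["dn"], m) for e in entries
            for m in e["attrs"].get("uniquemember", [])
            if normalize_dn(m) not in known]


def cleartext_password_dns(entries):
    """DNs whose userpassword has no '{scheme}' prefix, i.e. is cleartext in the
    file: such files need restrictive permissions and deletion once imported."""
    return [e["dn"] for e in entries
            for v in e["attrs"].get("userpassword", [])
            if not v.startswith("{")]


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print(len(recs), "records; dangling members:", dangling_members(recs))
    print("cleartext passwords in:", cleartext_password_dns(recs))
    print("broken fold accepted?", is_well_formed(BROKEN_FOLD_LDIF))
```

Run against the three files of the procedure, a non-empty dangling list means a group will be created without the member it was meant to carry, and the cleartext list is a reminder that admin_user.ldif holds the administrator's password until it is removed.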

10.3.4.2 Assigning the Admin Role to the Admin Group

After adding the users and groups to Oracle Internet Directory, the group must be assigned the Admin role within the WebLogic Server domain security realm. This enables all users that belong to the group to be administrators for that domain.

To assign the Admin role to the Admin group:

  1. Log in to the WebLogic Administration Server Console.

  2. In the navigation tree on the left, click Security Realms.

  3. On the Summary of Security Realms page, click myrealm under the Realms table.

  4. On the Settings page for myrealm, open the Roles & Policies tab.

  5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to bring up the Global Roles page.

  6. On the Global Roles page, click the Admin role to bring up the Edit Global Role page:

    1. On the Edit Global Role page, under the Role Conditions table, click the Add Conditions button.

    2. On the Choose a Predicate page, select Group from the drop-down list for predicates and click Next.

    3. On the Edit Arguments page, specify ECM Administrators in the Group Argument field and click Add.

  7. Click Finish to return to the Edit Global Role page.

  8. The Role Conditions table now shows the ECM Administrators Group as an entry.

  9. Click Save to finish adding the Admin Role to the ECM Administrators Group.

  10. Validate that the changes were successful by bringing up the Administration Console using a web browser. Log in using the credentials for the weblogic_ecm user.

Note:

Each Oracle application in the Oracle WebCenter Content enterprise deployment topology may have its own predefined roles and groups defined for administration and monitoring purposes. By default, the Administrators group will allow these operations. However, this group may be too broad. For example, it may be undesirable that Oracle SOA Suite administrators are also administrators for the WebLogic Server domain where Oracle WebCenter Content applications are running. This is why it may be desirable, as suggested in this section, to create a more specific group such as ECM Administrators. For the various applications to allow the ECM Administrators group to administer the different systems, you need to add the required roles to that group. For example, for SOA Worklistapp's administration, add the SOAAdmin role. Refer to each component's specific roles for the required roles in each case.

10.3.4.3 Updating the boot.properties File and Restarting the System

The boot.properties file for the Administration Server should be updated with weblogic_ecm, the WebLogic Server administration user created in Oracle Internet Directory.

To update the boot.properties file:

  1. On WCCHOST1, go to the following directory:

    cd ORACLE_BASE/admin/domain_name/aserver/domain_name/servers/AdminServer/security
    
  2. Rename the existing boot.properties file:

    mv boot.properties boot.properties.backup
    
  3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

    username=weblogic_ecm
    password=password
    
  4. Save the file.

  5. Restart the Administration Server, as described in step 4 in Section 10.2.3, "Reassociating the Policy Store."