For maximum security in production environments, Oracle recommends integrating Oracle WebCenter Sites with Oracle Access Management, for an advanced identity management solution and a seamless single sign-on user experience. You also have the option of integrating WebCenter Sites with an external LDAP authentication provider directory.
The following topics describe how to configure WebCenter Sites for authentication against either external identity management solution:
This topic describes how to switch WebCenter Sites to authentication against an external LDAP authentication provider directory. This is a recommended solution for production environments if integration with Oracle Access Management is not viable.
Set the ldap.caseAware property value to true if the LDAP server you are using is case sensitive. By default, ldap.caseAware is set to false. Sign in will fail if you are using a case-sensitive LDAP server and this property is set to false. To modify the ldap.caseAware value to true, follow these steps:

1. Sign in to the WebCenter Sites Admin interface and navigate to the Admin tree tab > System Tools > Property Management option.
2. Search for ldap and change the value from False to True.
3. Restart the Managed server.

Note:
During the integration of Sites with LDAP, if the user data in LDAP contains a comma (for example: test,user), the data does not get fetched. To retrieve the data, you need to change the syntax in the dir.ini file located in the ..sites/install directory from syntax.escape=\\ to syntax.escape=\#.
Open http://sites-host:sites-port/sites-context/ldapconfig in a browser, follow the instructions on the screen, and enter the values for your environment. Now there is only manual LDAP integration: nothing is written to your LDAP server; only an LDIF file is created under the DOMAIN_HOME/wcsites/wcsites/config/ldap folder. (This is the default install location of the WebCenter Sites application. All customizations and path modifications should be made after successful LDAP integration.) The peopleparent, groupparent, username, and other fields are not prepopulated, as in the previous release.

Edit the LDIF file located in NEW_DOMAIN_HOME/wcsites/wcsites/config/ with values appropriate for your environment. Because the fields are not prepopulated, follow this example for ORACLEDIR:

```text
ldap server type -- ORACLEDIR
ldap DSN -- dc=oracle,dc=com
ldap host -- localhost
ldap port -- 389
ldap username -- cn=orcladmin
ldap password -- password
ldap peopleParent -- cn=Users,dc=oracle,dc=com
ldap groupparent -- cn=Groups,dc=oracle,dc=com
```

This produces an LDIF file, which you can import to your Oracle Internet Directory server and then create an adapter in Oracle Virtual Directory to connect to the Oracle Internet Directory server. You cannot import an LDIF file directly to an Oracle Virtual Directory LDAP server because it does not have storage of its own.

Import the LDIF file into the external LDAP authentication provider.

You can configure WebCenter Sites for authentication against Oracle Access Manager. This solution is recommended for production environments. The integration requires configuration in oamconsole and some configuration changes in Sites.

Sign in to oamconsole, for example: http://<oam_host:oam_port>/<oam console>/, and configure a WebGate. See Integrating OAM with Oracle WebCenter Sites.

Deploy the oamlogin.war and oamtoken.war application files, located under NEW_ORACLE_HOME/wcsites/webcentersites/sites-home, on the WebLogic domain containing the target WebCenter Sites instance.

Edit the wemsites_settings.properties property file under DOMAIN_HOME/wcsites/wcsites/config/. Set the properties in the wemsites_settings.properties file as follows:
Elements | Properties |
---|---|
oamredirect | http://oam_server_host:oam_port/oam/server/auth_cred_submit |
oamlogout | http://oam_server_host:oam_port/oam/server/logout |
forgotpassword | helpdesk-email-address |
Edit the NEW_DOMAIN_HOME/wcsites/wcsites/config/SSOConfig.xml file. See Step 12 of Integration Steps.
Elements | Properties |
---|---|
serviceUrl | http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST |
ticketUrl | http://{oamtoken_server_host}:{oamtoken_port}/oamtoken |
signoutURL | |
end_url | For test (staging) and production (delivery) environments: |
dbUsername | Name of the WebCenter Sites general Administrator user account. |
dbPassword | Password for the WebCenter Sites general Administrator user account. |
Note:
The ohs_server_host and ohs_port can be the WebLogic host and port or any other HTTP server host and port, depending on your configuration. For more information on OHS configuration, see Step 2 to Step 9 of Integration Steps. The example below shows the configuration in the OAM OHS mod_wl_ohs.conf file.

```apache
<IfModule weblogic_module>
  <Location /oamlogin>
    SetHandler weblogic-handler
    WebLogicHost SITES_HOST
    WebLogicPort SITES_PORT
  </Location>
</IfModule>
<IfModule weblogic_module>
  <Location /sites>
    SetHandler weblogic-handler
    WebLogicHost SITES_HOST
    WebLogicPort SITES_PORT
  </Location>
</IfModule>
```
Copy the ObAccessClient.xml and cwallet.sso files from your Oracle Access Manager instance into the NEW_DOMAIN_HOME/wcsites/wcsites/config/oblix/lib/ directory on the target WebCenter Sites instance.

Note:
These files are auto-generated after the WebGate is configured.

Edit the oamtoken.xml file in the sites-config directory by setting the compatibility mode and the oblix path. The compatibility mode should be set to 11g and the oblix path to the sites-config folder under which you have the oblix/lib folder.

Figure 13-1 List of Protected, Public, and Excluded Resources for WebCenter Sites

Before deploying the oamtoken.war application, edit the jps-config.xml file for the WebCenter Sites domain. By default, the WebLogic domain runs with this file, which is part of the WebLogic Server 12c startup script:

```text
-Doracle.security.jps.config=NEW_ORACLE_HOME/user_projects/domains/DOMAIN_NAME/config/fmwconfig/jps-config.xml
```

Add the following to the jps-config.xml file:

```xml
<serviceInstance name="credstore.oamtoken" provider="credstoressp" location="./oamtoken">
  <description>File Based Credential Store Service Instance</description>
  <property name="location" value="./oamtoken"/>
</serviceInstance>
```

Here, location is the path to the directory that contains the cwallet.sso file. The preceding example sets this path relative to the current jps-config.xml file. Make sure the oamtoken folder is created relative to the current directory and the cwallet.sso file is placed there. The location value can also be an absolute path to where the cwallet.sso file is placed.

Add <serviceInstanceRef ref="credstore.oamtoken"/> under <jpsContext name="default">.

Add a new <jpsContext> element under <jpsContexts default="default">:

```xml
<jpsContext name="OAMASDK">
  <serviceInstanceRef ref="credstore.oamtoken"/>
</jpsContext>
```

Now oamtoken.war can be used.
Grant the required credential store permission using the wlst.sh script:

```text
cd NEW_ORACLE_HOME/oracle_common/common/bin/
./wlst.sh
connect('user-name','password','sites-host:admin-port')
grantPermission(codeBaseURL="file:/scratch/idc/newoam/rend/Oracle_Home/user_projects/domains/renddomain/servers/wcsites_server1/tmp/_WL_user/oamtoken/-",
permClass="oracle.security.jps.service.credstore.CredentialAccessPermission",permTarget="context=SYSTEM,mapName=OAMAgent,keyName=*",permActions="*")
```

Deploy the oamtoken.war application.

Configure the oamticketcache cache. Open cas-cache.xml, where oamticketcache is configured by default. Add the following to the oamticketcache entry so that the section appears as:

```xml
<cacheEventListenerFactory class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"
    properties="replicateAsynchronously=true, replicatePuts=true, replicateUpdates=true, replicateUpdatesViaCopy=false, replicateRemovals=true"/>
<bootstrapCacheLoaderFactory class="net.sf.ehcache.distribution.RMIBootstrapCacheLoaderFactory"
    properties="bootstrapAsynchronously=false, maximumChunkSizeBytes=5000000" propertySeparator="," />
```

Configure cacheManagerPeerProviderFactory as follows; make sure the port is unique:

```xml
<cacheManagerPeerProviderFactory class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
    properties="peerDiscovery=automatic, multicastGroupAddress=230.0.0.8, multicastGroupPort=40002, timeToLive=1" />
```

Configure cacheManagerPeerProviderFactory and cacheManagerPeerListenerFactory as specified in the earlier steps.

To edit the SSOConfig.xml file, follow these steps:

Locate the SSOConfig.xml file of the WebCenter Sites deployment. This file controls the loaded authentication classes and the properties that are required by those classes. The SSOConfig.xml file is located in the WEB-INF/classes directory of the deployed WebCenter Sites application, for example:

```text
/u01/software/Apps/OraMiddleware/user_projects/domains/OAMSitesDomain/wcsites/wcsites/config/SSOConfig.xml
```

Edit SSOConfig.xml as follows:

Note:
Further steps explain how to set properties for the following: serviceUrl, ticketUrl, signoutURL, dbUsername, and dbPassword. See Step 5.

The signoutUrl property specifies the URL to be used when invoking WebCenter Sites logout. It includes the encoded URL to which the browser returns after all logout processing has been completed by OAM.

For the dbUsername and dbPassword properties, you can enter the credentials of the WebCenter Sites general administrator, which by default is fwadmin/xceladmin. The values for these properties will be encrypted on startup of the WebCenter Sites application.

Note:
In the code example below, you will set the following properties: csServerUrl, serviceUrl, ticketUrl, signoutURL, dbUsername, dbPassword. See Step 5.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright (c) 2010 FatWire Corporation. All Rights Reserved.
     Title, ownership rights, and intellectual property rights in and to this software remain with FatWire Corporation.
     This software is protected by international copyright laws and treaties, and may be protected by other law.
     Violation of copyright laws may result in civil liability and criminal penalties. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jdbc="http://www.springframework.org/schema/jdbc"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

  <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />

  <!-- Root Context: defines shared resources visible to all other web components -->
  <jdbc:initialize-database data-source="dataSource" enabled="true" ignore-failures="ALL">
    <!-- For the installer the first jdbc:script will be opened. The installer will configure it automatically -->
    <jdbc:script location="classpath:crawler_oracle_db.sql" />
    <!--jdbc:script location="classpath:crawler_hsql_db.sql" /-->
    <!--jdbc:script location="classpath:crawler_sql_server_db.sql" /-->
    <!--jdbc:script location="classpath:crawler_oracle_db.sql" /-->
    <!--jdbc:script location="classpath:crawler_db2_db.sql" /-->
  </jdbc:initialize-database>

  <!-- Section# 1: the installer will consume the configuration below to configure a datasource name created on the appservers -->
  <bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
    <property name="jndiName" value="wcsitesDS"/>
  </bean>

  <!-- Single Sign On provider -->
  <bean id="ssoprovider" class="com.fatwire.wem.sso.oam.OAMProvider">
    <property name="config" ref="ssoconfig" />
  </bean>

  <!-- Invoked by the OAM filter to resolve an OAM authenticated user against a remote Site CS instance. -->
  <bean id="oamIdentity" class="com.fatwire.auth.identity.RemoteUsernameResolver">
    <property name="csServerUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/custom/customCsResolver.jsp"/>
  </bean>

  <!-- Single Sign On filter -->
  <bean id="ssofilter" class="com.fatwire.wem.sso.oam.filter.OAMFilter">
    <property name="config" ref="ssoconfig" />
    <property name="provider" ref="ssoprovider" />
    <property name="identityResolver" ref="oamIdentity" />
    <!-- Set "trustConfigured" to "true" in case of a trust relationship configured between WebGate and WLS.
         It will turn off the check for the OAM_ASSERTION header. -->
    <property name="trustConfigured" value="false" />
  </bean>

  <!-- Single Sign On listener -->
  <bean id="ssolistener" class="com.fatwire.wem.sso.oam.listener.OAMListener">
  </bean>

  <!-- Single Sign On configuration -->
  <bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
    <!-- URL prefix for REST service endpoint -->
    <property name="serviceUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST" />
    <!-- URL prefix for Token Service servlet -->
    <property name="ticketUrl" value="http://{oamtoken_server_host}:{oamtoken_port}/oamtoken" />
    <!-- URL to be called when WEM logout is required. -->
    <property name="signoutUrl" value="http://{oam_server_host}:{oam_port}/oam/server/logout?end_url=http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome"/>
    <!-- Do not proxy tickets, it's the last server in the call chain -->
    <property name="proxyTickets" value="false" />
    <!-- Database credentials needed by user lookup in OAMFilter -->
    <property name="dbUsername" value="fwadmin" />
    <property name="dbPassword" value="xceladmin"/>
    <!-- Your application protected resources (relative to applicationUrl) -->
    <property name="protectedMappingIncludes">
      <list>
        <value>/__admin</value>
        <value>/__admin/**</value>
      </list>
    </property>
    <!-- Your application protected resources excludes (relative to applicationUrl) -->
    <property name="protectedMappingExcludes">
      <list>
        <value>/__admin/layout</value>
      </list>
    </property>
    <property name="applicationProxyCallbackPath" value="/sso/proxycallback" />
    <property name="gateway" value="false" />
  </bean>

  <context:component-scan base-package="com.fatwire.crawler.remote.dao" />
  <context:component-scan base-package="com.fatwire.crawler.remote.support" />
  <context:component-scan base-package="com.fatwire.crawler.remote.di" />
  <context:component-scan base-package="com.fatwire.crawler.remote.resources.support" />
</beans>
```
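As an added check for a hand-edited SSOConfig.xml (this script is not part of the Oracle documentation or the product; the sample bean file and the example.com hosts inside it are constructed), the following Python parses the Spring beans above and flags the settings that weaken the OAM integration: the default fwadmin/xceladmin credentials left in place, trustConfigured set to true (which turns off the OAM_ASSERTION header check), SSO endpoints served over plain http, and excluded paths that no protected include covers.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"b": "http://www.springframework.org/schema/beans"}

def _props(root, bean_id):
    """Map property name -> <property> element for the bean with the given id."""
    for bean in root.findall("b:bean", NS):
        if bean.get("id") == bean_id:
            return {p.get("name"): p for p in bean.findall("b:property", NS)}
    return {}

def audit_ssoconfig(xml_text):
    """Return a list of findings for an SSOConfig.xml; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    cfg, flt, findings = _props(root, "ssoconfig"), _props(root, "ssofilter"), []
    val = lambda props, name: props[name].get("value") if name in props else None
    lists = lambda name: [v.text for v in cfg[name].findall("b:list/b:value", NS)] if name in cfg else []
    # 1. the documented default administrator credentials are still in the file
    if (val(cfg, "dbUsername"), val(cfg, "dbPassword")) == ("fwadmin", "xceladmin"):
        findings.append("ssoconfig: default fwadmin/xceladmin credentials present")
    # 2. trustConfigured=true turns off the OAM_ASSERTION header check in OAMFilter
    if (val(flt, "trustConfigured") or "").lower() == "true":
        findings.append("ssofilter: trustConfigured=true disables the OAM_ASSERTION check")
    # 3. endpoints that carry tickets and the logout redirect should not be plain http
    for name in ("serviceUrl", "ticketUrl", "signoutUrl"):
        url = val(cfg, name)
        if url and urlparse(url).scheme != "https":
            findings.append(f"ssoconfig: {name} uses {urlparse(url).scheme}, not https")
    # 4. an exclude outside every protected include is dead configuration worth a second look
    inc = [p[:-3] if p.endswith("/**") else p for p in lists("protectedMappingIncludes")]
    for ex in lists("protectedMappingExcludes"):
        if not any(ex == p or ex.startswith(p + "/") for p in inc):
            findings.append(f"ssoconfig: exclude {ex} is outside every protected include")
    return findings

# Constructed sample with placeholder hosts, laid out like the document's SSOConfig.xml.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
 <bean id="ssofilter" class="com.fatwire.wem.sso.oam.filter.OAMFilter">
  <property name="trustConfigured" value="true"/>
 </bean>
 <bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
  <property name="serviceUrl" value="http://ohs.example.com:7777/sites/REST"/>
  <property name="ticketUrl" value="https://oam.example.com:8443/oamtoken"/>
  <property name="dbUsername" value="fwadmin"/>
  <property name="dbPassword" value="xceladmin"/>
  <property name="protectedMappingIncludes"><list><value>/__admin/**</value></list></property>
  <property name="protectedMappingExcludes"><list><value>/__admin/layout</value><value>/public</value></list></property>
 </bean>
</beans>"""
```

Calling audit_ssoconfig(SAMPLE) returns four findings for the constructed sample; pass the contents of your own SSOConfig.xml instead to review a real deployment.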