6
Oracle Internet Directory and Credential Management

This chapter discusses use of Oracle Internet Directory to authenticate users and the use of the Credential Manager Configuration Assistant to create credential managers. Topics include:

• Credential Managers Authenticate Users
• Using the Credential Manager Configuration Assistant

Credential Managers Authenticate Users

An Oracle Files service handles user authentication by means of a credential manager. A user's credentials prove, or "authenticate," the user to the system that user is attempting to use, in this case, any one of the many Oracle Files protocol servers. The credential manager associated with the service tells the service where and how to obtain the credential.

Services can use the native Oracle Files credential manager, which stores credential information in the Oracle Files schema. Or, services can use one or more Oracle Internet Directory (OID) instances for user authentication. Each Oracle Files service has a set of configuration properties that specify the credential managers used by that service. Only one IFS credential manager per service is allowed, but multiple OID credential managers are supported. You must add the OID credential managers to the service by using the Credential Manager Configuration Assistant, provided with Oracle Files.

Initial Configuration of Credential Managers

During configuration of Oracle Files, you selected either the IFS credential manager or Oracle Internet Directory. If you selected the IFS credential manager, an instance, "IfsCredentialManager," was created. If you chose Oracle Internet Directory, the Oracle 9iFS Configuration Assistant launched, enabling you to select an Oracle Internet Directory to be used with the credential manager. Then it created the OidCredentialManager instance.

When an OID credential manager is created during installation, it is created with these default characteristics:

• It can accept Cleartext, SMB Challenge/Response, HTTP Digest, or token credentials for authentication.
• Protocols that support Cleartext authentication (AFP, CUP, FTP, and IMAP) are required to use an Oracle Files-specific password, rather than the default Oracle Internet Directory password, for enhanced security.

Using the Credential Manager Configuration Assistant

You can use the Credential Manager Configuration Assistant to create credential managers of either type, or to delete or edit the settings for credential managers. Each service can use only one Oracle Files credential manager, but can use multiple OID credential managers, each associated with a different Oracle Internet Directory instance.

To identify and configure a specific OID instance for use with Oracle Files as an OID credential manager during configuration, Oracle Internet Directory must already be configured and running, and you must know the administrative user name and password.

The Credential Manager Configuration Assistant (ifscmca) is located in the $ORACLE_HOME/ifs/files/bin directory. To run the script, you must be logged on to the system as the user who installed and configured all other Oracle software (probably "oracle").

1. At the Welcome page, click Next to start the wizard.
2. On the Login to Oracle Files page, enter the schema name (default is IFSSYS), schema password, database host name, listener port number (typically 1521 for Oracle database server), and service name for the Oracle Files instance for which you want to manage credential managers.
3. Click Next. The Existing Credential Managers page displays.

   

   Text description of the illustration 6existcm.gif

   The page above shows that Oracle Files credential managers (IfsCredentialManagers) already exist for all three ServiceConfigurations. This means that whenever a SmallServiceConfiguration, MediumServiceConfiguration, or LargeServiceConfiguration is used to create the service at runtime, an IfsCredentialManager will also be created for the instance of the service type selected.

4. To create a new credential manager, select Create, then click Next to continue. The Create New Credential Manager page displays.

   

   Text description of the illustration 6createn.gif

5. Select the service configuration for which you want to define a credential manager.
6. From the Credential Manager Type list, select Oracle Internet Directory to define an OidCredentialManager or Internet File System to create an IfsCredentialManager.

Note: To make the newly added credential manager on a specific service configuration take effect, you must restart the nodes that use the service configuration. To use the new credential manager in Oracle Files Manager for creating new users, you must also add/register it to the Value Domain "Credential Managers."

7. Enter a name for the credential manager in the Credential Manager Name field. This name must be unique to the service configuration to which you are applying the entry, but it need not be unique across your domain.
8. Click Next to continue.
9. (OidCredentialManager Only) On the OiD Login page, enter the login information for the Oracle Internet Directory instance that you want to use for credential management.
   • Enter the hostname for the server on which Oracle Internet Directory is installed.
   • Accept the default port number for LDAP(389). Check SSL if single-signon is supported.
   • Accept the default Oracle Internet Directory super user name and password (cn=orcladmin/welcome)or change them only if appropriate.
   • Accept the default OiD root Oracle context (cn=OracleContext). Change this only if you changed the directory context in Oracle Internet Directory.

     

     Text description of the illustration 6oidlogo.gif

   See Oracle Internet Directory Administrator's Guide for complete information about Oracle Internet Directory.

10. Click Next to continue. The Supported Functions page displays.

    

    Text description of the illustration 6support.gif

11. Select checkboxes in the Supported Functions page according to your needs.
    • Do not select any functions if you use Oracle Internet Directory for other Oracle databases and applications in addition to Oracle Files.
    • Select all checkboxes if you use Oracle Internet Directory solely for Oracle Files and if you want to manage users through Oracle Files Manager (using the Users tab).

      Because Oracle Files Manager and APIs capture only a subset of the information managed by Oracle Internet Directory required for using Oracle Files, Oracle recommends that you use Oracle Internet Directory user management tools. (You can still use Oracle Files APIs to enable existing Oracle Internet Directory users for Oracle Files.) In addition, if you use Oracle Internet Directory for other Oracle databases and applications in addition to Oracle Files, you should definitely use Oracle Internet Directory management tools to manage users.

12. Click Next to continue. The Authentication Types page displays.

    

    Text description of the illustration 6authtyp.gif

13. Select the types of authentication mechanisms that you want this credential manager to support. (You can accept the default setting, which is to enable all authentication types.)
14. Click Next to continue. The Oracle Files Specific Passwords page displays.

    

    Text description of the illustration 6passwor.gif

15. Select protocols with which to associate Oracle Files-specific passwords. The protocol servers all send passwords in Cleartext, which means if one of these is intercepted it could potentially provide access to all systems controlled by OiD for that user. To provide more security, you can use an Oracle Files-specific password (rather than the default OiD password) to authenticate users of the selected protocol servers.

    If you select any protocol servers on this page, you must also create a private password for all users who will access these protocols. Otherwise, the protocol server will not work. See Oracle Collaboration Suite Installation Guide for details.

16. Click Next to continue. The Subscribers page displays.

    Oracle Internet Directory supports an application-service provider (ASP) or "hosted" model, in which multiple organizations can use the same directory service. If you are not working in such an environment, your company will be the only subscriber name listed on this page. This is the default subscriber.

    

    Text description of the illustration 6subscri.gif

17. Select the subscribers against which the credential manager should authenticate users.
18. Click Next to continue. The Summary page displays, listing the Create operation you specified.
19. Click Configure. A credential manager is created according to the specifications you entered.

    Post-configuration in Oracle Files Manager

    After you create a new credential manager using the Credential Manager Configuration Assistant, it is not immediately reflected in the Oracle Files Manager. First, you need to restart the HTTP node so its service can be initialized with the new credential manager. Second, to use this new Credential Manager for creating users, you need to register the new credential manager in the ValueDomain 'CredentialManagers'. Follow these steps:

    1. In the Oracle Files Manager, click the Advanced tab.
    2. In the side navigation bar, click Value Domains.
    3. Locate the value domain, Credential Managers, and click its name.
    4. Edit the value to contain the new credential manager you just created, and click OK.