Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2) Part No. B14013-01
This chapter discusses configuring the LDAP-based provider. It contains the following sections:
Some LDAP properties affect the entire OC4J instance; these properties are discussed in "Specifying Bootstrap OracleAS JAAS Provider Settings".
You normally associate OC4J with infrastructure at the time of installation. However, you can also associate OC4J with infrastructure using Oracle Enterprise Manager 10g Application Server Control Console. See the Oracle Enterprise Manager 10g help screen "Application Server - Infrastructure Page".
When you associate an OC4J instance with an Oracle Application Server Infrastructure (including the Oracle Internet Directory), your application can leverage the LDAP-based provider for central management of users.
If you specify the LDAP-based provider globally in the application.xml configuration file, then you must set up certain users, groups, and permissions in Oracle Delegated Administration Services, and then grant these users and groups the appropriate permissions.
You can set up the appropriate groups and users by using the tool oracle.security.jazn.util.LoadOidData, which is part of the jazncore library supplied in J2EE_HOME. You run the tool with the command line:
java -cp ./jazncore.jar oracle.security.jazn.util.LoadOidData
The syntax for this tool is:
LoadOidData [-h ldaphost] [-p ldapport] [-D binddn] [-w passwd] [-f filename] [-oc4jAdminPwd passwd] [-ignoreError [true|false]]
The supported options are:
-h ldaphost — The LDAP hostname
-p ldapport — The port of the LDAP server
-D binddn — The distinguished name for the Oracle Internet Directory administrator
-w password — The password for the Oracle Internet Directory administrator
-f filename — The file containing the entries to be loaded; this should always be J2EE_HOME/jazn/install/oidConfigForOc4j.sbs
-oc4jAdminPwd password — The password that will be assigned to the OC4J administrator
-ignoreError boolean — If set to false, the default, the tool stops as soon as it encounters an error; if set to true, the tool continues after reporting the error.
For example, assume the password for the Oracle database administrator is welcome1 and the password for the OC4J admin user is welcome2. The command line would be:
java -cp $J2EE_HOME/jazncore.jar oracle.security.jazn.util.LoadOidData -h oidhost -p oidport -D cn=orcladmin -w welcome1 -f $J2EE_HOME/jazn/install/oidConfigForOc4j.sbs -oc4jAdminPwd welcome2
After you run this tool, your default Oracle Identity Management realm will contain the following:
An administrators group
An admin user that is a member of the administrators group
The administrators group will have the following permissions:
com.evermind.server.AdministrationPermission("administration")
com.evermind.server.rmi.RMIPermission("login")
Finally, you must set the ldap.user property to admin and the ldap.password property to the admin password; see "Configuring LDAP SSL Properties" for instructions.
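The LoadOidData run above passes both administrator passwords as plain command-line arguments, where they are visible in process listings and shell history. The following wrapper is an added example, not part of the Oracle guide or the jazncore library: it reads the two passwords from files that must be mode 0600, checks the .sbs file is readable, logs only a redacted copy of the command, and then runs the tool with the secrets passed as quoted arguments. OID_HOST, OID_PORT, OID_PW_FILE and OC4J_PW_FILE are assumed variable names; J2EE_HOME is the guide's own.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): a safer wrapper for LoadOidData.
# Assumed: OID_HOST, OID_PORT, OID_PW_FILE, OC4J_PW_FILE; J2EE_HOME as in the guide.

# Mask the values that follow -w and -oc4jAdminPwd so a command can be logged.
redact_cmd() {
    printf '%s\n' "$1" | sed -e 's/ -w [^ ]*/ -w ****/' -e 's/ -oc4jAdminPwd [^ ]*/ -oc4jAdminPwd ****/'
}

# Print the password stored in the first line of a file, refusing files that
# are not mode 0600 (GNU stat first, BSD stat as the fallback).
read_secret() {
    f="$1"
    [ -f "$f" ] || { echo "missing secret file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "refusing $f: mode $mode, want 600" >&2; return 1; }
    head -n 1 "$f"
}

# Check the inputs, log the redacted command, then run the tool with the real
# values passed as quoted arguments (no eval, no echo of the secrets).
run_loadoid() {
    j2ee="${J2EE_HOME:?set J2EE_HOME}"
    sbs="$j2ee/jazn/install/oidConfigForOc4j.sbs"
    [ -r "$sbs" ] || { echo "cannot read $sbs" >&2; return 1; }
    oidpw=$(read_secret "${OID_PW_FILE:-/root/.oid_admin_pw}") || return 1     # assumed path
    oc4jpw=$(read_secret "${OC4J_PW_FILE:-/root/.oc4j_admin_pw}") || return 1  # assumed path
    host="${OID_HOST:-oidhost}"; port="${OID_PORT:-389}"
    cmd="java -cp $j2ee/jazncore.jar oracle.security.jazn.util.LoadOidData -h $host -p $port -D cn=orcladmin -w $oidpw -f $sbs -oc4jAdminPwd $oc4jpw"
    echo "running: $(redact_cmd "$cmd")"
    java -cp "$j2ee/jazncore.jar" oracle.security.jazn.util.LoadOidData \
        -h "$host" -p "$port" -D cn=orcladmin -w "$oidpw" -f "$sbs" -oc4jAdminPwd "$oc4jpw"
}
```

Call run_loadoid from a shell where J2EE_HOME is exported; the redacted line is the only form of the command that should ever reach a log or ticket.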
Before beginning development, you must ensure that the operating-system-specific environment variable controlling loading of dynamic libraries (for example, LD_LIBRARY_PATH in Solaris) is set appropriately. See Table 2-5 for details.
When you manage OC4J with Oracle Enterprise Manager, it sets this variable automatically.
To create users and groups when using the LDAP-based provider, you use the Oracle Delegated Administration Services tools. For details, see Oracle Identity Management Guide to Delegated Administration.