Oracle® Communication and Mobility Server Administrator Guide
Release 10.1.3

Part Number B31497-01

B Configuring Oracle Internet Directory as the User Repository

This appendix describes, in the following sections, how to configure Oracle Internet Directory (OID), the LDAP data store used by Oracle WebCenter Suite, as the user provisioning repository for an OCMS deployment:

Overview of Configuration for OID Support

For OCMS to provide authentication and authorization services for users provisioned to OID, the following configuration is required for both OCMS and OID:

Prerequisites for OID Support

Using the OID data store requires the following:

  • A properly installed and configured instance of OCMS.

  • An instance of OID, Version 10.1.4.0.1.

  • You must enable reversible password encryption for the LDAP realms employed for user authentication by selecting Userpassword Reversible Encryption. For more information, see Oracle Internet Directory Administrator's Guide.

Note:

OID is only supported for standalone OCMS deployments and OCMS deployments on Version 10.1.3.2 or higher of Oracle Application Server. OCMS does not support OID on. See Oracle Communication and Mobility Server Installation Guide for further hardware and software requirements and installation options.

Configuring the OID LDAP Backend

In addition to configuring reversible password encryption (described in "Prerequisites for OID Support"), you must also configure the following OID LDAP attributes for the OID LDAP backend:

Mapping JAAS Usernames to LDAP User Entries

JAAS (Java Authentication and Authorization Service) user names are mapped to LDAP Users based on the value of the orclcommonnicknameattribute under the node cn=Common, cn=Products, cn=OracleContext for each of the provisioned LDAP realms. For example, setting this attribute to uid for a given realm implies that SIP or Web users authenticating against OID must provide their corresponding LDAP UID as their username during authentication.

Mapping JAAS Realms to LDAP Subscribers

JAAS realms are mapped to LDAP Realm entries based on the value given to orclsubscribernicknameattribute under the root cn=Common, cn=Products, cn=OracleContext node for an OID deployment. For example, setting the value of orclsubscribernicknameattribute to o for an OID deployment implies that SIP or Web users authenticating against OID must belong to the JAAS realm identified by the value of the o attribute. As a result, user sip.user@company.com is challenged under the realm, company. The mapping of SIP domains to JAAS realms is exposed through the SipServletContainer's DomainsAndRealms attribute. In this example, the SIP domain, company.com, is mapped to the JAAS realm, company. The JAAS realm, company, is then mapped to the LDAP Subscriber for whom the value for the attribute in orclsubscribernicknameattribute (that is, the o attribute) is set to company. See also "SIP Servlet Container".

Mapping JAAS Roles to LDAP Groups

Group membership determines the JAAS roles for a specific user. Mapping LDAP groups to JAAS roles is based on the value given to orclcommonnamingattribute under the node cn=Common, cn=Products, cn=OracleContext for each of the provisioned LDAP Realms. For example, if a user belongs to an LDAP group with the distinguished name of cn=Location Service, cn=groups, dc=us, dc=com and the orclcommonnamingattribute is set to cn, then that JAAS user is populated with the "Location Service" JAAS role.
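The three mappings just described (username to LDAP user, JAAS realm to LDAP subscriber, JAAS roles to LDAP groups) walked through in code. This is an added illustration, not OCMS or OID code; the directory entries, the second subscriber "other" and the DomainsAndRealms table are constructed, and DN matching is simplified to a string comparison (a real implementation normalizes DNs and attribute-name case).

```python
"""Resolve a SIP address to its LDAP user, JAAS realm and JAAS roles using the
OID attributes the appendix describes. All directory content is constructed."""

OID = {"orclsubscribernicknameattribute": "o",  # root cn=OracleContext
       "orclcommonnicknameattribute": "uid",    # per realm
       "orclcommonnamingattribute": "cn"}       # per realm
# SipServletContainer DomainsAndRealms: SIP domain -> JAAS realm (constructed)
DOMAINS_AND_REALMS = {"company.com": "company", "other.com": "other"}

SUBSCRIBERS = [
    {"dn": "o=company,cn=Subscribers,dc=us,dc=com", "o": "company"},
    {"dn": "o=other,cn=Subscribers,dc=us,dc=com", "o": "other"},
]
USERS = [  # the same uid exists under two subscribers: lookups must be realm-scoped
    {"dn": "cn=Sip User,cn=Users,o=company,cn=Subscribers,dc=us,dc=com", "uid": "sip.user"},
    {"dn": "cn=Sip User,cn=Users,o=other,cn=Subscribers,dc=us,dc=com", "uid": "sip.user"},
]
GROUPS = [
    {"dn": "cn=Location Service,cn=groups,dc=us,dc=com", "cn": "Location Service",
     "uniquemember": ["cn=Sip User,cn=Users,o=company,cn=Subscribers,dc=us,dc=com"]},
]


def resolve(sip_address):
    """Return {'realm', 'dn', 'roles'} for a SIP address, or None if any mapping fails."""
    username, _, domain = sip_address.rpartition("@")
    realm = DOMAINS_AND_REALMS.get(domain)          # SIP domain -> JAAS realm
    if realm is None:
        return None
    sub_attr = OID["orclsubscribernicknameattribute"]
    subscriber = next((s for s in SUBSCRIBERS if s.get(sub_attr) == realm), None)
    if subscriber is None:                          # realm -> LDAP subscriber
        return None
    nick = OID["orclcommonnicknameattribute"]
    # username -> LDAP user, restricted to entries below the subscriber's DN
    user = next((u for u in USERS if u.get(nick) == username
                 and u["dn"].endswith("," + subscriber["dn"])), None)
    if user is None:
        return None
    naming = OID["orclcommonnamingattribute"]
    # group membership -> JAAS roles, named by the group's naming attribute
    roles = sorted(g[naming] for g in GROUPS if user["dn"] in g["uniquemember"])
    return {"realm": realm, "dn": user["dn"], "roles": roles}
```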

Repackaging Subscriber Data Services

Configuring OCMS to support OID requires that Subscriber Data Services (subscriberdataservices.ear) and its child applications be undeployed from the OCMS OC4J instance. Before the application and its child applications can be re-deployed, the user service and security service EJB configuration must be altered by adding the following LDAP configuration parameters to the ejb-jar.xml files for securityservice.jar and userservice.jar:

The user service EJB configuration also exposes the SipUriLdapAttribute, which defines the LDAP user attribute where the SIP URI is stored. This attribute defaults to mail if no value is defined.

Configuring User Service and Security Service

To configure the Subscriber Data Services application with OID as the user provisioning store:

  1. Copy the EAR file of the Subscriber Data Services application (subscriberdataservices.ear) as well as its child applications to a temporary directory.

  2. Undeploy the Subscriber Data Services application and its child applications from the OC4J instance. See "Deploying, Undeploying, and Redeploying SIP Servlet Applications with Application Server Control".

  3. Expand the Subscriber Data Services application in the temporary directory.

  4. Expand securityservice.jar

  5. Edit ejb-jar.xml (located under META-INF) by replacing the following entry with the entry listed in Example B-1 that includes the java.naming.security.principal, java.naming.provider.url, and the java.naming.security.protocol parameters.

    <env-entry>
       <description><![CDATA[Datasource for Service activation facades]]></description>
       <env-entry-name>SecurityServiceDSN</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[java:jdbc/OcmsSsDs]]></env-entry-value>
    </env-entry>
    <env-entry>
       <env-entry-name>SecurityDAOImpl</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[com.hotsip.securityservice.dao.timesten.SecurityDAOImpl]]></env-entry-value>
    </env-entry>

    Example B-1 ejb-jar.xml Entries

    <env-entry>
       <description><![CDATA[LDAP Admin User]]></description>
       <env-entry-name>java.naming.security.principal</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com]]></env-entry-value>
    </env-entry>
    <env-entry>
       <description><![CDATA[LDAP Admin User Credentials]]></description>
       <env-entry-name>java.naming.security.credentials</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[!welcome1]]></env-entry-value>
    </env-entry>
    <env-entry>
       <description><![CDATA[LDAP Provider URL]]></description>
       <env-entry-name>java.naming.provider.url</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[ldap://ldapusers.company.com:636]]></env-entry-value>
    </env-entry>
    <env-entry>
       <description><![CDATA[Security Protocol (e.g. ssl)]]></description>
       <env-entry-name>java.naming.security.protocol</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[ssl]]></env-entry-value>
    </env-entry>
    <env-entry>
       <env-entry-name>SecurityDAOImpl</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[com.hotsip.securityservice.dao.ldap.SecurityDAOImpl]]></env-entry-value>
    </env-entry>

    Note:

    The java.naming.security.principal, java.naming.security.credentials and java.naming.provider.url environment entries must be updated with the LDAP server's configuration. In addition, the optional entry, java.naming.security.protocol, must be set to "ssl" for SSL-based connections to the OID LDAP server.

  6. Repackage securityservice.jar.

  7. Expand the userservice.jar.

  8. Edit the ejb-jar.xml under META-INF by replacing the following entry with the entry described in Example B-2 that includes the java.naming.security.principal, java.naming.provider.url, java.naming.security.protocol, and SipUriLdapAttribute parameters.

    <env-entry>
       <description><![CDATA[Datasource for Service activation facades]]></description>
       <env-entry-name>UserServiceDSN</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[java:jdbc/OcmsUsDs]]></env-entry-value>
    </env-entry>
    <env-entry>
       <env-entry-name>UserDAOImpl</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[oracle.sdp.userservice.dao.timesten.UserDAOImpl]]></env-entry-value>
    </env-entry>
    <env-entry>
       <env-entry-name>StoreHashedCredentials</env-entry-name>
       <env-entry-type>java.lang.Boolean</env-entry-type>
       <env-entry-value><![CDATA[True]]></env-entry-value>
    </env-entry>

    Example B-2 userservice.jar Entries

    <env-entry>
       <description><![CDATA[LDAP Admin User]]></description>
       <env-entry-name>java.naming.security.principal</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com]]></env-entry-value>
    </env-entry>
    <env-entry>
       <description><![CDATA[LDAP Admin User Credentials]]></description>
       <env-entry-name>java.naming.security.credentials</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[welcome1]]></env-entry-value>
    </env-entry>
    <env-entry>
       <description><![CDATA[LDAP Provider URL]]></description>
       <env-entry-name>java.naming.provider.url</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[ldap://ldapusers.company.com:636]]></env-entry-value>
    </env-entry>
    <env-entry>
       <description><![CDATA[The LDAP user attribute containing the user's SIP URI.]]></description>
       <env-entry-name>SipUriLdapAttribute</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[mail]]></env-entry-value>
    </env-entry>
    <env-entry>
       <description><![CDATA[Security Protocol (e.g. ssl)]]></description>
       <env-entry-name>java.naming.security.protocol</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[ssl]]></env-entry-value>
    </env-entry>
    <env-entry>
       <env-entry-name>UserDAOImpl</env-entry-name>
       <env-entry-type>java.lang.String</env-entry-type>
       <env-entry-value><![CDATA[oracle.sdp.userservice.dao.ldap.UserDAOImpl]]></env-entry-value>
    </env-entry>

    Note:

    The java.naming.security.principal, java.naming.security.credentials and java.naming.provider.url environment entries must be updated with the LDAP server's configuration. In addition, the optional entry, java.naming.security.protocol, must be set to "ssl" for SSL-based connections to the OID LDAP server. The userservice exposes an optional environment parameter, SipUriLdapAttribute. The value set for this entry is the LDAP user attribute where the SIP URI is stored. If no value is set for this entry, then the attribute defaults to mail.

  9. Repackage userservice.jar.

  10. Repackage the EAR file for Subscriber Data Services.

  11. Redeploy the repackaged Subscriber Data Services application and its child applications to the OCMS OC4J instance.
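The ejb-jar.xml edit of step 8 done programmatically, plus the check the Note calls for (that java.naming.security.protocol is actually "ssl" when the provider URL targets an SSL port). This is an added example, not part of the product or the guide; SAMPLE_EJB_JAR is a constructed minimal file that carries only the three TimesTen entries shown above, and the credentials value is a placeholder rather than a real password.

```python
"""Replace the user service's TimesTen env-entries with the LDAP entries of
Example B-2 and verify the result. SAMPLE_EJB_JAR is a constructed fragment."""
import xml.etree.ElementTree as ET

SAMPLE_EJB_JAR = """<ejb-jar><enterprise-beans><session><ejb-name>UserService</ejb-name>
<env-entry><env-entry-name>UserServiceDSN</env-entry-name><env-entry-type>java.lang.String</env-entry-type>
<env-entry-value><![CDATA[java:jdbc/OcmsUsDs]]></env-entry-value></env-entry>
<env-entry><env-entry-name>UserDAOImpl</env-entry-name><env-entry-type>java.lang.String</env-entry-type>
<env-entry-value><![CDATA[oracle.sdp.userservice.dao.timesten.UserDAOImpl]]></env-entry-value></env-entry>
<env-entry><env-entry-name>StoreHashedCredentials</env-entry-name><env-entry-type>java.lang.Boolean</env-entry-type>
<env-entry-value><![CDATA[True]]></env-entry-value></env-entry>
</session></enterprise-beans></ejb-jar>"""

REMOVED = {"UserServiceDSN", "UserDAOImpl", "StoreHashedCredentials"}  # the block step 8 replaces
LDAP_ENTRIES = [  # (name, type, value) from Example B-2; the password is a placeholder
    ("java.naming.security.principal", "java.lang.String", "cn=orcladmin,cn=Users,dc=us,dc=oracle,dc=com"),
    ("java.naming.security.credentials", "java.lang.String", "LDAP_ADMIN_PASSWORD_PLACEHOLDER"),
    ("java.naming.provider.url", "java.lang.String", "ldap://ldapusers.company.com:636"),
    ("SipUriLdapAttribute", "java.lang.String", "mail"),
    ("java.naming.security.protocol", "java.lang.String", "ssl"),
    ("UserDAOImpl", "java.lang.String", "oracle.sdp.userservice.dao.ldap.UserDAOImpl"),
]


def env_entries(xml_text):
    """Map env-entry-name -> env-entry-value for every env-entry in the file."""
    root = ET.fromstring(xml_text)
    return {e.findtext("env-entry-name"): e.findtext("env-entry-value")
            for e in root.iter("env-entry")}


def convert_to_ldap(xml_text, entries=LDAP_ENTRIES):
    """Drop the TimesTen entries from each session bean and append the LDAP entries."""
    root = ET.fromstring(xml_text)
    for session in root.iter("session"):
        for old in list(session.findall("env-entry")):
            if old.findtext("env-entry-name") in REMOVED:
                session.remove(old)
        for name, typ, value in entries:
            entry = ET.SubElement(session, "env-entry")
            ET.SubElement(entry, "env-entry-name").text = name
            ET.SubElement(entry, "env-entry-type").text = typ
            ET.SubElement(entry, "env-entry-value").text = value
    return ET.tostring(root, encoding="unicode")


def ssl_consistent(xml_text):
    """True when a :636 provider URL is paired with java.naming.security.protocol=ssl.
    Port 636 alone does not make the connection SSL; the protocol entry does."""
    env = env_entries(xml_text)
    url = env.get("java.naming.provider.url", "")
    return not url.endswith(":636") or env.get("java.naming.security.protocol") == "ssl"
```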

Provisioning OCMS Users to OID

You cannot provision users to OID using Sash. Instead, you must provision user accounts to OID using the Oracle Identity Management (OIM) Web-based Oracle Delegated Administration Services application (OIDDAS), described in Oracle Identity Management Guide to Delegated Administration. You access this tool from a browser by entering http://<host>:<port>/oiddas, where the host and port are the hostname and HTTP port for the Oracle Application Server instance of the OID deployment.

Adding Users to LDAP Groups

Because certain OCMS applications require specific JAAS roles, users must belong to the correct LDAP groups. For example, users of the Proxy Registrar application must belong to the "Location Services" group. You can add users to LDAP groups either through the Oracle Delegated Administration Services application or the oidadmin LDAP utility. Using Oracle Delegated Administration Services, you can add a user to an LDAP group by adding the distinguished name of the user to the list of values in the LDAP group's uniquemember attribute. For more information, refer to Oracle Identity Management Guide to Delegated Administration.