Oracle® Secure Enterprise Search Administrator's Guide
10g Release 1 (10.1.8.1)

Part Number B32514-01

A Oracle Secure Enterprise Search Secure Portlet

This appendix describes the tasks required to register an Oracle SES WSRP portlet (also called the secure portlet). OracleAS Portal customers can use this portlet from their Portal pages. The secure portlet requires Oracle Application Server Portal 10.1.4.

This appendix contains the following topics:

  OracleAS Portal Tasks

  Oracle SES Tasks

  Example of Exporting Keys

OracleAS Portal Tasks

This section lists the detailed tasks necessary on the Portal 10.1.4 (consumer) side.

  1. Apply Portal patch for bug 5024378.

  2. Generate keys. (This is necessary for secure portlet search.) Follow the Configuration section of the OracleAS Portal patch Installation and Configuration Guide until Step 2.

  3. After the public/private key is generated, export the public key to Oracle SES instance. (This is necessary for secure portlet search.)

  4. Complete the steps required in the following section "Oracle SES Tasks".

  5. Register the portlet provider and create a portlet page. Complete Steps 3 and 4 of the Configuration section of the Portal patch Installation and Configuration Guide.

    Note:

    If any intermediate step is repeated after the installation steps, the corresponding servers must be restarted.

Oracle SES Tasks

This section lists the detailed tasks necessary on the Oracle SES (provider) side.

First, you invoke the Oracle SES WSRP Web Service ports. You then register the public key of OracleAS Portal with the Oracle SES OC4J instance and enable Username Token Web Service Security for the Oracle SES WSRP Web Service port. Next, you set up Oracle Identity Management as the security provider. (All of these steps are necessary for secure search.) You then change the configuration files: jazn.xml and wsmgmt.xml are necessary for secure portlet search, and portlet.xml is necessary for both public and secure portlet search. Finally, you must restart the Oracle SES OC4J instance.

Note:

The same commands can be used if Oracle SES is installed on Windows, provided that you use "\" in place of "/" in the directory path.

In this section, $ORACLE_HOME represents the path where Oracle SES is installed. On Windows, the equivalent is %ORACLE_HOME%.

  1. Log on to the OC4J console at http://<host>:<port>/em

    where <port> is the Oracle SES port (default 7777).

    For user name enter oc4jadmin, and for password enter the Oracle SES installation password.

    1. Click the Applications tab, and then click the search_portlet application link.

    2. Under the Modules section, click the search_portlet_war Web application link.

    3. Click the Test Web Module link.

    4. Enter the URL in the test box: http://<host>:<port>/sesPortlet/portlets/WSRPBaseService?WSDL. Then click the Test Web Module button. A window appears confirming that the portlet is deployed properly.

  2. Add identity and keystore credentials, and enable WS-Security Username Token. (This is necessary for secure search.)

    1. Click the Application: search_portlet link. Then click the Web Services tab, and then the WSRPBaseService link.

    2. Click the Administration link.

    3. Click the Enable/Disable Features button if security is not enabled already. Select Security from Available Features and move it to Enabled Features using the move button. Click OK to enable the security. (If security is enabled, then skip to the next Edit configuration step.)

    4. Click the Security row Edit configuration link to configure keystore credentials and identity certifications.

    5. Click the Keystore and Identity Certificates button to configure key store information.

    6. Enter the following information, and click OK.

      Note:

      The cacerts keystore is where the public key of the Portal (consumer) is imported. If you import it into a different keystore, then change the keystore name and path accordingly.

      Keystore name: SESKey

      Keystore path: ../../../../../jdk/jre/lib/security/cacerts (Specify path to keystore, relative to the application root directory.)

      Keystore Type: JKS

      Keystore password: changeit (the default password of the cacerts keystore)

    7. Click the Inbound Policies button to enable the username token ws-security mechanism.

    8. Select the Use Username/Password Authentication checkbox. Click OK to complete keystore credentials and identity certificates.

  3. Set Oracle Internet Directory as the security provider. (This is necessary for secure search.)

    1. Click the OC4J: OC4J_SEARCH tab.

    2. Click the Administration tab. Then scroll down to click the Identity Management link to enter identity management server details.

    3. Click the Configure button and enter the Oracle Identity Management server information. (If identity management is already set, then the current configuration settings are shown. Make any necessary changes; if no changes are necessary, then proceed with the next step.) After entering the necessary information, click the Next button after Step 1 and Step 2. Select the Use OID Security Provider box for the search_portlet application only, and click the Configure button to complete the setup of Oracle Internet Directory as the security provider.

    4. Click the OC4J: OC4J_SEARCH link.

    5. Click the Administration tab, then click the Security Provider link.

    6. Click Edit for the search_portlet application.

    7. Click the Change Security Provider button.

    8. Select Oracle Identity Management Security Provider from the dropdown list. Click OK.

    9. Log out of the OC4J Web Enterprise Manager.

    10. Restart the Oracle SES OC4J instance to enable security provider settings:

      Change directory to $ORACLE_HOME/bin and run the following command:

      ./searchctl restart

      On Windows, run the following command:

      searchctl restart
      
      
  4. Add the mapping attribute entry to the jazn.xml.

    1. From the $ORACLE_HOME/oc4j/j2ee/home/config directory, edit jazn.xml. Add the following entry at the end before the </jazn> tag:

      <property name="mapping.attribute" value="cn"/>
      
    2. Replace the entries in $ORACLE_HOME/oc4j/j2ee/OC4J_SEARCH/config/jazn.xml with the entries from $ORACLE_HOME/oc4j/j2ee/home/config/jazn.xml.

    3. Change the verify-username-token element in wsmgmt.xml to support "Username Token without password" Web service security. (This is necessary for secure search.)

      Change directory to $ORACLE_HOME/oc4j/j2ee/OC4J_SEARCH/config and edit the wsmgmt.xml file. Comment out the following entry:

      <verify-username-token password-type="PLAINTEXT" require-nonce="false" require-created="false"/>

      and make the following entry:

      <verify-username-token>
        <property name="username.token.allow.nopassword" value="true"/>
      </verify-username-token>
      
  5. Edit portlet.xml.

    From the $ORACLE_HOME/oc4j/j2ee/OC4J_SEARCH/applications/search_portlet/search_portlet_war/WEB-INF directory, edit portlet.xml to change the following <init-param> element values:

    Change the endPointURL value element to the appropriate http://<host>:<port>/search/query/OracleSearch.

    Change the absUrlPrefix value element to the appropriate http://<host>:<port>/.

    For secure search, set the secureContentSearch value element to true.

    Change the appID value element to the name of one of the entities configured as a federated trusted entity. If none is configured, then you must configure one.

    Change the appPWD value element to the password of that federated trusted entity.

    Note:

    Set up federated trusted entities on the Global Settings - Federation Trusted Entities page in Oracle SES. Enter an entity name and password, then click Add. The entry is added to the Trusted Entities table.

  6. Restart the Oracle SES OC4J instance to enable the changes made to portlet.xml.

    From the $ORACLE_HOME/bin directory, run the following command:

    ./searchctl restart
    
    

    On Windows, run the following command:

    searchctl restart
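
As an added example (not part of the Oracle SES guide), the following Python script checks whether the wsmgmt.xml edit from step 4 and the portlet.xml init-param values from step 5 are in place. It runs against constructed XML fragments; the host name ses.example.com and the entity name portal_entity are assumptions.

```python
# Added example (not from the Oracle SES guide): audit the wsmgmt.xml and
# portlet.xml edits from steps 4 and 5 against constructed sample fragments.
import xml.etree.ElementTree as ET

def _named(root, name):
    # Match on the local name so portlet.xml's default namespace is ignored.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_wsmgmt(xml_text):
    """Step 4.3: every verify-username-token allows a password-less token and no longer has PLAINTEXT."""
    tokens = _named(ET.fromstring(xml_text), "verify-username-token")
    return bool(tokens) and all(
        tok.get("password-type") is None
        and {p.get("name"): p.get("value") for p in _named(tok, "property")}
            .get("username.token.allow.nopassword") == "true"
        for tok in tokens)

def portlet_problems(xml_text):
    """Step 5: return the init-params not yet set for secure search (empty list means ready)."""
    params = {}
    for ip in _named(ET.fromstring(xml_text), "init-param"):
        name, value = _named(ip, "name"), _named(ip, "value")
        if name and value:
            params[name[0].text.strip()] = (value[0].text or "").strip()
    problems = []
    if not params.get("endPointURL", "").endswith("/search/query/OracleSearch"):
        problems.append("endPointURL")
    if not params.get("absUrlPrefix", "").endswith("/"):
        problems.append("absUrlPrefix")
    if params.get("secureContentSearch") != "true":
        problems.append("secureContentSearch")
    if not params.get("appID") or not params.get("appPWD"):
        problems.append("appID/appPWD")
    return problems

# Constructed fragments: the entry before step 4.3, the entry after it, and a portlet.xml
# that still has secureContentSearch=false and lacks absUrlPrefix and appPWD.
WSMGMT_BEFORE = '<inbound><verify-username-token password-type="PLAINTEXT" require-nonce="false" require-created="false"/></inbound>'
WSMGMT_AFTER = ('<inbound><verify-username-token><property name="username.token.allow.nopassword" '
                'value="true"/></verify-username-token></inbound>')
PORTLET = ('<portlet-app xmlns="http://java.sun.com/xml/ns/portlet"><portlet>'
           '<init-param><name>endPointURL</name>'
           '<value>http://ses.example.com:7777/search/query/OracleSearch</value></init-param>'
           '<init-param><name>secureContentSearch</name><value>false</value></init-param>'
           '<init-param><name>appID</name><value>portal_entity</value></init-param>'
           '</portlet></portlet-app>')

if __name__ == "__main__":
    print(check_wsmgmt(WSMGMT_BEFORE), check_wsmgmt(WSMGMT_AFTER))  # False True
    print(portlet_problems(PORTLET))  # ['absUrlPrefix', 'secureContentSearch', 'appID/appPWD']
```

Point the two functions at the real files under $ORACLE_HOME/oc4j/j2ee/OC4J_SEARCH after editing them to confirm the changes took effect before restarting the OC4J instance.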
    

Example of Exporting Keys

Create a public and private key on the consumer, OracleAS Portal, and export the public key to the provider, Oracle SES.

See Also:

The appendix of the Installation and Configuration Guide provided with the Portal patch, for a detailed description of how to create a key

The following commands show a sample session for creating, importing, and exporting the keys.

  1. Generate key:

    keytool -genkey -alias portalsignkey -keypass <key-password> -keyalg RSA -sigalg SHA1withRSA -keystore portalKey.jks -storepass <store-password>
    
    
  2. List keystore to see the key generated in the name portalsignkey:

    keytool -list -keystore portalKey.jks -storepass <store-password>
     
    
  3. Create a certificate request file:

    keytool -certreq -file portalKey.csr -alias portalsignkey -keystore portalKey.jks -storepass <store-password> -keypass <key-password>
    
    
  4. Import the root certificate, the intermediate certificate (if needed), and the signed public key certificate:

    keytool -import -file root.cer -keystore portalKey.jks -storepass <store-password>
    keytool -import -file intermediate.cer -keystore portalKey.jks -storepass <store-password> -alias inter
    keytool -import -file portalKey.cer -keystore portalKey.jks -storepass <store-password> -alias portalsignkey -keypass <key-password>
    
    
  5. Export public key:

    keytool -export -file portalpublickey.cer -alias portalsignkey -keystore portalKey.jks -storepass <store-password>
    
    
  6. Import public key to Oracle SES cacerts:

    keytool -import -file portalpublickey.cer -keystore cacerts -storepass <store-password> -alias portalpublickey
    

Note:

<key-password> is the password to protect the private key of the generated key pair, and <store-password> is the password to protect the integrity of the keystore.