Oracle® Beehive Installation Guide
Release 1 (1.2 and 1.3) for Linux

Part Number E10481-06

25 Oracle Beehive Administration Console Post-Installation Procedures

Oracle Beehive Administration Console is available for Oracle Beehive Release 1 (1.3) and later.

Depending on your security requirements or any other issue particular to your deployment, perform one or more of the following procedures after installing Oracle Beehive Administration Console:

Configuring Oracle Beehive Administration Console for SSL Access

  1. Create a keystore with the following command. The keytool command is located in <Oracle Beehive Administration Console home>/jdk/bin. The following example will create a keystore named server.keystore in the directory <Oracle Beehive Administration Console home> with the password welcome:

    keytool -genkey -keyalg "RSA" \
      -keystore "<Oracle Beehive Administration Console home>/server.keystore" \
      -storepass welcome -validity 90
    

    Note:

    For more information about the keytool utility, refer to http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.

    For additional information, refer to "Using Keys and Certificates with OC4J and Oracle HTTP Server" and "Using SSL with Standalone OC4J" in Chapter 15, "SSL Communication with OC4J" in Oracle Containers for J2EE Security Guide.

  2. Make a copy of <Oracle Beehive Administration Console home>/j2ee/home/config/default-web-site.xml and name it <Oracle Beehive Administration Console home>/j2ee/home/config/secure-web-site.xml.

  3. In secure-web-site.xml, edit the <web-site> element. Set the port attribute to any available port number, secure to true, and protocol to https:

    <web-site
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xsi:noNamespaceSchemaLocation=
        "http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd" 
      port="4443"
      secure="true"
      protocol="https"
      display-name="Default Web Site"
      schema-major-version="11"
      schema-minor-version="1">
    

    Note:

    You may also add the attribute virtual-hosts to the <web-site> element to use both SSL and virtual hosts. Refer to "Configuring Virtual Host" for more information.

  4. Add the following element inside the <web-site> element:

    <ssl-config
      keystore="<Oracle Beehive Administration Console home>/server.keystore" 
      keystore-password="welcome"/>
    

    Set the attribute keystore to the full path name of the keystore you created previously. Set the attribute keystore-password to the password of the keystore.

  5. In <Oracle Beehive Administration Console home>/j2ee/home/config/server.xml, edit the <web-site> element and add the attribute path="./secure-web-site.xml":

    <web-site path="./secure-web-site.xml"/>
    
  6. Restart OC4J as described in "Restarting OC4J".
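Before restarting OC4J, the attributes set in steps 3 and 4 can be checked by parsing secure-web-site.xml. The following Python is an added example, not part of the Oracle documentation; the sample XML, the keystore path and the list of documentation passwords are constructed for this check.

```python
import xml.etree.ElementTree as ET

# Constructed sample of secure-web-site.xml after steps 3 and 4.
# The keystore path is a placeholder, not a real installation path.
SAMPLE_SECURE_SITE = """\
<web-site
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:noNamespaceSchemaLocation=
    "http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd"
  port="4443" secure="true" protocol="https"
  display-name="Default Web Site">
  <ssl-config keystore="/opt/beehive_console/server.keystore"
              keystore-password="welcome"/>
</web-site>
"""

# Passwords used in documentation examples (assumed list for this check).
DOC_PASSWORDS = {"", "welcome", "welcome1"}


def audit_web_site(xml_text):
    """Return findings for a <web-site> definition that should serve HTTPS."""
    site = ET.fromstring(xml_text)
    if site.tag != "web-site":
        return ["root element is <%s>, expected <web-site>" % site.tag]
    findings = []
    if site.get("secure") != "true":
        findings.append("secure is not 'true'")
    if site.get("protocol") != "https":
        findings.append("protocol is not 'https'")
    port = site.get("port", "")
    if not (port.isdecimal() and 0 < int(port) < 65536):
        findings.append("port is missing or not a valid TCP port")
    ssl = site.find("ssl-config")
    if ssl is None:
        findings.append("<ssl-config> element is missing")
        return findings
    if not ssl.get("keystore", "").startswith("/"):
        findings.append("keystore is not a full path name")
    if ssl.get("keystore-password", "") in DOC_PASSWORDS:
        findings.append("keystore-password is empty or a documentation example")
    return findings


if __name__ == "__main__":
    for finding in audit_web_site(SAMPLE_SECURE_SITE):
        print("FINDING:", finding)
```

Because secure-web-site.xml holds the keystore password in clear text, the file itself should be readable only by the account that runs OC4J.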

Changing Oracle Beehive Administration Console Port

  1. Edit the file <Oracle Beehive Administration Console home>/j2ee/home/config/default-web-site.xml and modify the port attribute in the <web-site> element to any available port number:

    <web-site ... port="7779" ... >
    
  2. Restart OC4J as described in "Restarting OC4J".

Extending Java Single Sign-On Session Timeout

To extend the Java Single Sign-On session timeout for Oracle Beehive Administration Console, add the highlighted text (the custom.sso.session.timeout property in the following excerpt) to the file <Oracle Beehive Administration Console home>/j2ee/home/application-deployments/javasso/jps-config.xml:

<serviceInstance name="idm" provider="idm.provider">
    <description>JSSO Authentication Configuration</description>
    <property name="idm.authentication.name" value="JavaSSO"/>
    <property name="idm.token.asserter.class" 
      value="oracle.security.jps.internal.jsso.SSOCookieTokenAsserter"/>
    <property name="idm.token.collector.class"
      value="oracle.security.jps.internal.jsso.SSOCookieTokenCollector"/>
    <property name="idm.token.type" value="COOKIE_TOKEN"/>
    <property name="idm.token.collector.cookie.1" value="ORA_OC4J_SSO"/>
    <property name="custom.sso.url.login" value="/jsso/SSOLogin"/>
    <property name="custom.sso.url.logout" value="/jsso/SSOLogout"/>
    <property name="custom.sso.cred.key" value="JSSO_KEY"/>
    <property name="custom.sso.cred.alias" value="JSSO_ALIAS"/>
    <property name="custom.sso.session.timeout" value="3600"/>
</serviceInstance>

After making changes to the jps-config.xml file, restart OC4J as described in "Restarting OC4J".

For more information about Java Single Sign-On, refer to Chapter 14, "OC4J Java Single Sign-On" in Oracle Containers for J2EE Security Guide.

Configuring Oracle Beehive Administration Console for LDAP-Based Authentication

You may configure Oracle Beehive Administration Console so that it authenticates its users with credentials stored in your LDAP directory. These steps apply only if you have integrated and synchronized your Oracle Beehive instance with Oracle Internet Directory. Refer to "Integrating and Synchronizing LDAP with Oracle Beehive" for more information.

  1. Edit the file <Oracle Beehive Administration Console home>/j2ee/home/application-deployments/javasso/jps-config.xml and update the values that are highlighted in the following excerpt with configuration information that corresponds to your LDAP directory:

    <serviceInstance name="beehive.ldap.loginmodule" 
      provider="jaas.login.provider">
      <description>Beehive LDAP Login Module</description>
      <property name="loginModuleClassName" 
        value="oracle.ocs.csi.authentication.login.modules.OcsLdapLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      <property name="oracle.security.jaas.ldap.user.object.class" 
        value="inetOrgPerson"/>
      <property name="oracle.security.jaas.ldap.provider.connect.pool" 
        value="true"/>
      <property name="oracle.security.jaas.ldap.provider.credential" 
        value="!welcome1"/>
      <property name="oracle.security.jaas.ldap.provider.type" value="other"/>
      <property name="oracle.security.jaas.ldap.provider.url" 
        value="ldap://ldapserver:389"/>
      <property name="oracle.security.jaas.ldap.role.searchscope" value="subtree"/>
      <property name="oracle.security.jaas.ldap.user.searchscope" value="subtree"/>
      <property name="oracle.security.jaas.ldap.user.searchbase" 
        value="cn=Users,dc=us,dc=oracle,dc=com"/>
      <property name="oracle.security.jaas.ldap.role.searchbase" 
        value="cn=Users,dc=us,dc=oracle,dc=com"/>
      <property name="oracle.security.jaas.ldap.role.object.class" 
        value="groupOfUniqueNames"/>
      <property name="oracle.security.jaas.ldap.role.name.attribute" value="cn"/>
      <property name="oracle.security.jaas.ldap.provider.user" 
        value="cn=orcladmin"/>
      <property name="oracle.security.jaas.ldap.user.name.attribute" value="uid"/>
      <property name="oracle.security.jaas.ldap.membership.searchscope" 
        value="direct"/>
      <property name="oracle.security.jaas.ldap.member.attribute" 
        value="uniqueMember"/>
      <property name="oracle.security.jaas.ldap.lm.cache_enabled" value="true"/>
      <property name="authenticated.role.name" value="authenticated-role"/>
    </serviceInstance>
    

    Tips:

    Obtain values for jps-config.xml from the file <Oracle Beehive home>/j2ee/home/config/system-jazn-data.xml. Look for the <application> element that contains the element <name>beehive-auth-framework-password</name>.

    Prepend the clear-text password (the value of oracle.security.jaas.ldap.provider.credential) of the administrator's account (the value of oracle.security.jaas.ldap.provider.user) with an exclamation point (!). The exclamation point causes the password to be obfuscated the next time OC4J is restarted.

  2. In the same file (jps-config.xml), update the <jpsContexts> element with the highlighted value:

    <jpsContexts default="jsso-ldap">
    
  3. Edit the file <Oracle Beehive Administration Console home>/j2ee/home/application-deployments/myapp/jps-config.xml and make the same changes as in steps 1 and 2.

  4. Restart OC4J as described in "Restarting OC4J".
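After the restart, both copies of jps-config.xml (javasso and myapp) can be checked for the state this procedure should leave behind. The following Python is an added example, not part of the Oracle documentation; the XML excerpt and its <jpsConfig>/<serviceInstances> wrapper are constructed, and whether the login module accepts an ldaps:// URL is not stated on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed excerpt of jps-config.xml, reduced to what the check reads.
# The <jpsConfig>/<serviceInstances> wrapper is assumed for this example.
SAMPLE_JPS = """\
<jpsConfig>
  <serviceInstances>
    <serviceInstance name="beehive.ldap.loginmodule"
                     provider="jaas.login.provider">
      <property name="debug" value="true"/>
      <property name="oracle.security.jaas.ldap.provider.credential"
                value="!welcome1"/>
      <property name="oracle.security.jaas.ldap.provider.url"
                value="ldap://ldapserver:389"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="jsso-ldap"/>
</jpsConfig>
"""
PREFIX = "oracle.security.jaas.ldap.provider."


def local(tag):
    """Drop an XML namespace prefix such as {uri}name, if present."""
    return tag.rsplit("}", 1)[-1]


def audit_jps_ldap(xml_text, module="beehive.ldap.loginmodule"):
    """Return findings for the LDAP login module configured in steps 1 and 2."""
    root = ET.fromstring(xml_text)
    inst = next((e for e in root.iter() if local(e.tag) == "serviceInstance"
                 and e.get("name") == module), None)
    if inst is None:
        return ["serviceInstance %s not found" % module]
    props = {p.get("name"): p.get("value", "")
             for p in inst if local(p.tag) == "property"}
    findings = []
    if props.get(PREFIX + "credential", "").startswith("!"):
        findings.append("credential has the '!' prefix: clear text until OC4J restarts")
    if urlsplit(props.get(PREFIX + "url", "")).scheme == "ldap":
        findings.append("provider.url uses ldap:// (no TLS at connect)")
    if props.get("debug") == "true":
        findings.append("debug is enabled on the login module")
    ctx = next((e for e in root.iter() if local(e.tag) == "jpsContexts"), None)
    if ctx is None or ctx.get("default") != "jsso-ldap":
        findings.append("jpsContexts default is not jsso-ldap")
    return findings
```

A credential value that still begins with an exclamation point after the restart means the file was edited again or OC4J did not pick it up, so the administrator's bind password remains readable on disk.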

Configuring Virtual Host

  1. Add virtual-hosts="beehive_admin.us.oracle.com" to the <web-site> element in default-web-site.xml. (Replace beehive_admin.us.oracle.com with the name of your virtual host.)

    <web-site
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xsi:noNamespaceSchemaLocation=
        "http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd" 
      port="7778"
      secure="false"
      protocol="http"
      display-name="Default Web Site"
      schema-major-version="11"
      schema-minor-version="1" 
      virtual-hosts="beehive_admin.us.oracle.com">
    
  2. Restart OC4J as described in "Restarting OC4J".

Restarting OC4J

For information about starting and stopping OC4J, refer to Chapter 5, "Starting and Stopping OC4J" in Oracle Containers for J2EE Configuration and Administrator's Guide.