9 Installing and Configuring Oracle Content Server

This chapter describes how to install and configure Oracle Content Server (OCS). It contains the following sections:

9.1 Prerequisites

Ensure that you meet the following prerequisites:

  • The OCS schema <prefix>_OCSERVER. exists in the database. The schema was installed when you ran RCU. You must run RCU to install schemas needed by Oracle WebCenter.

  • A shared drive is available to both of the machines (WCHOST1 and WCHOST2) on which OCS will be installed.

9.2 Installing Oracle Content Server

Run the installer from WCHOST1, which is one of the two machines that will eventually form the OCS cluster. You will install OCS on the shared disk.

Run the OCS installer from the /install directory on the OCS media.


The installer is text-based. The following lines show an installer session. Your responses are in bold.

Please select your locale from the list.            *4. English-US

Select installation type from the list.             *1. Install new server

Please enter the full pathname to the installation directory.
Content Server Core Folder [/oracle/ucm/server]:    /shared/oracle/ucm/server
// This is an example. Make sure that you specify an installation directory that is on a shared drive.

Create Directory               *1. Yes

Java virtual machine           *1. Sun Java 1.5.0_11 JDK

Enter the location of the native file repository. This directory contains the
native files checked in by contributors.
Content Server Native Vault Folder [/shared/oracle/ucm/server/vault/]: < accept default >

Create Directory                   *1. yes

Enter the location of the web-viewable file repository. This directory contains
files that can be accessed through the web server.
Content Server Weblayout Folder [/shared/oracle/ucm/server/weblayout/]: < accept default >

Create Directory                  *1. yes

This server can be configured to manage its own authentication or to allow another
master to act as an authentication proxy.
Configure this server as a master or proxied server.
        *1. Configure as a master server.

During installation, an admin server can be installed and configured to manage
this server. If there is already an admin server on this system, you can have the
installer configure it to administrate this server instead.
Select admin server configuration.
        *1. Install an admin server to manage this server.

Enter the location of an executable to start your web browser. This browser will
be used to display the online help.
Web Browser Path [/usr/local/bin/firefox]:               < accept default >

Content Server System locale
         *4. English-US

Please select the region for your timezone from the list.
        *1. Use the timezone setting for your operating system

Please enter the port number that will be used to connect to the Content Server.
This port must be otherwise unused.
Content Server Port [4444]:           9054

Please enter the port number that will be used to connect to the Admin Server.
This port must be otherwise unused.
Admin Server Port [4440]:         9050

// Do NOT take the default. Specify the list of all the IPs of WebCenter and
// Oracle HTTP Server hosts in the cluster. For the EDG topology, this includes
// For example,|||
Enter a security filter for the server port. Hosts which are allowed to communicate directly with the server port may access any resources
managed by the server. Insure that hosts which need access are included in the filter. See the installation guide for more details.
Incoming connection address filter []:  <list of IP addresses of all the Oracle HTTP Server and WebCenter servers in the cluster>

// Either take the default or specify a new context root
// Here we'll accept the default of 'idc'.
Web Server Relative Root [/idc/]:     /idc/

Enter the name of the local mail server. The server will contact this system to
deliver email.
Company Mail Server [mail]:        < accept default or enter name of local mail server>

Enter the e-mail address for the system administrator.
Administrator E-Mail Address [sysadmin@mail]:       < accept default or enter email of the system administrator >

// Next question do NOT take the DEFAULT, specify host:port which your webserver is running
Web Server HTTP Address [webhost1]:     webhost1.us.oracle.com:7777

Enter the name for this instance. This name should be unique across your entire
enterprise. It may not contain characters other than letters, numbers, and underscores.
Server Instance Name [idc]:   < accept default >

Enter a short label for this instance. This label is used on web pages to identify
this instance. It should be less than 12 characters long.
Server Instance Label [idc]:   < accept default >

Enter a long description for this instance.
Server Description [Content Server idc]:   < accept default >

// Choose Apache for Oracle HTTP Server
Web Server
        *1. Apache

Please select a database from the list below to use with the Content Server.
Content Server Database
        *1. Oracle

Manually configure JDBC settings for this database
        *2. no

// Specify the hostname of one of the RAC DB machines.
Oracle Server Hostname [localhost]:     rachost1.us.oracle.com

// Specify the database port
Oracle Listener Port Number [1521]:     1521

// Specify the username (prefix_OCSERVER) of the schemas you installed using the RCU
The user name is used to log into the database used by the content server.
Oracle User [user]:   WCEDG_OCSERVER
// Specify the password (prefix_OCSERVER) of the schemas you installed using the RCU
The password is used to log into the database used by the content server.
Oracle Password []:   < enter the schema password >

//Specify the SID of one of the RAC instances.
Oracle Instance Name [ORACLE]:   orasid1

Configure the JVM to find the JDBC driver in a specific jar file
        *2. no

// Accept the default. Do not choose to create database tables since they should
// have been created with RCU already.

The installer can attempt to create the database tables or you can manually create
them. If you choose to manually create the tables, you should create them now.
Attempt to create database tables
1. No

Select components to install.
 1. ContentFolios: Collect related items in folios
 2. LinkManager8: Hypertext link management support
 3. OracleTextSearch: External Oracle 11g database as search indexer support
 4. ThreadedDiscussions: Threaded discussion management
Enter numbers separated by commas to toggle, 0 to unselect all, F to finish:    F

The installer then installs Oracle Content Server. Ensure that Oracle Content Server starts up at the end of installation.

If Oracle Content Server does not start, check the logs for errors, and resolve them. The log files are located in the following places:

Table 9-1 Location of Log Files for Oracle Content Server

Location Description


Basic installer log


Output from starting Oracle Content Server


HTML logs

You can try to start the server manually by running:


If you want to see some debug output, specify the -debug parameter:

<content_server_dir>/bin/IdcServer -debug

If you want to see more debug output, edit the <content_server_dir>/config/config.cfg file to include the following line:


If you want to see even more debug output, add these lines to <content_server_dir>/config/config.cfg:


9.3 Running the WebCenter Configuration Script

Run the WebCenter configuration script, wc_contentserverconfig.sh, from the Oracle Content Server media to prepare the server to work with Oracle WebCenter. This script installs the following:

  • Oracle Content Server patch

  • Folders_g component

  • WcConfigure component

The WcConfigure component performs the following tasks to configure Oracle Content Server for Oracle WebCenter:

  • Sets configuration values for UseAccounts and IsAutoNumber to true and AutoNumberPrefix to IDC_Name, if not set.

  • Updates, if necessary, the JDBC password and its encoding from ClearText to Intradoc.

  • Adds the document type DOCUMENT.

  • Configures folders so that dDocType and dSecurityGroup are inherited, and the system default information is set as follows: dDocType=DOCUMENT and dSecurityGroup=Public.

Perform these steps to run the wc_contentserverconfig WebCenter script:

  1. Navigate to the webcenter-conf directory, which is in the root directory on the Oracle Content Server media.

  2. Run the following command:

    ./wc_contentserverconfig.sh <content_server_dir> <path_to_source_directory>

    Where <content_server_dir> refers to the Oracle Content Server installation directory and <path_to_source_directory> refers to the webcenter-conf directory on the Oracle Content Server media. For example:

    wc_contentserverconfig.sh /shared/oracle/ucm/server /myproducts/ucmmedia/webcenter-conf
  3. Restart Oracle Content Server Admin Server and Oracle Content Server.

    To restart Admin Server, run <content_server_dir>/admin/etc/idcadmin_restart.

    To restart Oracle Content Server, run <content_server_dir>/etc/idcserver_restart.

    Where <content_server_dir> refers to the Oracle Content Server installation directory.


For more information about how to start, stop, or restart Oracle Content Server, see the Content Server Installation Guide for UNIX at http://download.oracle.com/docs/cd/E10316_01/owc.htm.

9.4 Configuring Oracle Content Server for Remote Oracle HTTP Server

Perform these steps to configure Oracle Content Server for remote Oracle HTTP Server (that is, Content Server and Oracle HTTP Server run on different hosts). You must perform steps on the Content Server machine and on the Oracle HTTP Server machine:

9.4.1 Steps to Perform on the Content Server Machine

Perform these steps on the Content Server machine (WCHOST1):

  1. Shut down Oracle Content Server and the Content Server Admin Server:

    To stop Oracle Content Server, run this command:

    WCHOST1> <content_server_dir>/etc/idcserver_stop

    To stop the Content Server Admin Server, run this command:

    WCHOST1> <content_server_dir>/admin/etc/idcadmin_stop
  2. Edit the <content_server_dir>/config/config.cfg file to include the following lines:


    Also, add SocketHostAddressSecurityFilter if it is not already there. This should be set to a pipe-delimited list of hosts allowed to access Oracle Content Server.


    SocketHostAddressSecurityFilter= | IP_of_WEBHOST1 | IP_of_WEBHOST2 | IP_of_WCHOST1 | IP_of_WCHOST2
  3. Edit the <content_server_dir>/admin/bin/intradoc.cfg file to include the SocketHostAddressSecurityFilter entry if it is not already there. See the previous step for the values for this parameter.

  4. Restart the content server.

9.4.2 Steps to Perform on the Oracle HTTP Server Machine

Perform these steps on the Oracle HTTP Server machine (WEBHOST1):

  1. Create a local directory on WEBHOST1 with the same path name as the shared directory on WCHOST1:

    WEBHOST1> mkdir -p /shared/oracle/ucm/server

    The remaining steps will refer to this directory as <cs_on_webhost_dir>.

    This is a local directory: the WEBHOST machine does not have access to the shared drive.

  2. Copy the following directories (the content server stub) from the Oracle Content Server machine to the directory on WEBHOST1 created in the previous step:

    • <content_server_dir>/data

    • <content_server_dir>/idcplg (if it exists)

    • <content_server_dir>/weblayout (without the groups subdirectory)

  3. On WEBHOST1, create the <cs_on_webhost_dir>/shared/os/<OS_Name>/lib directory.

    For example:

    WEBHOST1> mkdir /shared/oracle/ucm/server/shared/os/linux/lib
  4. Copy the IdcApache22Auth.so and RedirectUrls.so files on the Content Server machine (these files are located in the <content_server_dir>/shared/os/<OS_Name>/lib directory) to the directory created in the previous step, on the WEBHOST1 machine.

  5. On WEBHOST1, create the <cs_on_webhost_dir>/data/users/SystemFilters.hda file, and add the following lines:

    @Properties LocalData 
    @ResultSet IdcAuthPlugins 
  6. Create virtual directories for Oracle HTTP Server.

    Add the following lines to Oracle HTTP Server's httpd.conf file:


    The lines below use idc because it was the context root specified during the installation. If you specified a different context root, then enter your context root instead of idc.
    LoadModule IdcApacheAuth <cs_on_webhost_dir>/shared/os/linux/lib/IdcApache22Auth.so
    IdcUserDB idc "<cs_on_webhost_dir>/data/users/userdb.txt"
    Alias /idc "<cs_on_webhost_dir>/weblayout"
    <Location /idc>
       Order allow,deny
       Allow from all
       DirectoryIndex portal.htm
       IdcSecurity idc
    UseCanonicalName Off
  7. Restart Oracle Content Server.

  8. Restart Oracle HTTP Server.

9.5 Validating the Installation

Verify that you can access the Admin interface at http://webhost1:7777/idc. The login is sysadmin/idc.

If the Admin interface does not come up, diagnose and resolve any problems before proceeding.

9.6 Backing Up the Installation

Back up all the installation files on both the Web machine and the Content Server machine.

For the HTTP Server machine, back up the configuration directory:

WEBHOST1> tar -cvpf ucmWHconfigback.tar /shared/oracle/ucm/server

For the Content Server machine, back up all install files and configuration:

WCHOST1> tar -cvpf ucmCSback.tar /shared/oracle/ucm/server

9.7 Configuring Oracle Content Server for WebCenter

To configure Oracle Content Server to work with WebCenter, perform the steps described in these sections:

9.7.1 Configuring Oracle Content Server

After installing Oracle Content Server, you must configure the server to use the same LDAP-based identity store that Oracle WebCenter has been configured to use. You can optionally configure Oracle Content Server for using WS-Security and enabling full-text search and index. Table 9-1 lists the various tasks and whether these tasks are mandatory or optional.

Table 9-2 Oracle WebCenter-Specific Post-Installation Configuration Tasks for Oracle Content Server

Task Mandatory/Optional

Configuring the Identity Store


Enabling Full-Text Searching and Indexing


Configuring Secure Socket Layer (SSL) in Oracle Content Server

Optional Configuring the Identity Store

Both Oracle Content Server and Oracle WebCenter must be configured to use the same LDAP-based identity store. By default, Oracle Content Server is not set up with an LDAP-based identity store.

To configure Oracle Content Server to use the LDAP-based identity store:

  1. Start the Oracle Content Server console and log on to the server with administrative permission.

  2. From the Administration menu, select Providers.

  3. In the Create a New Provider section, click Add for the ldapuser provider type (Figure 9-1)

    Figure 9-1 Creating a New Provider

    Creating a New Provider
  4. Specify details for the LDAP provider. You must specify the following information: provider name, provider description, provider class, source path, LDAP server, LDAP suffix, and LDAP port (Figure 9-2). The LDAP server details must be of the server that Oracle WebCenter is configured to use.

    You may also specify the LDAP admin user and password.


    Set the Default Network Account field to #none. Do not set any default role because all user security information is stored using the extended user attribute component of Oracle Content Server. You can set the Role Prefix and Account Prefix fields to any path that does not exist in the LDAP server.

    Figure 9-2 Specifying Details of a New LDAP Provider

    Specifying Details of a New LDAP Provider
  5. Click the Add button to add the LDAP provider.

  6. Click the Test link on the main providers page to verify that the new LDAP connection works fine. Enabling Full-Text Searching and Indexing

By default, the database used with Oracle Content Server is set up to provide metadata-only searching and indexing capabilities. You can additionally configure SQLServer, Oracle, and DB2 to support full-text searching and indexing. Configuring full-text search is optional, but advisable.

For information about enabling full-text searching and indexing, see the "Setting Up Database Search and Indexing" appendix in the Oracle Universal Content Management Content Server Installation Guide for Windows or UNIX available here:

http://download.oracle.com/docs/cd/E10316_01/ouc.htm Configuring Secure Socket Layer (SSL) in Oracle Content Server

If Oracle Content Server and the WebCenter application in which you have created a repository connection are not on the same machine or same trusted private network, then identity propagation is not secure. To ensure its security, you must configure SSL on Oracle Content Server.

To configure SSL on Oracle Content Server, you must perform the following tasks:

You can also see the "Secure Socket Layer (SSL) Communication" in Content Integration Suite (CIS) Installation Guide available at http://download.oracle.com/docs/cd/E10316_01/owc.htm. Perform these procedures, if you use self-signed certificates.

In a production environment, it is recommended that you use real certificates. For information on how to configure keystores when using real certificates, see "Using Service Providers" in Security Providers Component Administration Guide available at http://download.oracle.com/docs/cd/E10316_01/cs/cs_doc_10/documentation/extras/security_providers_guide.pdf.

Configuring a Keystore and Key on the Client Side

To configure a keystore on the WebCenter application (client) side:

  1. In your development environment, go to JDEV_HOME/jdk/bin and open the command prompt.

  2. Generate the client keystore by running the following keytool command:

    keytool -genkey -keyalg RSA -validity 5000 -alias Client private key alias -keystore client-keystore.jks 
    -dname "cn=client" -keypass Private key password -storepass KeyStore password
  3. To verify that the keys have been correctly created, run the following keytool command. This is an optional step:

    keytool -list -keystore client-keystore.jks -storepass KeyStore password
  4. To use the key, sign it by running the following keytool command:

    keytool -selfcert -validity 5000 -alias Client private key alias -keystore client-keystore.jks 
    -keypass Private key password -storepass KeyStore password
  5. Export the client public key by running the following keytool command:

    keytool -export -alias Client private key alias -keystore client-keystore.jks 
    -file client.pubkey -keypass Private key password -storepass KeyStore password

Configuring a Keystore and Key on the Server Side

To configure a keystore on the Oracle Content Server side:

  1. In the same development environment, go to JDEV_HOME/jdk/bin and open the command prompt.

  2. Generate the server keystore by running the following keytool command:

    keytool -genkey -keyalg RSA -validity 5000 -alias Server public key alias 
    -keystore server-keystore.jks -dname "cn=server" -keypass Private server key password -storepass KeyStore password
  3. To verify that the key has been correctly created, run the following keytool command:

    keytool -list -keystore server-keystore.jks -keypass Server private key password -storepass KeyStore password
  4. To use the key, sign it by running the following keytool command:

    keytool -selfcert -validity 5000 -alias Server public key alias -keystore server-keystore.jks 
    -keypass Private server key password -storepass KeyStore password
  5. Export the server public key to the server keystore by running the following keytool command:

    keytool -export -alias Server public key alias -keystore server-keystore.jks 
    -file server.pubkey -keypass Server private key password -storepass KeyStore password

Verifying Signatures of Trusted Clients

To verify signatures of trusted clients, import the client public key into the server keystore:

  1. In your development environment, go to JDEV_HOME/jdk/bin and open the command prompt.

  2. To verify the signature of trusted clients, import the client's public key in to the server keystore by running the following keytool command:

    keytool -import -alias Client public key alias -file client.pubkey -keystore 
    server-keystore.jks -keypass Private server key password -storepass KeyStore password
  3. Import the server public key into the client keystore by running the following keytool command:

    keytool -import -alias Server public key alias -file server.pubkey -keystore 
    client-keystore.jks -keypass Private key password -storepass KeyStore password

    When the tool prompts you if the key is self certified, you must enter Yes. Example 9-1 shows a sample output that is generated after this procedure is completed successfully.

    Example 9-1 Sample Output Generated by the Keytool

    [user@server]$ keytool -import -alias client -file client.pubkey
    -keystore server-keystore.jks -keypass Server private key password -storepass Keystore password
    Owner: CN=client
    Issuer: CN=client
    Serial number: serial number, for example, 123a19cb
    Valid from: Date, Year, and Time until: Date, Year, and Time
    Certificate fingerprints:
    Trust this certificate? [no]:  yes
    Certificate was added to keystore.

Securing Identity Propagation

To secure identity propagation, you must configure SSL on Oracle Content Server.

  1. Log into Oracle Content Server as an administrator.

  2. From Administration, choose Providers. The Create a New Provider page displays.

  3. Click Add for sslincoming. The Add Incoming Provider page displays.

  4. In Provider Name, enter a name for the provider, for example, sslincomingprovider.

    When the new provider is set up, a directory with the provider name is created as a subdirectory of the CONTENT_SERVER_HOME/data/providers directory.

  5. In Provider Description, briefly describe the provider, for example, SSL Incoming Provider for securing the Content Server.

  6. In Provider Class, enter the class of the sslincoming provider, for example, idc.provider.ssl.SSLSocketIncomingProvider.


    You can add a new SSL keepalive incoming socket provider or a new SSL incoming socket provider. Using a keepalive socket improves the performance of a session and is recommended for most implementations.
  7. In Connection Class, enter the class of the connection, for example, idc.provider.KeepaliveSocketIncomingConnection.

  8. In Server Thread Class, enter the class of the server thread, for example, idc.server.KeepaliveIdcServerThread.

  9. In Server Port, specify an open server port, for example, 5555.

  10. Select the Require Client Authentication checkbox.

  11. In Keystore password, enter the password to access the keystore.

  12. In Alias, enter the alias of the keystore.

  13. In Alias password, enter the password of the alias.

  14. In Truststore password, enter the password of the trust store.

  15. Click Add. The new incoming provider is now set up.

  16. Go to the new provider directory that was created in step 4.

  17. To specify truststore and keystore, create a file named sslconfig.hda.

  18. Copy the server keystore to the server.

  19. Configure the sslconfig.hda file. Example 9-2 shows how the .hda file should look after you include the truststore and keystore information.

    Example 9-2 Sample sslconfig.hda File

    @Properties LocalData

9.7.2 Configuring the Load Balancer

You must configure the load balancer to act as a socket load balancer. This will be used to make socket connections from the Oracle HTTP Server as well as WebCenter.

  1. Configure load balancer addresses.

    A virtual address should be configured on the load balancer. This address will only be used internally to access Oracle Content Server (OCS). This address should be configured to route to the OCS cluster.


    Virtual host on load balancer: wcinternal.mycompany.com:9054

    Maps to: WCHOST1:9054, WCHOST2:9054

    Load-balancing method: round-robin

  2. Reconfigure Oracle HTTP Server and Content Server.

    Oracle HTTP Server and Content Server both must be reconfigured to support the new virtual address.

    1. On the Content Server machine (WCHOST1), in the file <content_server_dir>/data/users/SecurityInfo.hda, replace the two occurrences of WCHOST1 (under @Properties LocalData and @ResultSet ProxiedServers) with the virtual host name wcinternal.mycompany.com.

    2. Copy the SecurityInfo.hda file to the same directory on the Oracle HTTP Server host. This should overwrite the copy of the file already there.

  3. Restart the Content Server and Oracle HTTP Server. Verify that the address and login work as before.

9.7.3 Installing Content Server Cluster

Each Content Server node is installed using the cluster installer which can be found in <content_server_dir>/bin.

Before proceeding, shut down the Content Server and Admin Server from the previous installation. The installation process consists of the following steps: Installing the First Content Server Node

From the first node (WCHOST1), run the following command (all on one line):


For <node_name>, specify WCHOST1.

For <ocs-stub>, use a local directory, for example, /u01/app/oracle/product/ucm.

For Set-ClusterBinDirRule, specify local. Installing the Second Content Server Node

From the second node (WCHOST2), run the command (all on one line):


For <node_name>, specify WCHOST2.

For <ocs-stub>, use a local directory, for example, /u01/app/oracle/product/ucm.

For Set-ClusterBinDirRule, specify local. Post-Installation Steps

After setting up the nodes, add the following lines to the <ocs-stub>/bin/intradoc.cfg and the <ocs-stub>/admin/bin/intradoc.cfg files on each of the nodes WCHOST1 and WCHOST2:


<node_name> is the identifier for the node.

<cluster_name> is the identifier for the cluster.

All nodes should have a different node name, but should have the same cluster group name. For example, WCHOST1 would be configured as follows:


And WCHOST2 would be configured as follows:

ArchiverDoLocks=true Starting the Servers

Start Oracle Content Server and Admin Server on each node using the binaries in <ocs-stub>/bin.

Verify that the log and PID files are created in the <ocs-stub>/admin/etc and <ocs-stub>/etc directories.

Start Oracle HTTP Server on WEBHOST1.

9.8 Adding Another Oracle HTTP Server and Configuring a Load Balancer

This section contains the following sections:

9.8.1 Configuring the Second Oracle HTTP Server

To configure the second Oracle HTTP Server (that is, the Oracle HTTP Server on WEBHOST2), perform the steps in Section 9.4.2, "Steps to Perform on the Oracle HTTP Server Machine."

Validate that the Content Server is accessible at http://WEBHOST2:7777/idc.

9.8.2 Configuring the Load Balancer

The load balancer in the WebCenter enterprise topology should already be able to send requests from the load balancer address:


to both




Validate the above before continuing.

9.8.3 Configuring the Content Server's HTTP Address

The Content Server's HTTP address must be reconfigured to point from WEBHOST1 to the load balancer.

In the file <content_server_dir>/config/config.cfg, edit the HttpServerAddress line to:


9.9 Reconfiguring the Content Server to Support RAC

In the file <content_server_dir>/config/config.cfg, edit the JdbcConnectionString line to provide an RAC connection string. For example:

                  (ADDRESS=(PROTOCOL=TCP) (HOST=RACHOST2) (PORT=1521))

9.10 Backing Up the Installation

Back up all the installation files on both the Web machine and the Content Server machine.

For the HTTP Server machine, back up the configuration directory:

WEBHOST1> tar -cvpf ucmWHconfigback.tar /shared/oracle/ucm/server

For the Content Server machine, back up all install files and configuration:

WCHOST1> tar -cvpf ucmCSback.tar /shared/oracle/ucm/server

In addition, back up the cluster configuration files:

WCHOST1> tar -cvpf ucmCS1back.tar <ocs-stub>
WCHOST2> tar -cvpf ucmCS2back.tar <ocs-stub>