Oracle® Beehive Installation Guide Release 1 (1.4) for Linux x86 Part Number E13791-03 |
Oracle Beekeeper is available for Oracle Beehive Release 1 (1.3) and later.
Depending on your security requirements or any other issue particular to your deployment, perform one or more of the following procedures after installing Oracle Beekeeper:
1. Create a keystore with the keytool command, which is located in <Oracle Beekeeper home>/jdk/bin. The following example creates a keystore named server.keystore in the directory <Oracle Beekeeper home> with the password welcome, holding a self-signed RSA key pair whose certificate is valid for 90 days:

    keytool -genkey -keyalg "RSA" \
        -keystore <Oracle Beekeeper home>/server.keystore \
        -storepass welcome -validity 90

   keytool prompts for the certificate's distinguished name; enter as the common name (CN) the host name through which users reach Oracle Beekeeper, otherwise browsers report a host-name mismatch. The password welcome and the 90-day validity are example values only: choose a strong keystore password (it is stored in clear text in the keystore-password attribute of secure-web-site.xml, so restrict read access to that file) and a validity period that matches your certificate renewal schedule. Because the certificate is self-signed, browsers warn on connection until it is trusted or replaced with one issued by your CA.
Note: For more information about the keytool utility, refer to http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.
For additional information, refer to "Using Keys and Certificates with OC4J and Oracle HTTP Server" and "Using SSL with Standalone OC4J" in Chapter 15, "SSL Communication with OC4J" in Oracle Containers for J2EE Security Guide.
2. Make a copy of <Oracle Beekeeper home>/j2ee/home/config/default-web-site.xml and name it <Oracle Beekeeper home>/j2ee/home/config/secure-web-site.xml.
3. In secure-web-site.xml, edit the <web-site> element. Set the port attribute to any available port number, secure to true, and protocol to https:

    <web-site xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd"
        port="4443"
        secure="true"
        protocol="https"
        display-name="Default Web Site"
        schema-major-version="11"
        schema-minor-version="1">

   On Linux, ports below 1024 can only be bound by root, so keep to an unprivileged port such as 4443 unless OC4J runs as root, which is not recommended.
Note: You may also add the attribute virtual-hosts to the <web-site> element to use both SSL and virtual hosts. Refer to "Configuring Virtual Host" for more information.

4. Add the following element inside the <web-site> element:

    <ssl-config
        keystore="<Oracle Beekeeper home>/server.keystore"
        keystore-password="welcome"/>

   Set the attribute keystore to the full path name of the keystore you created previously. Set the attribute keystore-password to the password of the keystore.
5. In <Oracle Beekeeper home>/j2ee/home/config/server.xml, edit the <web-site> element so that its path attribute points to the new file, path="./secure-web-site.xml":

    <web-site path="./secure-web-site.xml"/>
6. Restart OC4J as described in "Restarting OC4J".
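The file edits in steps 2 to 5 can be scripted and checked before OC4J is restarted. The following Python script is an added example, not part of this guide or of Oracle Beekeeper. It works on constructed, trimmed samples of default-web-site.xml and server.xml (the real files carry more child elements, which the script leaves untouched), and the keystore path /opt/beekeeper/server.keystore, the port 4443 and the password s3cret are illustrative values. It rewrites the <web-site> attributes, adds the <ssl-config> element, points server.xml at secure-web-site.xml, and flags two mistakes that are easy to make when copying the guide's example: a keystore given as a relative path and the documentation password welcome left in place.

```python
"""Script the SSL edits to secure-web-site.xml and server.xml and check them.

Added example (not Oracle Beekeeper code). Paths, port and password below are
illustrative; the XML samples are constructed and trimmed.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Make sure the xsi: prefix is kept on output (ElementTree would otherwise
# invent an ns0: prefix for an unregistered namespace).
ET.register_namespace("xsi", XSI)

# Constructed sample of default-web-site.xml, trimmed to the <web-site> element
# and a single child; a real file also carries <access-log>, <web-app>, etc.
DEFAULT_WEB_SITE_XML = """\
<web-site xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd"
    port="7778" secure="false" protocol="http" display-name="Default Web Site"
    schema-major-version="11" schema-minor-version="1">
  <default-web-app application="default" name="defaultWebApp"/>
</web-site>
"""

# Constructed sample of server.xml, trimmed to the <web-site> reference.
SERVER_XML = """\
<application-server xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/11/server-11_1.xsd"
    application-directory="../applications">
  <web-site path="./default-web-site.xml"/>
</application-server>
"""

# Example passwords from the documentation that must not reach a real deployment.
DOCUMENTATION_PASSWORDS = frozenset({"welcome", "welcome1"})


def make_secure_web_site(default_xml, port, keystore, keystore_password):
    """Return secure-web-site.xml text built from a copy of default-web-site.xml:
    port/secure/protocol switched to HTTPS and an <ssl-config> child added."""
    root = ET.fromstring(default_xml)
    if root.tag != "web-site":
        raise ValueError("not a web-site.xml document")
    if not keystore.startswith("/"):
        # OC4J wants the full path; a relative one depends on the working directory.
        raise ValueError("keystore must be the full path name of the keystore")
    root.set("port", str(int(port)))
    root.set("secure", "true")
    root.set("protocol", "https")
    for old in root.findall("ssl-config"):   # keep the edit idempotent
        root.remove(old)
    ssl = ET.SubElement(root, "ssl-config")
    ssl.set("keystore", keystore)
    ssl.set("keystore-password", keystore_password)
    return ET.tostring(root, encoding="unicode")


def point_server_at(server_xml, site_file="./secure-web-site.xml"):
    """Return server.xml text with the <web-site> path attribute set to site_file."""
    root = ET.fromstring(server_xml)
    sites = root.findall("web-site")
    if not sites:
        raise ValueError("server.xml has no <web-site> element")
    for site in sites:
        site.set("path", site_file)
    return ET.tostring(root, encoding="unicode")


def check_secure_site(secure_xml):
    """Pre-restart checks on secure-web-site.xml; returns a list of problems."""
    root = ET.fromstring(secure_xml)
    problems = []
    if root.get("secure") != "true" or root.get("protocol") != "https":
        problems.append("web-site is not secure=true/protocol=https")
    ssl = root.find("ssl-config")
    if ssl is None:
        problems.append("missing <ssl-config> element")
        return problems
    if not ssl.get("keystore", "").startswith("/"):
        problems.append("ssl-config keystore is not a full path")
    if ssl.get("keystore-password") in DOCUMENTATION_PASSWORDS:
        problems.append("keystore-password is still the documentation example value")
    return problems


if __name__ == "__main__":
    secure = make_secure_web_site(DEFAULT_WEB_SITE_XML, 4443,
                                  "/opt/beekeeper/server.keystore", "s3cret")
    print(secure)
    print(point_server_at(SERVER_XML))
    print("problems:", check_secure_site(secure))
```

To apply it to a real installation, read default-web-site.xml and server.xml with open(), write the returned text to secure-web-site.xml and back to server.xml, and leave default-web-site.xml itself untouched, as step 2 requires a copy rather than an in-place edit.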
If you have configured Oracle Beehive for SSL access and you want to add or modify a directory profile, you must specify the location of an Oracle Wallet configured for Oracle Beehive in the UnmanagedOc4j component in which Oracle Beekeeper runs.

Note: For information about directory profiles (or LDAP mapping profiles), refer to "Step 1: Creating an LDAP Mapping Profile" in "Integrating and Synchronizing LDAP with Oracle Beehive". For more information about configuring Oracle Wallet for Oracle Beehive, refer to "Step 2: Configuring Oracle Beehive Instance to Use Oracle Wallet" in "Configuring TLS with Oracle Wallet".
1. Retrieve the component identifier for UnmanagedOc4j with the beectl list_components command. You may call this command from any Oracle Beehive application tier:

    beectl list_components --type UnmanagedOc4j

    ----------------+-------------------------------------------------------------
    Component type  | Component identifier
    ----------------+-------------------------------------------------------------
    UnmanagedOc4j   | e084c8c8-4a78-4852-8699-480b9bf4f79c
    ----------------+-------------------------------------------------------------
2. Set the WalletDir property in the UnmanagedOc4j component to the location of your Oracle Wallet:

    beectl modify_property --component <UnmanagedOc4j identifier> --name WalletDir --value <Oracle Wallet directory>

3. Activate the configuration:

    beectl activate_configuration
To change the port on which Oracle Beekeeper listens:

1. Edit the file <Oracle Beekeeper home>/j2ee/home/config/default-web-site.xml and modify the port attribute in the <web-site> element to any available port number. (If you have configured SSL for Oracle Beekeeper, server.xml points to secure-web-site.xml, so change the port in that file instead.)

    <web-site ... port="7779" ... >

2. Restart OC4J as described in "Restarting OC4J".
To extend the Java Single Sign-On session timeout for Oracle Beekeeper, add the custom.sso.session.timeout property (the last property in the following excerpt, shown with the value 3600) to the idm service instance in the file <Oracle Beekeeper home>/j2ee/home/config/jps-config.xml:
<serviceInstance name="idm" provider="idm.provider">
<description>JSSO Authentication Configuration</description>
<property name="idm.authentication.name" value="JavaSSO"/>
<property name="idm.token.asserter.class"
value="oracle.security.jps.internal.jsso.SSOCookieTokenAsserter"/>
<property name="idm.token.collector.class"
value="oracle.security.jps.internal.jsso.SSOCookieTokenCollector"/>
<property name="idm.token.type" value="COOKIE_TOKEN"/>
<property name="idm.token.collector.cookie.1" value="ORA_OC4J_SSO"/>
<property name="custom.sso.url.login" value="/jsso/SSOLogin"/>
<property name="custom.sso.url.logout" value="/jsso/SSOLogout"/>
<property name="custom.sso.cred.key" value="JSSO_KEY"/>
<property name="custom.sso.cred.alias" value="JSSO_ALIAS"/>
<property name="custom.sso.session.timeout" value="3600"/>
</serviceInstance>
After making changes to the jps-config.xml file, restart OC4J as described in "Restarting OC4J".
For more information about Java Single Sign-On, refer to Chapter 14, "OC4J Java Single Sign-On" in Oracle Containers for J2EE Security Guide.
You may configure Oracle Beekeeper so that it authenticates its users with credentials stored in your LDAP directory. These steps apply only if you have integrated and synchronized your Oracle Beehive instance with Oracle Internet Directory. Refer to "Integrating and Synchronizing LDAP with Oracle Beehive" for more information.
1. Edit the file <Oracle Beekeeper home>/j2ee/home/application-deployments/javasso/jps-config.xml and update the values in the following excerpt that are specific to your LDAP directory (at minimum the provider URL, the bind user and its credential, and the user and role search bases; also the object classes and attributes if your directory schema differs from the defaults shown):

    <serviceInstance name="beehive.ldap.loginmodule" provider="jaas.login.provider">
      <description>Beehive LDAP Login Module</description>
      <property name="loginModuleClassName" value="oracle.ocs.csi.authentication.login.modules.OcsLdapLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      <property name="oracle.security.jaas.ldap.user.object.class" value="inetOrgPerson"/>
      <property name="oracle.security.jaas.ldap.provider.connect.pool" value="true"/>
      <property name="oracle.security.jaas.ldap.provider.credential" value="!welcome1"/>
      <property name="oracle.security.jaas.ldap.provider.type" value="other"/>
      <property name="oracle.security.jaas.ldap.provider.url" value="ldap://ldapserver:389"/>
      <property name="oracle.security.jaas.ldap.role.searchscope" value="subtree"/>
      <property name="oracle.security.jaas.ldap.user.searchscope" value="subtree"/>
      <property name="oracle.security.jaas.ldap.user.searchbase" value="cn=Users,dc=us,dc=oracle,dc=com"/>
      <property name="oracle.security.jaas.ldap.role.searchbase" value="cn=Users,dc=us,dc=oracle,dc=com"/>
      <property name="oracle.security.jaas.ldap.role.object.class" value="groupOfUniqueNames"/>
      <property name="oracle.security.jaas.ldap.role.name.attribute" value="cn"/>
      <property name="oracle.security.jaas.ldap.provider.user" value="cn=orcladmin"/>
      <property name="oracle.security.jaas.ldap.user.name.attribute" value="uid"/>
      <property name="oracle.security.jaas.ldap.membership.searchscope" value="direct"/>
      <property name="oracle.security.jaas.ldap.member.attribute" value="uniqueMember"/>
      <property name="oracle.security.jaas.ldap.lm.cache_enabled" value="true"/>
      <property name="authenticated.role.name" value="authenticated-role"/>
    </serviceInstance>

   The example URL uses plain ldap:// on port 389. Over such a connection the bind credential, and every user password the login module verifies, cross the network unencrypted unless the path to the directory is protected by other means, so prefer an SSL-protected directory endpoint where your directory provides one.
Tips:

Obtain values for jps-config.xml from the following file:

    <Oracle Beehive home>/j2ee/<any OC4J container>/config/system-jazn-data.xml

For example,

    <Oracle Beehive home>/j2ee/BEEAPP/config/system-jazn-data.xml

Look for the <application> element that contains the element <name>beehive-auth-framework-password</name>.

Prepend the clear-text password of the administrator's account (the value of oracle.security.jaas.ldap.provider.credential, for the user named in oracle.security.jaas.ldap.provider.user) with an exclamation point (!). The exclamation point causes OC4J to obfuscate the password in the file the next time it is restarted; until that restart the password remains in clear text, so restrict read access to the file.
2. In the same file (jps-config.xml), set the default attribute of the <jpsContexts> element to ldap:

    <jpsContexts default="ldap">
3. Edit the file <Oracle Beekeeper home>/j2ee/home/application-deployments/beekeeper/jps-config.xml and make the same changes as in step 1.
4. In the same file (<Oracle Beekeeper home>/j2ee/home/application-deployments/beekeeper/jps-config.xml), set the default attribute of the <jpsContexts> element to jsso-ldap:

    <jpsContexts default="jsso-ldap">

5. Restart OC4J as described in "Restarting OC4J".
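The Java SSO session-timeout edit above and the LDAP login module edits in steps 1 to 4 both amount to setting <property> values on a named serviceInstance in jps-config.xml and, for LDAP, switching the default jpsContext. The Python script below is an added example, not part of this guide or of Oracle Beekeeper, that does exactly that on a constructed, trimmed stand-in for jps-config.xml (namespace declarations and most properties omitted; a real file keeps them). The LDAP URL, bind DN, base DNs and passwords it is called with are illustrative. It adds the exclamation point that tells OC4J to obfuscate the clear-text credential at the next restart without doubling it on a value that already carries one, and refuses to select a default jpsContext that the file does not define.

```python
"""Edit serviceInstance properties and the default jpsContext in jps-config.xml.

Added example (not Oracle Beekeeper code): the sample file below is constructed
and trimmed, and the LDAP host, base DNs and passwords are illustrative.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for <Oracle Beekeeper home>/j2ee/home/
# application-deployments/javasso/jps-config.xml.
JPS_CONFIG_XML = """\
<jpsConfig>
  <serviceInstances>
    <serviceInstance name="idm" provider="idm.provider">
      <description>JSSO Authentication Configuration</description>
      <property name="idm.authentication.name" value="JavaSSO"/>
      <property name="custom.sso.cred.key" value="JSSO_KEY"/>
    </serviceInstance>
    <serviceInstance name="beehive.ldap.loginmodule" provider="jaas.login.provider">
      <description>Beehive LDAP Login Module</description>
      <property name="oracle.security.jaas.ldap.provider.url" value="ldap://ldapserver:389"/>
      <property name="oracle.security.jaas.ldap.provider.user" value="cn=orcladmin"/>
      <property name="oracle.security.jaas.ldap.provider.credential" value="!welcome1"/>
      <property name="oracle.security.jaas.ldap.user.searchbase" value="cn=Users,dc=us,dc=oracle,dc=com"/>
      <property name="oracle.security.jaas.ldap.role.searchbase" value="cn=Users,dc=us,dc=oracle,dc=com"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default"/>
    <jpsContext name="ldap"/>
    <jpsContext name="jsso-ldap"/>
  </jpsContexts>
</jpsConfig>
"""

LDAP = "oracle.security.jaas.ldap."   # common prefix of the login-module properties


def _instance(root, name):
    inst = root.find(f".//serviceInstance[@name='{name}']")
    if inst is None:
        raise KeyError(f"no serviceInstance named {name!r}")
    return inst


def set_property(root, instance_name, prop_name, value):
    """Set (or add) one <property> of a serviceInstance, in place."""
    inst = _instance(root, instance_name)
    prop = inst.find(f"property[@name='{prop_name}']")
    if prop is None:
        prop = ET.SubElement(inst, "property")
        prop.set("name", prop_name)
    prop.set("value", value)


def get_property(xml_text, instance_name, prop_name):
    """Read one property value back; None if the instance has no such property."""
    prop = _instance(ET.fromstring(xml_text), instance_name).find(
        f"property[@name='{prop_name}']")
    return None if prop is None else prop.get("value")


def mark_for_obfuscation(password):
    """Prefix a clear-text password with '!' so OC4J obfuscates it at the next
    restart; a value that already carries the marker is returned unchanged."""
    return password if password.startswith("!") else "!" + password


def set_default_context(root, name):
    """Switch <jpsContexts default=...>, refusing a context the file does not define."""
    contexts = root.find("jpsContexts")
    if contexts is None or contexts.find(f"jpsContext[@name='{name}']") is None:
        raise ValueError(f"jps-config.xml defines no jpsContext named {name!r}")
    contexts.set("default", name)


def configure_jsso_timeout(xml_text, timeout):
    """Add or replace custom.sso.session.timeout on the idm instance (3600 in the guide)."""
    root = ET.fromstring(xml_text)
    set_property(root, "idm", "custom.sso.session.timeout", str(int(timeout)))
    return ET.tostring(root, encoding="unicode")


def configure_ldap_login(xml_text, url, bind_dn, bind_password,
                         user_base, role_base, default_context):
    """Point the Beehive LDAP login module at your directory and make the
    matching jpsContext the default (ldap for javasso, jsso-ldap for beekeeper)."""
    root = ET.fromstring(xml_text)
    inst = "beehive.ldap.loginmodule"
    set_property(root, inst, LDAP + "provider.url", url)
    set_property(root, inst, LDAP + "provider.user", bind_dn)
    set_property(root, inst, LDAP + "provider.credential", mark_for_obfuscation(bind_password))
    set_property(root, inst, LDAP + "user.searchbase", user_base)
    set_property(root, inst, LDAP + "role.searchbase", role_base)
    set_default_context(root, default_context)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(configure_jsso_timeout(JPS_CONFIG_XML, 3600))
    print(configure_ldap_login(JPS_CONFIG_XML, "ldap://oid.example.com:389",
                               "cn=orcladmin", "secret",
                               "cn=Users,dc=example,dc=com",
                               "cn=Groups,dc=example,dc=com", "jsso-ldap"))
```

Run configure_ldap_login once per file, with default_context set to ldap for the javasso copy and jsso-ldap for the beekeeper copy, then restart OC4J so the marked credential is obfuscated. A real jps-config.xml declares an XML namespace on its root element; if yours does, the element paths in the find() calls need that namespace added.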
To serve Oracle Beekeeper under a virtual host name:

1. Add virtual-hosts="beehive_admin.us.oracle.com" to the <web-site> element in default-web-site.xml. (Replace beehive_admin.us.oracle.com with the name of your virtual host.)

    <web-site
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd"
        port="7778"
        secure="false"
        protocol="http"
        display-name="Default Web Site"
        schema-major-version="11"
        schema-minor-version="1"
        virtual-hosts="beehive_admin.us.oracle.com">

2. Restart OC4J as described in "Restarting OC4J".
For information about starting and stopping OC4J, refer to Chapter 5, "Starting and Stopping OC4J" in Oracle Containers for J2EE Configuration and Administrator's Guide.