4.1 Introduction to Oracle UCM and Content Server Security

Content Server is deployed on an Oracle Universal Content Management (Oracle UCM) domain, which is deployed on an Oracle WebLogic Server domain on Oracle Fusion Middleware. Security is supported at multiple levels including Content Server, Oracle WebLogic Server, and Oracle Platform Security Services.

Access to content in the Content Server repository requires a Content Server administrator to manage content, users, and groups, as well as roles, permissions, and accounts. An Oracle WebLogic Server administrator functions as the Content Server administrator. The Oracle WebLogic Server administrator must log in to Content Server and set up the primary Content Server administrator account and password, if no such user was configured during deployment. Once the Content Server administrator is configured, then content management tasks can be performed on Content Server.

Most user management tasks must be performed with the Oracle WebLogic Server Administration Console rather than the User Admin applet in Content Server. By default, Oracle UCM uses the Oracle WebLogic Server user store to manage user names and passwords, and the credential store is leveraged to grant users access to Content Server. Oracle Platform Security Services provides alternatives to the default Oracle WebLogic Server user store, such as Oracle Internet Directory, which can support users and passwords for an enterprise level system.

Content Server offers two levels of security for repository content: security groups (which are required) and accounts (which are optional). Every content item is assigned to a security group, and if accounts are enabled, then content items can also be assigned to an account. Users are assigned a certain level of permission (Read, Write, Delete, or Admin) for each security group and account, which enables them to work with a content item only to the extent that they have permissions to the item's security group and account.

4.1.1 Security Features

4.1.1.1 Security Integration with Oracle WebLogic Server

With 11g Release 1 (11.1.1) of Oracle Universal Content Management (Oracle UCM), Content Server is deployed on an Oracle WebLogic Server domain and uses Oracle Platform Security Services (OPSS) to authenticate and manage user access through Oracle WebLogic Server.

If you have used earlier versions of Content Server, be aware of the following changes to security:

  • During Oracle WebLogic Server installation and configuration, a default administration user must be specified. When this user first logs in to Content Server, a password is not required, however, the Post Installation Configuration Page is displayed for further configuration and to specify a Content Server administrator login and password.

  • When Content Server is installed, a JpsUserProvider is set up by default to communicate with the Oracle WebLogic Server user store for user authentication and access.

  • All users authenticated through external security (using JpsUserProvider with Oracle WebLogic Server or another provider with Oracle WebLogic Server) are considered external Content Server users. The first time users log in to Content Server they are added to the Content Server database, and administrators can view external user information through the Repository Manager. However, external users are not automatically included in user lists, such as the Author field on a content Check In page.

  • By default, Content Server uses the Oracle WebLogic Server user store to manage user names and passwords. Most user management tasks must be performed with the Oracle WebLogic Server Administration Console instead of Content Server's User Admin applet. Although a Content Server administrator can use the User Admin applet to create local users and assign passwords and roles on Content Server, for local users to be authenticated for access to Content Server they must also be created and assigned passwords and roles using Oracle WebLogic Server.

    Note:

    Any user created solely in Content Server is not recognized by Oracle WebLogic Server.
  • The Oracle WebLogic Server user store also manages some additional user metadata, such as e-mail address and display name. You can edit these values in the Oracle WebLogic Server Administration Console: open the domain's Security Realms, select the realm name, choose Users and Groups, select the user name, and open the Attributes tab.

    User metadata can be changed in Content Server, but only after users have logged in to Content Server at least one time to establish themselves as users in Content Server. After the first login, users can update their User Profile page, or a Content Server administrator can set user attribute values with the User Admin applet.

  • Users can be assigned groups in Oracle WebLogic Server. When a user logs in to Content Server, the user's groups are mapped to Content Server roles. For Oracle WebLogic Server groups to be recognized in Content Server, roles with exactly the same names must be created in Content Server and assigned permissions on security groups. If this is not done, the Oracle WebLogic Server groups assigned to a user have no effect on that user's privileges in Content Server.

  • It is recommended that any configuration with an external user store, such as an LDAP server, be performed with the Oracle WebLogic Server Administration Server instead of Content Server. Oracle WebLogic Server uses an embedded LDAP server by default, but it can also be configured to work with other LDAP servers such as Oracle Internet Directory. Integration with an external user store applies to the whole domain, including all of its servers; if the Oracle WebLogic Server Administration Server is shut down, Oracle UCM and the other applications in the domain continue to use the configured LDAP server.

For more information on security integration and configuration, see "Configuring Security for Oracle UCM and Content Server".

4.1.1.2 Security within Content Server

Administrators set up initial user and content security within Content Server by using the User Admin application to define user roles, permissions to groups, and accounts. Oracle WebLogic Server is used to create user accounts and assign each user to one or more of the roles, which in turn are assigned specific permissions to security groups. If accounts are enabled, administrators can assign each user specific permissions to certain accounts, which then limits the permissions they might otherwise have through their assigned roles.

For details, see "Security Groups, Roles, and Permissions", "Accounts", and "User Logins and Aliases".
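
The access model described in the introduction (security groups, accounts, and the Read, Write, Delete, and Admin permissions), the group-to-role mapping noted under "Security Integration with Oracle WebLogic Server", and the role and account assignments described above can be tried out with the following model. It is an added example, not Oracle's code and not part of this guide. The role, group, account, and user names are invented sample data, and two rules the page does not spell out (the highest permission granted by any role wins; an item without an account is governed by its security group alone) are assumptions marked as such in the code.

```python
"""
Added example (not Oracle's code): a small model of how Content Server
arrives at a user's effective permission on a content item.

  1. Oracle WebLogic Server groups map to Content Server roles of exactly
     the same name; groups with no matching role are ignored.
  2. Each role grants a permission on one or more security groups. The
     permission ladder is Read < Write < Delete < Admin, and each level
     includes the ones below it.
  3. If accounts are enabled and the item has an account, the user's
     permission on that account can only narrow the security group
     permission, never widen it.

ASSUMPTIONS (not stated on the page): when several roles grant different
permissions on the same security group the highest one applies, and an
item with no account is governed by its security group alone. All names
used below are constructed sample data.
"""
from typing import Dict, Iterable, Optional, Set

# Permission ladder. "None" is the absence of any permission.
LEVELS: Dict[str, int] = {"None": 0, "Read": 1, "Write": 2, "Delete": 3, "Admin": 4}
LEVEL_NAMES: Dict[int, str] = {v: k for k, v in LEVELS.items()}


class ContentServerAccess:
    def __init__(self, accounts_enabled: bool = False) -> None:
        self.accounts_enabled = accounts_enabled
        # role name -> {security group -> permission name}
        self.role_perms: Dict[str, Dict[str, str]] = {}
        # user name -> {account name -> permission name}
        self.account_perms: Dict[str, Dict[str, str]] = {}

    def define_role(self, role: str, group_perms: Dict[str, str]) -> None:
        """Create a Content Server role and its permissions on security groups."""
        self.role_perms[role] = dict(group_perms)

    def grant_account(self, user: str, account: str, perm: str) -> None:
        """Give a user a permission on an account (only used when accounts are enabled)."""
        self.account_perms.setdefault(user, {})[account] = perm

    def roles_for(self, wls_groups: Iterable[str]) -> Set[str]:
        """Map Oracle WebLogic Server groups to roles: exact name match only."""
        return {g for g in wls_groups if g in self.role_perms}

    def security_group_level(self, roles: Iterable[str], security_group: str) -> int:
        # ASSUMPTION: the highest permission granted by any role wins.
        return max(
            (LEVELS[self.role_perms.get(r, {}).get(security_group, "None")] for r in roles),
            default=0,
        )

    def effective_permission(
        self,
        user: str,
        wls_groups: Iterable[str],
        security_group: str,
        account: Optional[str] = None,
    ) -> str:
        level = self.security_group_level(self.roles_for(wls_groups), security_group)
        if self.accounts_enabled and account is not None:
            # Accounts restrict: the result is the lower of the two permissions.
            account_level = LEVELS[self.account_perms.get(user, {}).get(account, "None")]
            level = min(level, account_level)
        # ASSUMPTION: an item without an account is governed by its security group alone.
        return LEVEL_NAMES[level]

    def allows(
        self,
        user: str,
        wls_groups: Iterable[str],
        security_group: str,
        account: Optional[str],
        needed: str,
    ) -> bool:
        """True if the user's effective permission is at least `needed` on the ladder."""
        have = self.effective_permission(user, wls_groups, security_group, account)
        return LEVELS[have] >= LEVELS[needed]


if __name__ == "__main__":
    acl = ContentServerAccess(accounts_enabled=True)
    acl.define_role("contributor", {"Public": "Write", "Secure": "Read"})
    acl.define_role("sysmanager", {"Public": "Admin", "Secure": "Admin"})
    acl.grant_account("alice", "Eng", "Write")
    # "HRStaff" exists only in Oracle WebLogic Server, so it contributes nothing.
    print(acl.effective_permission("alice", ["contributor", "HRStaff"], "Secure"))
    # Admin on the security group, but the account caps the result at Write.
    print(acl.effective_permission("alice", ["sysmanager"], "Public", "Eng"))
```

The two lines that matter for a practitioner are the `max` over roles and the `min` against the account: an account never grants more than the security group allows, so a user with Admin on a security group still gets only Write on items in an account where that user holds Write, and nothing at all on an account the user has not been granted.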

The following components also can be used to provide additional internal Content Server security:

  • Security can be customized for user access by using the ExtranetLook component, which is installed (disabled) with Content Server. See "Login/Logout Customization" for details.

    Note:

    The ExtranetLook component is not applicable when Oracle WebLogic Server is used as the Web server for Content Server. In that configuration, the security implementation is modified by customizing Oracle WebLogic Server and its administrative configuration directly.
  • Security can be customized for user access and search results by using the Need to Know component. This component enables you to further configure user access restrictions, modify the display of search results, alter search behavior, and set up hit list roles. To use this component, you must install and enable it. For more information, see Appendix B, "Need to Know Component".

Be aware that Internet Explorer 7 displays the following message to users logging in with basic authentication over a connection that is not secured with SSL:

Warning: This server is requesting that your username and password be sent in an insecure manner

The warning is accurate. Basic authentication has always transmitted the user name and password in the clear (Base64-encoded, not encrypted), so this behavior is not new and is not a defect in Content Server, but anyone who can observe the network path can recover the credentials. Protect basic-authentication logins by requiring SSL (HTTPS) on the connection, as recommended in "Content Server Security Recommendations".

4.1.1.3 Additional Security Options

Content Server can combine authentication methods. For example, you can define some users in Oracle WebLogic Server, allow some users to log in using their Microsoft domain identity, and grant other users Content Server access based on their LDAP credentials. However, authentication is configured through Oracle WebLogic Server, so the combination of methods is limited. Users can authenticate against multiple authentication stores, but because of the Oracle Platform Security Services and Oracle WebLogic Server integration, only one of the configured user stores can be used to extract authorization (group) information.

The following options can be used to provide additional security:

  • Security can be customized to support encrypted socket communication and authentication by using the Security Providers component, which is installed (enabled) by default with Content Server. This component enables a Secure Sockets Layer (SSL) provider, which can be configured to use certificates for socket or server authentication.

    If you use SSL and HTTPS to connect to Content Server, and are unable to connect through WebDAV, try connecting to the Content Server through the browser using the same URL you used in your WebDAV connection string. This lets you see if there is a problem with the certificate, which is used to encrypt communications. If you get a dialog box stating a problem with the certificate, resolve the issue and then try to connect through WebDAV again.

  • For users to access Content Server through different Web server front ends, where one front end uses HTTPS and the other uses HTTP, customize the Content Server configuration using the BrowserUrlPath component. This component is installed (disabled) by default with Content Server and supports a Web server front end that uses HTTPS together with a load balancer that substitutes its own name in the HTTP Host header. If you use only one access method (only HTTPS, or only HTTP), or your load balancer does not replace the Host header sent by the browser, then this component is unnecessary. For more information see "Browser URL Customization".

  • Extended security attributes can be assigned to external users or to users for a specific application. The extended attributes are merged into pre-existing user attributes and enable additional flexibility in managing users. For more information see "Extended User Attributes".

  • Content Server can be customized to filter data input for illegal or corruptive HTML constructs. For more information see "Filter Data Input".

In all environments, a comprehensive understanding of your organization's security needs and a thorough planning phase is crucial to a successful security integration.

4.1.2 Types of Users

User access to Content Server can be set up in multiple ways, but user authentication can only be managed with Oracle WebLogic Server. Content Server supports the following user types:

4.1.2.1 External Users

External users are defined outside the Content Server system and authenticated by external security with Oracle WebLogic Server. Once authenticated, external users can use the Oracle UCM login screen to access Content Server. Generally, external users are users in a trusted domain to whom you grant access and do not manage through Content Server. Their passwords are owned by the Oracle WebLogic Server, the network domain, or another provider, although the User Admin applet can be used to set a user password when converting an external user to a local user. Unlike local users, undefined external users are not assigned the guest role.

The first time users log in to Content Server they are added to the Content Server database, and administrators can view external user information through the Repository Manager. However, external users are not automatically included in user lists, such as the Author field on a content Check In page. If an Override check box is selected on a user's User Profile page, any user information defined in the Content Server database overrides the user information derived from the external user base.

The User Admin applet only shows users after they have logged in at least one time to Content Server. All users from the Oracle WebLogic Server user store are shown as external users.

By default, external security integrations map a limited set of user information (user name, password, roles, accounts, and some additional information such as e-mail address) from the external user base to the Content Server. If you are using LDAP integration, then additional user information, such as e-mail address or user locale, can be mapped from the embedded LDAP server in Oracle WebLogic Server and integrated with Oracle Platform Security Services.

The following is a list of common characteristics of external users:

  • Login is Defined By: Participation in an external user database.

    • Trusted domain (such as Oracle WebLogic Server)

    • Other database

  • Access is Determined By: Credentials from a trusted domain or other user base (such as the Oracle WebLogic Server user store or LDAP).

  • User Login: Oracle WebLogic Server and Content Server must be running for users to log in.

  • User password: User passwords are defined on Oracle WebLogic Server or another user base (such as an LDAP server) by the administrator. Users cannot change their passwords on Content Server.

  • Interface Issues: User names do not appear in the content check-in lists. However, users can participate in workflows.

Follow these steps to set up roles, groups, and accounts for external users:

  1. Set up security groups. See "Adding a Security Group on Content Server".

  2. Establish roles. See "Creating a Role on Content Server".

  3. Arrange permissions. See "Adding and Editing Permissions on Content Server".

  4. (Optional) Use accounts. See "Enabling Accounts on Content Server".

For details about creating external users, see Administrator's Guide for Oracle WebLogic Server Administration Console Online Help.

4.1.2.2 Local Users

Local users are defined by an administrator within the Content Server system. Administrators assign these users one or more roles, which provide the user with access to security groups.

Caution:

Local users are not supported on Oracle WebLogic Server. Although Content Server administrators can create and configure local users with the User Admin applet, for local users to be authenticated for access to Content Server the users and passwords also must be created on Oracle WebLogic Server. The default user type supported in 11g Release 1 (11.1.1) is External Users.

The following is a list of common characteristics of local users:

  • Logins are Created By: Administrator in the Content Server instance.

  • Access is Determined By: Content Server roles, which provide access to security groups.

  • User Login: Local users cannot log in to the Content Server Admin Server because the Admin Server requires logging in through Oracle WebLogic Server.

  • User Password: Users can change their passwords.

  • Interface Issues: User names appear in the content check-in lists. Users can change their full name, e-mail address, and user type.

  • Recommended for: 1000 or fewer users. Because of performance considerations, do not configure more than 1000 local users.

Follow these steps to set up local users:

  1. Set up security groups. See "Adding a Security Group on Content Server".

  2. Establish roles. See "Creating a Role on Content Server".

  3. Arrange permissions. See "Adding and Editing Permissions on Content Server".

  4. Assign user logins. See "Adding a User Login".

  5. (Optional) Use accounts. See "Enabling Accounts on Content Server".

4.1.3 Content Server Security Recommendations

The following is a series of recommendations for improving overall security on a Content Server instance. Use all of the following types of security together; no single measure secures Content Server on its own:

  • Access to the directory structure: Secure the file system to allow access to only those operating system accounts that require access.

    • Read Access: Specify Read access for the system administrator to check log files and for those who need to perform regular backups and periodic disaster recovery backups.

      Oracle WebLogic Server does not require an external Web server because it has its own Web server. If you are using a configuration with an external Web server, also set Read access for the account that runs the Web server to access and deliver files from the Content Server Web site to the user's browser. The Web site includes the files stored under the /weblayout directory and the /data directory.

    • Write Access: Specify Write access for the system administrator to install new software and perform customization. Also set Write access for the operating system account that runs Content Server and, if it is deployed, the account that runs Inbound Refinery.

    There should be no need to grant any other account access to the Content Server directory structure (unless you run some other process to access data directly).

  • Network Access: Configure the network to allow access to the Content Server directory structure only through the Content Server application.

    The /data directory and the /config directory contain user names and passwords. These directories should not be shared on the network.

    For extra security, transmissions to and from the Web server should be encrypted by using Secure Sockets Layer (SSL).

  • Database Access: Content Server uses a single database account to access data stored in the database. Choose a database user name and password that are hard to guess, and change the password periodically.

  • Physical Access: Keep the server that is running Content Server in a locked room.
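
The directory-access and network-access recommendations above ("allow access to only those operating system accounts that require access", and /data and /config "should not be shared") can be checked with the following audit. It is an added example, not Oracle's code and not part of this guide. The directory paths in the usage section are placeholders, and treating the owning group as a read-only audience (system administrators checking logs, backup operators) is an assumption about how the host is set up, marked as such in the code.

```python
"""
Added example (not Oracle's code): audit file-system permissions on the
Content Server directories a site should keep private, such as /data and
/config. Every entry under each directory is checked and reported if it is
readable or writable by operating system accounts outside the owner and
the owner's group.

ASSUMPTION: the owning group contains the accounts that only need Read
(log checks, backups), so group-write is reported too unless the caller
opts out. Placeholder paths are used in the __main__ section.
"""
import os
import stat
import sys
from typing import List, Tuple

# (path, problem)
Finding = Tuple[str, str]


def audit_directory(root: str, group_may_write: bool = False) -> List[Finding]:
    """Return (path, problem) pairs for entries under root that are too open."""
    if not os.path.isdir(root):
        return [(root, "missing or not a directory")]
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, name) for name in dirnames + filenames)
    findings: List[Finding] = []
    for path in paths:
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            continue  # a symlink's own mode bits do not govern access to the target
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        elif mode & stat.S_IROTH:
            findings.append((path, "world-readable"))
        elif mode & stat.S_IWGRP and not group_may_write:
            # ASSUMPTION: the owning group only needs Read on these directories.
            findings.append((path, "group-writable"))
    return findings


def audit_content_server(roots: List[str], group_may_write: bool = False) -> List[Finding]:
    """Audit each directory in turn and merge the findings."""
    findings: List[Finding] = []
    for root in roots:
        findings.extend(audit_directory(root, group_may_write))
    return findings


if __name__ == "__main__":
    # Placeholder paths; pass the real /data and /config locations as arguments.
    targets = sys.argv[1:] or ["/u01/app/ucm/data", "/u01/app/ucm/config"]
    results = audit_content_server(targets)
    for path, problem in results:
        print(f"{problem}: {path}")
    sys.exit(1 if results else 0)
```

Run it as the Content Server service account (or root) so that every entry can be stat'ed, and pass `group_may_write=True` only if the site deliberately lets a shared group write to these directories. A non-zero exit makes it usable as a post-install or periodic check.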