Oracle® Beehive Installation Guide Release 1 (1.5) for Microsoft Windows (32-Bit) Part Number E14831-05 |
|
|
View PDF |
Oracle Beekeeper is available for Oracle Beehive Release 1 (1.3) and later.
Depending on your security requirements or any other issue particular to your deployment, perform one or more of the following procedures after installing Oracle Beekeeper:
In Microsoft Windows, set the environment variable OPMN_USE_ORACLELIBS
to false
in your command shell if you use opmnctl
to control Oracle Beekeeper.
Refer to the section "Starting and Stopping Oracle Beekeeper" in "Starting and Stopping Oracle Beehive" in Oracle Beehive Administrator's Guide for more information about controlling Oracle Beekeeper with opmnctl
.
If you only use the Services management console (from the Windows Control Panel) to control Oracle Beekeeper, setting this environment variable is not necessary.
Create a keystore with the keytool
command. This command is located in <Oracle Beekeeper home>
/jdk/bin
. The following example will create a keystore named server.keystore
in the directory <Oracle Beekeeper home>
with the password welcome
:
keytool -genkey -keyalg "RSA"
-keystore <Oracle Beekeeper home>/server.keystore
-storepass welcome -validity 90
Note:
For more information about the keytool utility, refer tohttp://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html
.
For additional information, refer to "Using Keys and Certificates with OC4J and Oracle HTTP Server" and "Using SSL with Standalone OC4J" in Chapter 15, "SSL Communication with OC4J" in Oracle Containers for J2EE Security Guide.
In <Oracle Beekeeper home>
/j2ee/home/config/default-web-site.xml
, edit the <web-site>
element. Set the port
attribute to any available port number, secure
to true
, and protocol
to https
:
<web-site xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation= "http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd" port="4443" secure="true" protocol="https" display-name="Default Web Site" schema-major-version="11" schema-minor-version="1">
Note:
You may also add the attributevirtual-hosts
to the <web-site>
to use both SSL and virtual hosts. Refer to "Configuring Virtual Host" for more information.Add the following element inside the <web-site>
element:
<ssl-config
keystore="<Oracle Beekeeper home>/server.keystore"
keystore-password="welcome"/>
Set the attribute keystore
to the full path name of the keystore you created previously. Set the attribute keystore-password
to the password of the keystore.
Restart OC4J as described in "Restarting OC4J".
If you have configured Oracle Beehive for SSL access and you want to add or modify a directory profile, you must specify the location of an Oracle Wallet configured for Oracle Beehive in the UnmanagedOc4J component in which Oracle Beekeeper runs.
Note:
For information about directory profiles (or LDAP mapping profiles), refer to "Step 1: Creating an LDAP Mapping Profile" in "Integrating and Synchronizing LDAP with Oracle Beehive".For more information about configuring Oracle Wallet for Oracle Beehive, refer to "Step 2: Configuring Oracle Beehive Instance to Use Oracle Wallet" in "Configuring TLS with Oracle Wallet".
Retrieve the component identifier for UnmanagedOc4j with the beectl list_components
command. You may call this command from any Oracle Beehive application tier:
beectl list_components --type UnmanagedOc4j
----------------+-------------------------------------------------------------
Component type | Component identifier
----------------+-------------------------------------------------------------
UnmanagedOc4j | e084c8c8-4a78-4852-8699-480b9bf4f79c
----------------+--------------------------------------------------------------
Set the WalletDir property in the UnmanagedOc4j component to the location of your Oracle Wallet:
beectl modify_property --component <UnmanagedOc4J identifier> --name WalletDir --value <Oracle Wallet directory>
Activate the configuration:
beectl activate_configuration
Edit the file <Oracle Beekeeper home>
/j2ee/home/config/default-web-site.xml
and modify the port
attribute in the <web-site>
element to any available port number:
<web-site ... port="7779" ... >
Restart OC4J as described in "Restarting OC4J".
Edit the file <Oracle Beekeeper home>
/j2ee/home/config/rmi.xml
and modify the port
attribute in the <rmi-server>
element to any available port number:
<rmi-server ... port="23792" ... >
Restart OC4J as described in "Restarting OC4J".
Retrieve the component identifier for UnmanagedOc4j with the beectl list_components
command. You may call this command from any Oracle Beehive application tier:
beectl list_components --type UnmanagedOc4j
----------------+-------------------------------------------------------------
Component type | Component identifier
----------------+-------------------------------------------------------------
UnmanagedOc4j | e084c8c8-4a78-4852-8699-480b9bf4f79c
----------------+--------------------------------------------------------------
Set the RmiPort property in the UnmanagedOc4j component to the same port number you specified in rmi.xml
:
beectl modify_property --component <UnmanagedOc4J identifier> --name RmiPort --value 23792
Activate the configuration:
beectl activate_configuration
To extend the Java Single Sign-On session timeout for Oracle Beekeeper, add the highlighted text to the file <Oracle Beekeeper home>
/j2ee/home/config/jps-config.xml
:
<serviceInstance name="idm" provider="idm.provider">
<description>JSSO Authentication Configuration</description>
<property name="idm.authentication.name" value="JavaSSO"/>
<property name="idm.token.asserter.class"
value="oracle.security.jps.internal.jsso.SSOCookieTokenAsserter"/>
<property name="idm.token.collector.class"
value="oracle.security.jps.internal.jsso.SSOCookieTokenCollector"/>
<property name="idm.token.type" value="COOKIE_TOKEN"/>
<property name="idm.token.collector.cookie.1" value="ORA_OC4J_SSO"/>
<property name="custom.sso.url.login" value="/jsso/SSOLogin"/>
<property name="custom.sso.url.logout" value="/jsso/SSOLogout"/>
<property name="custom.sso.cred.key" value="JSSO_KEY"/>
<property name="custom.sso.cred.alias" value="JSSO_ALIAS"/>
<property name="custom.sso.session.timeout" value="3600"/>
</serviceInstance>
After making changes to the jps-config.xml
file, restart OC4J as described in "Restarting OC4J".
For more information about Java Single Sign-On, refer to Chapter 14, "OC4J Java Single Sign-On" in Oracle Containers for J2EE Security Guide.
You may configure Oracle Beekeeper so that it authenticates its users with credentials stored in your LDAP directory. Refer to "Integrating and Synchronizing LDAP with Oracle Beehive" for more information.
Edit the file <Oracle Beekeeper home>
/j2ee/home/application-deployments/javasso/jps-config.xml
and update the values that are highlighted in the following excerpt with configuration information that corresponds to your LDAP directory.
Refer to "Retrieving Information About the LDAP Server" for more information about these properties.
<serviceInstance name="beehive.ldap.loginmodule" provider="jaas.login.provider"> <description>Beehive LDAP Login Module</description> <property name="loginModuleClassName" value="oracle.ocs.csi.authentication.login.modules.OcsLdapLoginModule"/> <property name="jaas.login.controlFlag" value="REQUIRED"/> <property name="debug" value="true"/> <property name="addAllRoles" value="true"/> <property name="oracle.security.jaas.ldap.user.object.class" value="orclUserV2"/> <property name="oracle.security.jaas.ldap.provider.connect.pool" value="true"/> <property name="oracle.security.jaas.ldap.provider.credential" value="!welcome1"/> <property name="oracle.security.jaas.ldap.provider.type" value="other"/> <property name="oracle.security.jaas.ldap.provider.url" value="ldap://ldapserver:389"/> <property name="oracle.security.jaas.ldap.role.searchscope" value="subtree"/> <property name="oracle.security.jaas.ldap.user.searchscope" value="subtree"/> <property name="oracle.security.jaas.ldap.user.searchbase" value="cn=Users,dc=us,dc=oracle,dc=com"/> <property name="oracle.security.jaas.ldap.role.searchbase" value="cn=Users,dc=us,dc=oracle,dc=com"/> <property name="oracle.security.jaas.ldap.role.object.class" value="orclGroup"/> <property name="oracle.security.jaas.ldap.role.name.attribute" value="cn"/> <property name="oracle.security.jaas.ldap.provider.user" value="cn=orcladmin"/> <property name="oracle.security.jaas.ldap.user.name.attribute" value="uid"/> <property name="oracle.security.jaas.ldap.membership.searchscope" value="direct"/> <property name="oracle.security.jaas.ldap.member.attribute" value="uniqueMember"/> <property name="oracle.security.jaas.ldap.lm.cache_enabled" value="true"/> <property name="authenticated.role.name" value="authenticated-role"/> </serviceInstance>
Tips:
The propertyoracle.security.jaas.ldap.user.object.class
corresponds to the UserObjectClass property. The property oracle.security.jaas.ldap.role.object.class
corresponds to the GroupObjectClass property. Refer to "Default UserObjectClass and GroupObjectClass Values" for more information.
Obtain values for jps-config.xml
from the following file:
<Oracle Beehive home>/j2ee/ <any OC4J container>/config/system-jazn-data.xml
For example,
<Oracle Beehive home>/j2ee/BEEAPP/config/system-jazn-data.xml
Look for the <application>
element that contains the element <name>beehive-auth-framework-password</name>
.
Prepend the clear-text password (the value of oracle.security.jaas.ldap.provider.credential
of the administrator's account (the value of oracle.security.jaas.ldap.provider.user
) with an exclamation point (!
). The exclamation point will obfuscate the password the next time OC4J is restarted.
In the same file (jps-config.xml
), update the <jpsContexts>
element with the highlighted value:
<jpsContexts default="ldap">
Edit the file <Oracle Beekeeper home>
/j2ee/home/application-deployments/
beekeeper
/jps-config.xml
) and make the same changes as in step 1.
In the same file (<Oracle Beekeeper home>
/j2ee/home/application-deployments/
beekeeper
/jps-config.xml
), update the <jpsContexts>
element with the highlighted value:
<jpsContexts default="jsso-ldap">
Restart OC4J as described in "Restarting OC4J".
You may configure multiple instances of Oracle Beekeeper with a virtual host through a load balancer so that all your Oracle Beekeeper instances will be accessed by a single point of access, the virtual host though a load balancer.
Note:
If you have multiple Oracle Beekeeper nodes behind your load balancer's virtual server, then you must configure your load balancer's virtual server so that it uses cookie insert persistence in order to maintain server affinity.Refer to the documentation of your load balancer for more information about cookie insert persistence.
Edit the file <Oracle Beekeeper home>
/j2ee/home/config/default-web-site.xml
and specify the host name and port number of your load balancer in the <frontend>
child element of <web-site>
as follows:
<web-site
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation=
"http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd"
port="7778"
secure="false"
protocol="http"
display-name="Default Web Site"
schema-major-version="11"
schema-minor-version="1">
<default-web-app application="default" name="defaultWebApp" />
...
<frontend host="beehiveadmin.us.oracle.com" port="80" />
</web-site>
In this example, beehiveadmin.us.oracle.com
is the host name of the load balancer and 80
is the port number.
If you or an administrator uses a Microsoft Windows computer to access Oracle Beekeeper, then on that computer, edit the file C:\WINDOWS\system32\drivers\etc\hosts
file and map the IP address of the computer that runs Oracle Beehive with the host name of your virtual host.
For example, if 10.229.175.134
is the host name of the computer that runs Oracle Beekeeper and beehiveadmin.us.oracle.com
is the host name of your load balancer, then add the following line to your hosts
file:
10.229.175.134 beehiveadmin.us.oracle.com
Restart OC4J as described in "Restarting OC4J".
Restart the Oracle Beekeeper unmanaged OC4J instance with the following commands:
<Oracle Beekeeper home>/opmn/bin/opmnctl stopall <Oracle Beekeeper home>/opmn/bin/opmnctl startall
For information about starting and stopping OC4J, refer to the chapter "Starting and Stopping OC4J" in Oracle Containers for J2EE Configuration and Administrator's Guide.