This chapter explains how to configure an Oracle Information Rights Management (Oracle IRM) application in an Oracle WebLogic Server domain.
This chapter includes the following sections:
Before logging in to the Oracle IRM Management Console or using Oracle IRM Desktop, you need to complete the Oracle IRM configuration, as these topics describe:
Note:
In a production system, Oracle Enterprise Content Management Suite applications need to use an external Lightweight Directory Application Protocol (LDAP) authentication provider rather than the Oracle WebLogic Server embedded LDAP server, which is part of the default configuration. If you want to reassociate the identity store for Oracle IRM with an external LDAP authentication provider, it is easier to do this before you complete the configuration of the Oracle IRM Managed Server and before you connect it to the Oracle Universal Content Management (Oracle UCM) repository. For more information, see Section 4.4, "Reassociating the Identity Store with an External LDAP Authentication Provider."You can set the Server URL configuration parameter to an Oracle IRM Managed Server on the General Settings page for Oracle IRM in Fusion Middleware Control.
Caution:
The Server URL value is embedded into every sealed document, and Oracle IRM Desktop uses this value to identify and connect to an Oracle IRM server to retrieve licenses. This setting must not be changed after any documents have been sealed using this server, or no one will be able to access the documents.For a simple installation where the Managed Server is directly accessible to Oracle IRM Desktop, this value will be the URI of the Managed Server. For example:
https://managedServerHost:managedServerPort/irm_desktop
To set the Server URL configuration parameter:
Start Oracle Enterprise Manager 11g Fusion Middleware Control at the following Web site:
http://adminServerHost:adminServerPort/em
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myHost:7001/em
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
From the farm navigation tree in Application Server Control, expand Content Management and Information Rights Management, and then click irm.
From the IRM menu, select Administration and then General Settings.
Fusion Middleware Control displays the General Settings page.
In the Server URL field, enter the URL to access the Oracle IRM Managed Server.
For example:
https://irm.example.com/irm_desktop
On the General Settings page, you can also specify other settings for Oracle IRM.
Click Apply.
To configure a key store for Oracle IRM, you need to create the key store and set its location and passwords. Due to algorithm restrictions with certain Java Cryptographic Extension (JCE) security providers, a number of different cryptographic algorithms and types of key stores are supported.
You should choose the most appropriate cryptographic algorithm, key size, and key store for the target platform. For most platforms the Advanced Encryption Standard (AES) key wrapping algorithm should be used. Other platforms require an RSA key wrapping algorithm.
With the AES algorithm, the size of the wrapping key can either 256 bits or 128 bits. To seal content using the AES 256 cryptographic schema, you should use a 256 bit wrapping key. To seal content using the AES 128 cryptographic schema, you can use a 128 bit or 256 bit wrapping key. The AES key wrap algorithm is typically faster than the RSA key wrap algorithm.
The Oracle IRM Java EE application uses a cryptographic key to wrap (encrypt) and unwrap (decrypt) Oracle IRM key data stored in the database. This wrapping key must be generated before contexts can be created.
The suggested location for the key store is under the domain home, in the MW_HOME/user_projects/domains/domain_name/config/fmwconfig directory (UNIX system) or MW_HOME\user_projects\domains\domain_name\config\fmwconfig (Windows system). Placing the key store in this location ensures that the key store file is backed up when the domain and corresponding credential store files are backed up.
To create a key store for Oracle IRM:
Run the following script to set the environment.
On a UNIX operating system:
MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh
On a Windows operating system:
MW_HOME\wlserver_10.3\server\bin\setWLSEnv.cmd
For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME/wlserver_10.3/server/lib directory (UNIX system) or MW_HOME\wlserver_10.3\server\lib directory (Windows system).
Run the keytool utility to generate an Oracle IRM key store as follows.
For AES, enter the following keytool command (the key size can be either 128 or 256):
keytool -genseckey -storetype JCEKS -alias oracle.irm.wrap
-keyalg AES -keysize 256 -keystore irm.jceks
When prompted by keytool, choose appropriate passwords for the key store and the generated key.
For RSA, enter the following keytool command:
keytool -genkeypair -alias oracle.irm.wrap
-keyalg RSA -keysize 2048 -keystore irm.jks
When prompted for the certificate details, use the suggested default value, unknown. When prompted by keytool, choose appropriate passwords for the key store and the generated key.
Copy the irm.jceks or irm.jks file to the MW_HOME/user_projects/domains/domain_name/config/fmwconfig directory (UNIX system) or MW_HOME\user_projects\domains\domain_name\config\fmwconfig directory (Windows system).
You can set the key store location with either Fusion Middleware Control or WebLogic Scripting Tool (WLST) commands.
You can set the key store location on the Oracle IRM General Settings page in Fusion Middleware Control.
To set the key store location with Fusion Middleware Control:
Start Fusion Middleware Control at the following URL:
http://adminServerHost:adminServerPort/em
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myHost:7001/em
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
From the farm navigation tree in Fusion Middleware Control, expand Content Management and Information Rights Management, and then click irm.
From the IRM menu, select Administration and then General Settings.
In the Keystore field on the General Settings page, enter one of the following key store paths.
Key store path for an AES key store
On a UNIX operating system:
MW_HOME/user_projects/domains/domain_name/config/fmwconfig/irm.jceks
On a Windows operating system:
MW_HOME\user_projects\domains\domain_name\config\fmwconfig\irm.jceks
Key store path for an RSA key store
On a UNIX operating system:
MW_HOME/user_projects/domains/domain_name/config/fmwconfig/irm.jks
On a Windows operating system:
MW_HOME\user_projects\domains\domain_name\config\fmwconfig\irm.jks
For the key store type, enter one of the following values:
JCEKS for an AES key store
JKS for an RSA key store
On the General Settings page, you can also specify other settings for Oracle IRM.
Click Apply.
You can set the key store location with the connect and setIRMKeyStore WLST commands.
To set the key store location with WLST commands:
Enter the following commands.
On a UNIX operating system:
ECM_ORACLE_HOME/common/bin/wlst.sh connect('username','password','t3://adminServerHost:adminServerPort') setIRMKeyStore()
On a Windows operating system:
ECM_ORACLE_HOME\common\bin\wlst.cmd connect('username','password','t3://adminServerHost:adminServerPort') setIRMKeyStore()
You will be prompted for the key store path and key store type.
For the key store path, enter one of the following values.
Key store path for an AES key store
On a UNIX operating system:
MW_HOME/user_projects/domains/domain_name/config/fmwconfig/irm.jceks
On a Windows operating system:
MW_HOME\user_projects\domains\domain_name\config\fmwconfig\irm.jceks
Key store path for an RSA key store
On a UNIX operating system:
MW_HOME/user_projects/domains/domain_name/config/fmwconfig/irm.jks
On a Windows operating system:
MW_HOME\user_projects\domains\domain_name\config\fmwconfig\irm.jks
For the key store type, enter one of the following values.
JCEKS for an AES key store
JKS for an RSA key store
You must set passwords for the Oracle IRM key store with WLST commands. When the key store is created, you will be prompted for a key store password and a password for the generated key. These passwords are required by the Oracle IRM server.
To set passwords for the key store:
For an AES key store, enter the following WLST commands.
On a UNIX operating system:
ECM_ORACLE_HOME/common/bin/wlst.sh connect('username','password','t3://adminServerHost:adminServerPort') createCred("IRM","keystore:irm.jks","dummy","password") createCred("IRM","key:irm.jceks:oracle.irm.wrap","dummy","password")
On a Windows operating system:
ECM_ORACLE_HOME/common/bin/wlst.cmd connect('username','password','t3://adminServerHost:adminServerPort') createCred("IRM","keystore:irm.jceks","dummy","password") createCred("IRM","key:irm.jceks:oracle.irm.wrap","dummy","password")
For an RSA key store, enter the following WLST commands.
On a UNIX operating system:
ECM_ORACLE_HOME/common/bin/wlst.sh connect('username','password','t3://adminServerHost:adminServerPort') createCred("IRM","keystore:irm.jks","dummy","password") createCred("IRM","key:irm.jks:oracle.irm.wrap","dummy","password")
On a Windows operating system:
ECM_ORACLE_HOME/common/bin/wlst.cmd connect('username','password','t3://adminServerHost:adminServerPort') createCred("IRM","keystore:irm.jks","dummy","password") createCred("IRM","key:irm.jks:oracle.irm.wrap","dummy","password")
In the connect command, substitute the correct values for username and password.
In the createCred command, substitute for password the password that was used for creating the key and keystore.
The "dummy" parameter passed to the createCred command is the user name parameter. The key store does not use a user name, so this value is ignored. This is why the value is set as dummy.
It is normal for the creatCred command to return the text "Already in Domain Runtime Tree". This text does not signify an error.
For a development environment, you also need to configure one-way SSL with a server-specific certificate. One-way SSL means that only the server certificate passes from the server to the client but not the other way around.
To configure one-way SSL for a development environment:
Run the following script to set the environment.
On a UNIX operating system:
MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh
On a Windows operating system:
MW_HOME\wlserver_10.3\server\bin\setWLSEnv.cmd
For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME/wlserver_10.3/server/lib directory (UNIX system) or MW_HOME\wlserver_10.3\server\lib directory (Windows system).
Use the CertGen utility to create a server-specific, private key and certificate, as follows:
java utils.CertGen -selfsigned
-certfile MyOwnSelfCA.cer
-keyfile MyOwnSelfKey.key
-keyfilepass mykeypass
-cn "hostname"
For hostname, substitute the name of the machine where Oracle IRM is deployed. You should use the same name while accessing Oracle IRM Web services. For example, to generate the server certificate for a machine named myhost.us.example.com, the command would be as follows:
java utils.CertGen -selfsigned
-certfile MyOwnSelfCA.cer
-keyfile MyOwnSelfKey.key
-keyfilepass mykeypass
-cn "myhost.us.example.com"
This command will generate a server certificate for the machine myhost.us.example.com. Verify that the certificate has been issued to the machine name you specified.
CertGen creates a unique and secret Private Key for Oracle IRM and a Self-Signed Root Certificate.
Run the ImportPrivateKey utility to package the Private Key and Self-Signed Root Certificate into a keystore, as follows:
java utils.ImportPrivateKey
-keystore MyOwnIdentityStore.jks
-storepass identitypass
-keypass keypassword
-alias trustself
-certfile MyOwnSelfCA.cer.pem
-keyfile MyOwnSelfKey.key.pem
-keyfilepass mykeypass
Run the keytool utility to package the key and certificate into a separate keystore called the Trust Keystore, as follows:
keytool -import -trustcacerts -alias trustself
-keystore TrustMyOwnSelf.jks
-file MyOwnSelfCA.cer.der -keyalg RSA
On the client machine, double-click the certificate file to open the Certificate window, and then click Install Certificate to start the Certificate Import Wizard.
Install the certificate under Trusted Root Certification Authorities in Internet Explorer.
On every machine running Oracle IRM Desktop, in the Certificate Import Wizard, explicitly select a certificate store for Trusted Root Certification Authorities. The root certificate must be trusted on all client computers that will access the server.
Click Next, and then follow the instructions on the wizard screens.
Set Up a Custom Identity Keystore and Trust Store:
Log in to the Oracle WebLogic Server Administration Console, at the following URL:
http://adminServerHost:adminServerPort/console
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myHost:7001/console
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
Select Environments under your domain from Domain Structure.
Select Servers from Environment.
From Summary of Servers, select the server for which to enable SSL.
Click the KeyStores tab on the Settings for servername page.
In the KeyStores field, select Custom Identity and Custom Trust.
Enter values in the other fields on the KeyStores tab.
Save the changes.
Click the SSL tab.
In the Identity and Trust Locations field, select Keystores.
Enter values in the other fields on the SSL tab.
Save the changes.
When the Oracle IRM Managed Server is running, the Oracle IRM application is deployed and ready to be accessed through the Oracle IRM Management Console:
https://managedServerHost:managedServerPort/irm_rights
Oracle IRM requires SSL to be enabled on the front-end application, whether it is Oracle HTTP Server (OHS) or a Managed Server running Oracle IRM as an application deployed to Oracle WebLogic Server. Communication between Oracle IRM Desktop and the Oracle IRM server application must be over SSL because sensitive information such as passwords are communicated. Other uses of SSL, such as between OHS and Managed Servers, the Administration Server, and the LDAP authentication provider are optional.
Oracle IRM uses the Credential Store Framework of Oracle Platform Security Services (OPSS) to retrieve passwords for the Oracle IRM key store. There are no specific configuration steps for Oracle IRM if the credential and policy stores are reassociated with an external LDAP authentication provider, as described in Section 4.4, "Reassociating the Identity Store with an External LDAP Authentication Provider."
Oracle IRM uses OPSS to obtain user and group details from the external LDAP authentication provider. For information about configuring the identity store, see Section 4.4, "Reassociating the Identity Store with an External LDAP Authentication Provider."