Oracle® Beehive Installation Guide
Release 2 (2.0.1.8) for Linux x86

Part Number E16641-07

30 Oracle Beekeeper Post-Installation Procedures

Depending on your security requirements or other considerations particular to your deployment, perform one or more of the following procedures after installing Oracle Beekeeper:

Configuring Oracle Beekeeper for SSL Access

  1. Create a keystore with the keytool command, which is located in <Oracle Beekeeper home>/jdk/bin. The following example creates a keystore named server.keystore in the directory <Oracle Beekeeper home>, protects it with the password welcome, and generates an RSA key pair with a self-signed certificate that is valid for 90 days. Because no -dname option is given, keytool prompts for the certificate's distinguished name; use the fully qualified host name under which administrators will reach Oracle Beekeeper as the common name (CN) so that the certificate matches the URL. Press Enter at the key password prompt to reuse the keystore password. The password welcome is an example only; choose your own. The default RSA key size of this JDK's keytool is 1024 bits; add -keysize 2048 for a stronger key.

    keytool -genkey -keyalg "RSA" \
      -keystore <Oracle Beekeeper home>/server.keystore \
      -storepass welcome -validity 90
    

    Note:

    For more information about the keytool utility, refer to http://download.oracle.com/javase/1.5.0/docs/tooldocs/solaris/keytool.html.

    For additional information, refer to "Using Keys and Certificates with OC4J and Oracle HTTP Server" and "Using SSL with Standalone OC4J" in Chapter 15, "SSL Communication with OC4J" in Oracle Containers for J2EE Security Guide.

  2. In <Oracle Beekeeper home>/j2ee/home/config/default-web-site.xml, edit the <web-site> element. Set the port attribute to any available port number, secure to true, and protocol to https:

    <web-site
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xsi:noNamespaceSchemaLocation=
        "http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd" 
      port="4443"
      secure="true"
      protocol="https"
      display-name="Default Web Site"
      schema-major-version="11"
      schema-minor-version="1">
    

    Note:

    You may also add the attribute virtual-hosts to the <web-site> to use both SSL and virtual hosts. Refer to "Configuring Virtual Host" for more information.
  3. Add the following element inside the <web-site> element:

    <ssl-config
      keystore="<Oracle Beekeeper home>/server.keystore" 
      keystore-password="welcome"/>
    

    Set the attribute keystore to the full path name of the keystore you created in step 1, and keystore-password to the password of that keystore. The password is stored in clear text in default-web-site.xml, so make sure that this file and the keystore are readable only by the operating system user that runs OC4J.

  4. Restart OC4J as described in "Restarting OC4J".
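
The following script, added here as an example and not taken from the Oracle Beekeeper documentation, carries out steps 1 to 3 and then checks the result with openssl after the restart. The installation path (BEEKEEPER_HOME), the key alias beekeeper, the 2048-bit key size, the certificate subject and the environment variable BEEKEEPER_STOREPASS are assumptions. The keystore password still reaches keytool as a command-line argument, exactly as in the example above, and step 3 writes it in clear text into default-web-site.xml, which is why the script sets both files to mode 600. It expects the <web-site> start tag laid out as shown above (one attribute per line, or all on one line), leaves the port of a <frontend> element untouched, and refuses to add a second <ssl-config> element.

```sh
#!/bin/sh
# Added example, not from the Oracle Beekeeper documentation.
# Scripts steps 1-3 of "Configuring Oracle Beekeeper for SSL Access".
# Assumptions: BEEKEEPER_HOME (default below), alias "beekeeper", 2048-bit key,
# store password supplied in BEEKEEPER_STOREPASS (no backslashes: awk -v expands them).
set -eu

BEEKEEPER_HOME="${BEEKEEPER_HOME:-/u01/app/beekeeper}"      # assumed path
KEYSTORE="$BEEKEEPER_HOME/server.keystore"
WEBSITE_XML="$BEEKEEPER_HOME/j2ee/home/config/default-web-site.xml"
SSL_PORT="${SSL_PORT:-4443}"

# Step 1: self-signed RSA key pair, 90-day certificate, CN = host name that
# administrators use to reach Oracle Beekeeper, so the certificate matches the URL.
gen_keystore() {
  ks="$1"; storepass="$2"; host="$3"
  "$BEEKEEPER_HOME/jdk/bin/keytool" -genkey -keyalg RSA -keysize 2048 \
    -alias beekeeper -dname "CN=$host" -validity 90 \
    -keystore "$ks" -storepass "$storepass" -keypass "$storepass"
  chmod 600 "$ks"
}

# Steps 2 and 3: rewrite the attributes of the <web-site> start tag and add
# <ssl-config> right after it. Only the start tag is touched, so the port of a
# <frontend> element (see "Configuring Virtual Host") is left alone.
configure_ssl() {
  xml="$1"; ks="$2"; storepass="$3"; port="$4"
  if grep -q '<ssl-config' "$xml"; then
    echo "configure_ssl: $xml already contains <ssl-config>" >&2
    return 1
  fi
  cp -p "$xml" "$xml.bak"
  awk -v ks="$ks" -v pw="$storepass" -v port="$port" '
    /<web-site/ { inws = 1 }
    inws { sub(/port="[0-9]*"/, "port=\"" port "\"")
           sub(/secure="[a-z]*"/, "secure=\"true\"")
           sub(/protocol="[a-z]*"/, "protocol=\"https\"") }
    { print }
    inws && />[ \t]*$/ {            # end of the <web-site ...> start tag
      print "  <ssl-config keystore=\"" ks "\" keystore-password=\"" pw "\"/>"
      inws = 0
    }
  ' "$xml.bak" > "$xml"
  chmod 600 "$xml"   # the store password is now in clear text in this file
}

# Check after restarting OC4J: the handshake must succeed and the served
# certificate must be the one created in step 1.
verify_ssl() {
  host="$1"; port="$2"
  echo | openssl s_client -connect "$host:$port" 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

if [ "${1:-}" = "apply" ]; then
  host=$(hostname -f)
  : "${BEEKEEPER_STOREPASS:?set BEEKEEPER_STOREPASS to the keystore password}"
  gen_keystore "$KEYSTORE" "$BEEKEEPER_STOREPASS" "$host"
  configure_ssl "$WEBSITE_XML" "$KEYSTORE" "$BEEKEEPER_STOREPASS" "$SSL_PORT"
  "$BEEKEEPER_HOME/opmn/bin/opmnctl" stopall
  "$BEEKEEPER_HOME/opmn/bin/opmnctl" startall
  verify_ssl "$host" "$SSL_PORT"
fi
```

Run it as sh beekeeper-ssl.sh apply after exporting BEEKEEPER_STOREPASS (the file name is an assumption); verify_ssl should print the subject and validity dates of the certificate generated in step 1. Sourcing the file without the apply argument only defines the functions.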

Configuring Oracle Beekeeper with Oracle Wallet

If you have configured Oracle Beehive for SSL access and you want to add or modify a directory profile, you must specify the location of an Oracle Wallet configured for Oracle Beehive in the UnmanagedOc4j component in which Oracle Beekeeper runs.

Note:

For information about directory profiles (or LDAP mapping profiles), refer to "Step 1: Creating an LDAP Mapping Profile" in "Integrating an External User Directory with Oracle Beehive" in Oracle Beehive Integration Guide.

For more information about configuring Oracle Wallet for Oracle Beehive, refer to "Step 2: Configuring Oracle Beehive Instance to Use Oracle Wallet" in "Configuring TLS with Oracle Wallet".

  1. Retrieve the component identifier for UnmanagedOc4j with the beectl list_components command. You may call this command from any Oracle Beehive application tier:

    beectl list_components --type UnmanagedOc4j

    ----------------+-------------------------------------------------------------
    Component type  | Component identifier
    ----------------+-------------------------------------------------------------
    UnmanagedOc4j   | e084c8c8-4a78-4852-8699-480b9bf4f79c
    ----------------+-------------------------------------------------------------
    
  2. Set the WalletDir property in the UnmanagedOc4j component to the location of your Oracle Wallet:

    beectl modify_property \
      --component <UnmanagedOc4j identifier> \
      --name WalletDir \
      --value <Oracle Wallet directory>
    
  3. Activate the configuration:

    beectl activate_configuration
    

Changing Oracle Beekeeper Port

  1. Edit the file <Oracle Beekeeper home>/j2ee/home/config/default-web-site.xml and modify the port attribute in the <web-site> element to any available port number:

    <web-site ... port="7779" ... >
    
  2. Restart OC4J as described in "Restarting OC4J".

Changing Oracle Beekeeper RMI Port

  1. Edit the file <Oracle Beekeeper home>/j2ee/home/config/rmi.xml and modify the port attribute in the <rmi-server> element to any available port number:

    <rmi-server ... port="23792" ... >
    
  2. Restart OC4J as described in "Restarting OC4J".

  3. Retrieve the component identifier for UnmanagedOc4j with the beectl list_components command. You may call this command from any Oracle Beehive application tier:

    beectl list_components --type UnmanagedOc4j

    ----------------+-------------------------------------------------------------
    Component type  | Component identifier
    ----------------+-------------------------------------------------------------
    UnmanagedOc4j   | e084c8c8-4a78-4852-8699-480b9bf4f79c
    ----------------+-------------------------------------------------------------
    
  4. Set the RmiPort property in the UnmanagedOc4j component to the same port number you specified in rmi.xml:

    beectl modify_property \
      --component <UnmanagedOc4j identifier> \
      --name RmiPort \
      --value 23792
    
  5. Activate the configuration:

    beectl activate_configuration
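
The two procedures above, "Configuring Oracle Beekeeper with Oracle Wallet" and "Changing Oracle Beekeeper RMI Port", both look up the UnmanagedOc4j component identifier and then set a property on it. The following script is an added example, not code from the Oracle Beekeeper documentation: it parses the identifier out of the table that beectl list_components prints, changes the port in rmi.xml and verifies the edit before registering the same value as RmiPort, and sets WalletDir. BEEKEEPER_HOME, the script name beekeeper-oc4j.sh used below, and the assumption that the <rmi-server> start tag sits on a single line (as in the excerpt above) are mine; beectl must be on the PATH of an Oracle Beehive application tier.

```sh
#!/bin/sh
# Added example, not from the Oracle Beekeeper documentation.
# Looks up the UnmanagedOc4j component, changes the RMI port in rmi.xml and
# registers it as RmiPort, or sets WalletDir. Assumes BEEKEEPER_HOME below,
# beectl on PATH, and an <rmi-server ...> start tag on a single line.
set -eu

BEEKEEPER_HOME="${BEEKEEPER_HOME:-/u01/app/beekeeper}"      # assumed path
RMI_XML="$BEEKEEPER_HOME/j2ee/home/config/rmi.xml"

# Extract the component identifier from the table that
# "beectl list_components --type <type>" prints (third field of the data row).
# Fails unless exactly one row matches, so a mistyped type does not go unnoticed.
component_id() {
  type="$1"
  id=$(beectl list_components --type "$type" \
       | awk -v t="$type" '$1 == t && $2 == "|" { print $3 }')
  [ "$(printf '%s\n' "$id" | grep -c .)" = 1 ] || {
    echo "component_id: expected one $type component, got '$id'" >&2; return 1; }
  printf '%s\n' "$id"
}

# Current port in <rmi-server ... port="NNNN" ...>.
rmi_port_in_file() {
  sed -n 's/.*<rmi-server[^>]*port="\([0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Step 1 of "Changing Oracle Beekeeper RMI Port": edit rmi.xml, keep a backup
# and confirm the new value is really in the file before anything else changes.
set_rmi_port() {
  xml="$1"; port="$2"
  case "$port" in ''|*[!0-9]*) echo "set_rmi_port: bad port '$port'" >&2; return 1;; esac
  cp -p "$xml" "$xml.bak"
  sed "/<rmi-server/s/port=\"[0-9]*\"/port=\"$port\"/" "$xml.bak" > "$xml"
  [ "$(rmi_port_in_file "$xml")" = "$port" ] || {
    echo "set_rmi_port: <rmi-server> port not updated in $xml" >&2; return 1; }
}

# Steps 3 and 4: register the port with Oracle Beehive. Step 4 requires this
# value to be the same one written to rmi.xml, so pass the value just verified.
register_rmi_port() {
  beectl modify_property --component "$(component_id UnmanagedOc4j)" \
    --name RmiPort --value "$1"
}

# "Configuring Oracle Beekeeper with Oracle Wallet", step 2.
set_wallet_dir() {
  [ -d "$1" ] || { echo "set_wallet_dir: $1 is not a directory" >&2; return 1; }
  beectl modify_property --component "$(component_id UnmanagedOc4j)" \
    --name WalletDir --value "$1"
}

restart_oc4j() {
  "$BEEKEEPER_HOME/opmn/bin/opmnctl" stopall
  "$BEEKEEPER_HOME/opmn/bin/opmnctl" startall
}

case "${1:-}" in
  rmi)    set_rmi_port "$RMI_XML" "${2:?port required}"
          restart_oc4j
          register_rmi_port "$2"
          beectl activate_configuration ;;
  wallet) set_wallet_dir "${2:?wallet directory required}"
          beectl activate_configuration ;;
esac
```

sh beekeeper-oc4j.sh rmi 23792 follows the order of the procedure above (edit rmi.xml, restart OC4J, then modify_property and activate_configuration); sh beekeeper-oc4j.sh wallet /path/to/wallet sets WalletDir and activates the configuration.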
    

Extending Java Single Sign-On Session Timeout

To extend the Java Single Sign-On session timeout for Oracle Beekeeper, add the custom.sso.session.timeout property (the last property in the following excerpt) to the idm service instance in the file <Oracle Beekeeper home>/j2ee/home/config/jps-config.xml. The example sets the value to 3600. A longer timeout spares administrators repeated logins, but it equally keeps an unattended browser session valid for longer, so choose the value with that trade-off in mind:

<serviceInstance name="idm" provider="idm.provider">
  <description>JSSO Authentication Configuration</description>
  <property name="idm.authentication.name" value="JavaSSO"/>
  <property name="idm.token.asserter.class"
    value="oracle.security.jps.internal.jsso.SSOCookieTokenAsserter"/>
  <property name="idm.token.collector.class"
    value="oracle.security.jps.internal.jsso.SSOCookieTokenCollector"/>
  <property name="idm.token.type" value="COOKIE_TOKEN"/>
  <property name="idm.token.collector.cookie.1" value="ORA_OC4J_SSO"/>
  <property name="custom.sso.url.login" value="/jsso/SSOLogin"/>
  <property name="custom.sso.url.logout" value="/jsso/SSOLogout"/>
  <property name="custom.sso.cred.key" value="JSSO_KEY"/>
  <property name="custom.sso.cred.alias" value="JSSO_ALIAS"/>
  <property name="custom.sso.session.timeout" value="3600"/>
</serviceInstance>

After making changes to the jps-config.xml file, restart OC4J as described in "Restarting OC4J".

For more information about Java Single Sign-On, refer to Chapter 14, "OC4J Java Single Sign-On" in Oracle Containers for J2EE Security Guide.

Configuring Oracle Beekeeper for LDAP-Based Authentication

You may configure Oracle Beekeeper so that it authenticates its users with credentials stored in your LDAP directory. Refer to "Integrating an External User Directory with Oracle Beehive" in Oracle Beehive Integration Guide for more information.

Note:

If you set a directory profile as default in Oracle Beekeeper, you must configure Oracle Beekeeper for LDAP-based authentication.
  1. Edit the file <Oracle Beekeeper home>/j2ee/home/application-deployments/javasso/jps-config.xml and replace the directory-specific values in the following excerpt (the provider URL, the bind user and its credential, the user and role search bases, the user and role object classes, and the naming and membership attributes) with the values that correspond to your LDAP directory. For oracle.security.jaas.ldap.provider.credential, enter the bind password in clear text for now; step 7 replaces it with the obfuscated value from system-jazn-data.xml. For oracle.security.jaas.ldap.provider.user, prefer a dedicated directory account with read access to the user and group subtrees over the directory superuser (cn=orcladmin in the excerpt).

    Refer to the section "Retrieving Information About the LDAP Server" in "Integrating an External User Directory with Oracle Beehive" in Oracle Beehive Integration Guide for more information about these properties.

    <serviceInstance name="beehive.ldap.loginmodule" 
      provider="jaas.login.provider">
      <description>Beehive LDAP Login Module</description>
      <property name="loginModuleClassName" 
        value="oracle.ocs.csi.authentication.login.modules.OcsLdapLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
      <property name="oracle.security.jaas.ldap.user.object.class" 
        value="orclUserV2"/>
      <property name="oracle.security.jaas.ldap.provider.connect.pool" 
        value="true"/>
      <property name="oracle.security.jaas.ldap.provider.credential" 
        value="welcome1"/>
      <property name="oracle.security.jaas.ldap.provider.type" value="other"/>
      <property name="oracle.security.jaas.ldap.provider.url" 
        value="ldap://ldapserver:389"/>
      <property name="oracle.security.jaas.ldap.role.searchscope" value="subtree"/>
      <property name="oracle.security.jaas.ldap.user.searchscope" value="subtree"/>
      <property name="oracle.security.jaas.ldap.user.searchbase" 
        value="cn=Users,dc=us,dc=oracle,dc=com"/>
      <property name="oracle.security.jaas.ldap.role.searchbase" 
        value="cn=Users,dc=us,dc=oracle,dc=com"/>
      <property name="oracle.security.jaas.ldap.role.object.class" 
        value="orclGroup"/>
      <property name="oracle.security.jaas.ldap.role.name.attribute" value="cn"/>
      <property name="oracle.security.jaas.ldap.provider.user" 
        value="cn=orcladmin"/>
      <property name="oracle.security.jaas.ldap.user.name.attribute" value="uid"/>
      <property name="oracle.security.jaas.ldap.membership.searchscope" 
        value="direct"/>
      <property name="oracle.security.jaas.ldap.member.attribute" 
        value="uniqueMember"/>
      <property name="oracle.security.jaas.ldap.lm.cache_enabled" value="true"/>
      <property name="authenticated.role.name" value="authenticated-role"/>
    </serviceInstance>
    

    Tips:

    The property oracle.security.jaas.ldap.user.object.class corresponds to the UserObjectClass property. The property oracle.security.jaas.ldap.role.object.class corresponds to the GroupObjectClass property. Refer to the section "Default UserObjectClass and GroupObjectClass Values" in "Integrating an External User Directory with Oracle Beehive" in Oracle Beehive Integration Guide for more information.

    Follow these steps to obtain values for jps-config.xml:

    1. Run the command beectl modify_local_configuration_files.

    2. Obtain the required values from the following file:

      <Oracle Beehive home>/j2ee/
        <any OC4J container>/config/system-jazn-data.xml
      

      For example,

      <Oracle Beehive home>/j2ee/BEEAPP/config/system-jazn-data.xml
      

      Look for the <application> element that contains the element <name>beehive-auth-framework-password</name>.

      Note that you must run the command beectl modify_local_configuration_files before obtaining values from system-jazn-data.xml; the LDAP-related entries will not appear in this file until you do so.

  2. In the same file (<Oracle Beekeeper home>/j2ee/home/application-deployments/javasso/jps-config.xml), set the default attribute of the <jpsContexts> element to ldap:

    <jpsContexts default="ldap">
    
  3. Edit the file <Oracle Beekeeper home>/j2ee/home/application-deployments/beekeeper/jps-config.xml and make the same changes to the beehive.ldap.loginmodule service instance as in step 1.

  4. In the same file (<Oracle Beekeeper home>/j2ee/home/application-deployments/beekeeper/jps-config.xml), set the default attribute of the <jpsContexts> element to jsso-ldap:

    <jpsContexts default="jsso-ldap">
    
  5. Modify the AuthStoreType property of the Authentication Service to ldap with the beectl modify_property command. Refer to the section "Configuring Authentication Service to Use LDAP Server" in "Integrating an External User Directory with Oracle Beehive" in Oracle Beehive Integration Guide for more information.

    Note:

    You may also modify this property through Oracle Beekeeper.
  6. Activate the configuration and commit changes:

    beectl activate_configuration
    beectl modify_local_configuration_files
    

    Note:

    Although you may activate the configuration through Oracle Beekeeper, you must run the command beectl modify_local_configuration_files from the command line.
  7. Edit the file <Oracle Beekeeper home>/j2ee/home/application-deployments/javasso/jps-config.xml and update the value of oracle.security.jaas.ldap.provider.credential by copying the obfuscated password from <Oracle Beehive home>/j2ee/<any OC4J container>/config/system-jazn-data.xml. The obfuscated password is in the <application> element that contains the element <name>beehive-auth-framework-password</name>.

  8. Restart OC4J as described in "Restarting OC4J".

Reconfiguring Oracle Beekeeper for UDS-Based Authentication

Follow these steps to reconfigure Oracle Beekeeper to use User Directory Services (UDS) instead of LDAP for authentication.

Note:

If you set a directory profile as non-default in Oracle Beekeeper, configure Oracle Beekeeper for UDS-based authentication.
  1. In the file <Oracle Beekeeper home>/j2ee/home/application-deployments/javasso/jps-config.xml, set the default attribute of the <jpsContexts> element to db:

    <jpsContexts default="db">
    
  2. In the file <Oracle Beekeeper home>/j2ee/home/application-deployments/beekeeper/jps-config.xml, set the default attribute of the <jpsContexts> element to jsso-db:

    <jpsContexts default="jsso-db">
    
  3. Modify the AuthStoreType property of the Authentication Service to db with the beectl modify_property command:

    beectl list_components --type AuthenticationService
    --------------------------------------------------
    | Component Type        | Component Identifier   |
    --------------------------------------------------
    | AuthenticationService | _AuthenticationService |
    --------------------------------------------------
    
    beectl modify_property --component _AuthenticationService --name AuthStoreType --value db
    
  4. Activate the configuration and commit changes:

    beectl activate_configuration
    beectl modify_local_configuration_files
    

    Note:

    You may activate the configuration through Oracle Beekeeper. However, you must use the beectl command to modify local configuration files.
  5. Restart OC4J as described in "Restarting OC4J".
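
Switching between the LDAP-based and UDS-based configurations described in the two procedures above comes down to keeping three settings in agreement: the default context in the javasso jps-config.xml (ldap or db), the default context in the beekeeper jps-config.xml (jsso-ldap or jsso-db), and the AuthStoreType property of the Authentication Service. The following script is an added example, not code from the Oracle Beekeeper documentation; it applies those three changes for either mode and checks that the two files agree with the requested mode before restarting OC4J. It does not edit the LDAP login-module properties (steps 1 and 3 of the LDAP procedure) or copy the obfuscated credential (step 7); those remain manual. BEEKEEPER_HOME and the script name beekeeper-auth.sh are assumptions, and beectl must be on the PATH.

```sh
#!/bin/sh
# Added example, not from the Oracle Beekeeper documentation.
# Switches Oracle Beekeeper between LDAP-based (ldap) and UDS-based (db)
# authentication: <jpsContexts default> in both jps-config.xml files plus the
# AuthStoreType property. Assumes BEEKEEPER_HOME below and beectl on PATH.
set -eu

BEEKEEPER_HOME="${BEEKEEPER_HOME:-/u01/app/beekeeper}"      # assumed path
DEPLOY="$BEEKEEPER_HOME/j2ee/home/application-deployments"

# Context each file must use for a given AuthStoreType (from the two procedures).
javasso_ctx()   { case "$1" in ldap) echo ldap;;      db) echo db;;      *) return 1;; esac; }
beekeeper_ctx() { case "$1" in ldap) echo jsso-ldap;; db) echo jsso-db;; *) return 1;; esac; }

# Set the default attribute of <jpsContexts default="..."> in one jps-config.xml.
set_jps_default() {
  xml="$1"; ctx="$2"
  grep -q '<jpsContexts default="' "$xml" || {
    echo "set_jps_default: no <jpsContexts default=...> in $xml" >&2; return 1; }
  cp -p "$xml" "$xml.bak"
  sed "s|<jpsContexts default=\"[^\"]*\"|<jpsContexts default=\"$ctx\"|" \
    "$xml.bak" > "$xml"
}

# Read the default context back from a jps-config.xml.
jps_default() {
  sed -n 's/.*<jpsContexts default="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Apply the two file edits and the AuthStoreType change for one mode.
# $2 is the application-deployments directory.
switch_auth() {
  mode="$1"; deploy="$2"
  jctx=$(javasso_ctx "$mode") || {
    echo "switch_auth: mode must be ldap or db, not '$mode'" >&2; return 1; }
  bctx=$(beekeeper_ctx "$mode")
  set_jps_default "$deploy/javasso/jps-config.xml" "$jctx"
  set_jps_default "$deploy/beekeeper/jps-config.xml" "$bctx"
  beectl modify_property --component _AuthenticationService \
    --name AuthStoreType --value "$mode"
}

# Check: both files must match the mode, otherwise the Java SSO login and the
# Beekeeper application would authenticate against different stores.
auth_config_consistent() {
  mode="$1"; deploy="$2"
  [ "$(jps_default "$deploy/javasso/jps-config.xml")" = "$(javasso_ctx "$mode")" ] &&
  [ "$(jps_default "$deploy/beekeeper/jps-config.xml")" = "$(beekeeper_ctx "$mode")" ]
}

case "${1:-}" in
  ldap|db)
    switch_auth "$1" "$DEPLOY"
    beectl activate_configuration
    beectl modify_local_configuration_files
    auth_config_consistent "$1" "$DEPLOY"
    "$BEEKEEPER_HOME/opmn/bin/opmnctl" stopall
    "$BEEKEEPER_HOME/opmn/bin/opmnctl" startall
    ;;
esac
```

sh beekeeper-auth.sh db performs steps 1 to 5 of the UDS procedure; sh beekeeper-auth.sh ldap performs steps 2, 4, 5, 6 and 8 of the LDAP procedure, so run it after the login-module edits and before copying the obfuscated credential, then restart OC4J once more.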

Configuring Virtual Host

You may place multiple instances of Oracle Beekeeper behind a virtual host on a load balancer, so that administrators reach all Oracle Beekeeper instances through a single address, the virtual host name.

Note:

If you have multiple Oracle Beekeeper nodes behind your load balancer's virtual host, then you must configure the load balancer virtual host so that it uses cookie insert persistence in order to maintain server affinity.

Refer to the documentation of your load balancer for more information about cookie insert persistence.

  1. Edit the file <Oracle Beekeeper home>/j2ee/home/config/default-web-site.xml and specify the host name and port number of your load balancer in the <frontend> child element of <web-site> as follows:

    <web-site
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xsi:noNamespaceSchemaLocation=
        "http://xmlns.oracle.com/oracleas/schema/11/web-site-11_1.xsd" 
      port="7778"
      secure="false"
      protocol="http"
      display-name="Default Web Site"
      schema-major-version="11"
      schema-minor-version="1">
      <default-web-app application="default" name="defaultWebApp" />
      ...
      <frontend host="beehiveadmin.us.oracle.com" port="80" />
    </web-site>
    

    In this example, beehiveadmin.us.oracle.com is the host name of the load balancer and 80 is the port number.

  2. If you or another administrator uses a Microsoft Windows computer to access Oracle Beekeeper, then on that computer edit the file C:\WINDOWS\system32\drivers\etc\hosts and map the host name of your virtual host to the IP address of the computer that runs Oracle Beekeeper.

    For example, if 10.229.175.134 is the IP address of the computer that runs Oracle Beekeeper and beehiveadmin.us.oracle.com is the host name of your load balancer's virtual host, then add the following line to your hosts file:

    10.229.175.134       beehiveadmin.us.oracle.com
    
  3. Restart OC4J as described in "Restarting OC4J".

Restarting OC4J

Restart the Oracle Beekeeper unmanaged OC4J instance with the following commands:

<Oracle Beekeeper home>/opmn/bin/opmnctl stopall
<Oracle Beekeeper home>/opmn/bin/opmnctl startall

For information about starting and stopping OC4J, refer to Chapter 5, "Starting and Stopping OC4J" in Oracle Containers for J2EE Configuration and Administrator's Guide.