Oracle® Fusion Middleware Installation Guide for Oracle Enterprise Content Management Suite
11g Release 1 (11.1.1)
E14495-02

4 Configuring Oracle Enterprise Content Management Suite

This chapter explains how to configure an Oracle WebLogic Server domain for Oracle Enterprise Content Management Suite applications.

This chapter includes the following sections:

  • Section 4.1, "Preparing to Configure Oracle Enterprise Content Management Suite"

  • Section 4.2, "Creating an Oracle WebLogic Server Domain"

  • Section 4.3, "Extending an Existing Domain"

  • Section 4.4, "Reassociating the Identity Store with an External LDAP Authentication Provider"

  • Section 4.5, "Adding Users to Oracle Internet Directory"

4.1 Preparing to Configure Oracle Enterprise Content Management Suite

After you have successfully run the Oracle Fusion Middleware 11g Oracle Enterprise Content Management Suite Installer, you can deploy and configure the following Oracle Enterprise Content Management Suite products as applications:

  • Oracle Imaging and Process Management (Oracle I/PM)

  • Oracle Information Rights Management (Oracle IRM)

To configure these applications, you can create or extend an Oracle WebLogic Server domain, which includes a Managed Server for each deployed application and one Administration Server. Each of these servers is an Oracle WebLogic Server instance.

You can create a domain to include either or both of these applications. Or you can create a domain to include a Managed Server for either application (one Managed Server) and then extend the domain with a Managed Server for the other application. For Oracle I/PM, you can extend the domain with Oracle SOA Suite, which includes Oracle BPEL Process Manager.


Note:

The Oracle I/PM product deployment provides for up to 10 GB of disk space to be used to stage simultaneous document uploads through the user interface. This limit caps the disk space that uploads can consume, so that a malicious flood of uploads cannot exhaust server storage.

If you have not successfully run the installer on your system, first see Chapter 3, "Installing Oracle Enterprise Content Management Suite."

To create a domain for one or more Oracle Enterprise Content Management Suite applications, follow the instructions in Section 4.2, "Creating an Oracle WebLogic Server Domain."

To extend an existing domain for one or more Oracle Enterprise Content Management Suite applications, follow the instructions in Section 4.3, "Extending an Existing Domain."

During the configuration, if you need additional help with any of the screens, either click the name of the screen in the instructions to see its description in Appendix B, "Oracle Enterprise Content Management Suite Configuration Screens," or click Help on the screen in the installer to access the online help.

After you create or extend a domain, you can configure Oracle Enterprise Manager 11g Fusion Middleware Control for administration of Oracle Enterprise Content Management Suite applications. Fusion Middleware Control is deployed to the Administration Server when a domain is created. You can use Fusion Middleware Control for additional configuration tasks.

To create a log file of your configuration session, start Fusion Middleware Configuration Wizard with the -log option.

On a UNIX operating system:

% ./config.sh -log=log_file_name

On a Windows operating system:

G:\> config.cmd -log=log_file_name

Your log files will be created in your INVENTORY_HOME/logs directory.

4.2 Creating an Oracle WebLogic Server Domain

You can create an Oracle WebLogic Server domain for Oracle Enterprise Content Management Suite with Fusion Middleware Configuration Wizard. When you create a domain for the suite, you configure one or more of its applications. The configuration wizard is in the ECM_ORACLE_HOME/common/bin directory (UNIX system) or ECM_ORACLE_HOME\common\bin directory (Windows system).

ECM_ORACLE_HOME represents the ECM Oracle home directory, where Oracle Enterprise Content Management Suite is installed.

Table 4-1 describes the steps for creating a domain and provides links to descriptions of the screens in Appendix B, "Oracle Enterprise Content Management Suite Configuration Screens."

Table 4-1 Procedure for Creating a New Domain

Each entry gives the step number, the screen, when the screen appears, and the description and action required.

Step 1: No screen (always)

Start Fusion Middleware Configuration Wizard.

On a UNIX operating system:

cd ECM_ORACLE_HOME/common/bin
./config.sh

On a Windows operating system:

cd ECM_ORACLE_HOME\common\bin
config.cmd

Step 2: Welcome (always)

Select Create a new WebLogic Domain.

Click Next to continue.

Step 3: Select Domain Source (always)

Select Generate a domain configured automatically to support the following products and either or both of these products:

  • Oracle Information Rights Management

  • Oracle Imaging and Process Management

When you select Oracle Imaging and Process Management or Oracle Information Rights Management on the Select Domain Source screen, Oracle Enterprise Manager and Oracle JRF are automatically selected.

Click Next to continue.

Step 4: Specify Domain Name and Location (always)

Enter the name of the domain you want to create in the Domain name field.

The default location for the domain is MW_HOME/user_projects/domains/ (UNIX system) or MW_HOME\user_projects\domains\ (Windows system). You can specify a different location in the Domain location field.

Note: Record the domain name and location from this screen because you will need them later to start the Administration Server.

You can specify the location of the Oracle Enterprise Content Management Suite application in the Application location field. The default location is MW_HOME/user_projects/applications/.

Click Next to continue.

Step 5: Configure Administrator User Name and Password (always)

The User name field has the default administrator user name, weblogic. You can specify a different administrator user name.

In the User password field, enter the password for the administrator user.

Note: Record the administrator user name and password from this screen because you will need them later to start the Administration Server and to access the domain through the Oracle WebLogic Server Administration Console or Oracle Enterprise Manager 11g Fusion Middleware Control.

Click Next to continue.

Step 6: Configure Server Start Mode and JDK (always)

Under WebLogic Domain Startup Mode, Development Mode is the default mode. For a production system, select Production Mode.

Under JDK Selection, you can leave Available JDKs and the default JDK selected, or you can change them. The default JDK for development mode is Sun SDK 160_14. The default JDK for production mode is JRockit SDK 1.6.0_14. To specify a different JDK, select Other JDK, and enter its location.

Click Next to continue.

Step 7: Configure JDBC Component Schema (always)

Configure each component schema, including OWSM MDS Schema if it was created with Repository Creation Utility (RCU), in the following fields:

  • Component Schema: Select a component schema row.

  • Vendor: Select a database vendor from the list.

  • Driver: Leave the default driver for the database vendor selected, or select a driver for the component schema from the list.

  • Schema Owner: Enter the user name of the application schema owner, specified during schema creation with RCU.

  • Schema Password: Enter the schema password, specified during schema creation with RCU.

  • DBMS/Service: Enter the name of the database instance if Oracle's Driver (Thin) for Instance connections is selected in the Driver field, or enter the service name (global database name) if Oracle's Driver (Thin) for Service connections is selected in the Driver field. For Microsoft SQL Server, you must enter a database name because there is no service name.

    Specify the database that contains the application schema or schemas.

    For Oracle RAC databases, specify the service name of one of the nodes in this field. For example: sales.example.com.

  • Host Name: Specify the name of the machine on which your database resides, in the format host.example.com. For Oracle RAC databases, specify the Virtual IP name or one of the node names as the host name.

  • Listen Port: Specify the database listen port number. The default port number for an Oracle Database instance is 1521. The default port number for Microsoft SQL Server is 1433.

Click Next to continue.

Step 8: Test Component Schema (always)

The configuration wizard automatically tests the connection to the JDBC component schema.

If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection.

After the test succeeds, click Next to continue.

Step 9: Select Optional Configuration (always)

Optionally, select any or all of these options for configuring the Administration Server and Managed Servers:

  • Administration Server

  • Managed Servers, Clusters and Machines

  • Deployments and Services

  • RDBMS Security Store

Click Next to continue to the configuration screens for the selected options or, if you did not select any options, to the Configuration Summary screen.

Step 10: Configure the Administration Server (appears if you selected Administration Server on the Select Optional Configuration screen)

The default listen port number for the Administration Server is 7001, which you can change.

If you want to change the configuration of SSL for the Administration Server, you can select SSL enabled. The SSL port is set to 7002 by default in the SSL Listen Port field. If SSL enabled is selected, you can change the SSL listen port value.

Click Next to continue.

Step 11: Configure Managed Servers (appears if you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen)

Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value. For increased security, you can specify a nondefault port number.

Table 4-2 lists the default port values for the Managed Servers that run Oracle Enterprise Content Management Suite applications.

If you want to change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value.

For Oracle IRM, SSL is enabled by default, with port number 16101. SSL needs to be enabled so that Oracle IRM Desktop does not show prompts to accept certificates when it contacts the Managed Server. The certificate used must be trusted by Microsoft Internet Explorer on computers running Oracle IRM Desktop.

Click Next to continue.

Step 12: Configure Clusters (appears if you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen)

Optionally, configure one or more clusters.

Click Next to continue.

Step 13: Configure Machines (appears if you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen)

Optionally, configure machines to host Oracle WebLogic Server.

Click Next to continue.

Step 14: Target Deployments to Clusters or Servers (appears if you selected Deployments and Services on the Select Optional Configuration screen)

Optionally, assign each Managed Server to a cluster.

Deploy Oracle IRM either to a cluster as a whole or to a Managed Server that is not a member of any cluster, because Oracle IRM uses a persistent-store-type of replicated_if_clustered: if the Oracle IRM Web application is deployed to a cluster, the in-effect persistent-store-type is replicated; otherwise the default, memory, is used.

Do not deploy the Oracle IRM application to an individual server that is a member of a cluster.

Click Next to continue.

Step 15: Target Services to Clusters or Servers (appears if you selected Deployments and Services on the Select Optional Configuration screen)

Optionally, modify how your services are targeted to servers or clusters.

If OWSM MDS Schema was created with RCU, target it to the Administration Server by selecting AdminServer on the left and mds-owsm under JDBC and JDBC System Resource on the right.

Click Next to continue.

Step 16: Configure RDBMS Security Store Database (appears if you selected RDBMS Security Store on the Select Optional Configuration screen)

Optionally, make changes to your RDBMS security store.

Click Next to continue.

Step 17: Configuration Summary (always)

Review your configuration and make any corrections or updates by following the instructions on the screen.

You can click Previous on each screen to go back to a screen where you want to change the configuration.

When the configuration is satisfactory, click Create to create the domain.

Step 18: Creating Domain (always)

When the domain is created successfully, click Done.


Table 4-2 lists the default port values for the Managed Servers that run Oracle Enterprise Content Management Suite applications.

Table 4-2 Default Ports for Managed Servers

Managed Server    Default Listen Port    Default SSL Port    Port Range
Oracle I/PM       16000                  16001               16000-16099
Oracle IRM        16100                  16101               16100-16199


The following operations should have completed successfully:

4.3 Extending an Existing Domain

You can extend an existing Oracle WebLogic Server domain to configure one or more Oracle Enterprise Content Management Suite applications. Fusion Middleware Configuration Wizard is in the ECM_ORACLE_HOME/common/bin directory (UNIX system) or ECM_ORACLE_HOME\common\bin directory (Windows system).

You can also extend a domain to include other applications in the same domain. For example, you could extend an Oracle WebCenter domain to include an Oracle IRM Managed Server. Or you could extend an Oracle I/PM domain to include Oracle SOA Suite.


Note:

Before you extend a domain to include Oracle SOA Suite on an AIX platform, you need to confirm that the soa-ibm-addon.jar file is in the SOA_ORACLE_HOME/soa/modules directory. Make sure that the file is there, and add the following entry to the SOA_ORACLE_HOME/bin/ant-sca-compile.xml file at line 65:
 <include name="soa-ibm-addon.jar"/>

Table 4-3 describes the steps for extending a domain and provides links to descriptions of the screens in Appendix B, "Oracle Enterprise Content Management Suite Configuration Screens."

Table 4-3 Procedure for Extending an Existing Domain

Each entry gives the step number, the screen, when the screen appears, and the description and action required.

Step 1: No screen (always)

Start Fusion Middleware Configuration Wizard.

On a UNIX operating system:

cd ECM_ORACLE_HOME/common/bin
./config.sh

On a Windows operating system:

cd ECM_ORACLE_HOME\common\bin
config.cmd

Step 2: Welcome (always)

Select Extend an existing WebLogic Domain.

Click Next to continue.

Step 3: Select a WebLogic Domain Directory (always)

Select the Oracle WebLogic Server directory to which you want to add your applications or services, or both.

Click Next to continue.

Step 4: Select Extension Source (always)

Select Extend my domain automatically to support the following added products and either or both of these products:

  • Oracle Information Rights Management

  • Oracle Imaging and Process Management

When you select Oracle Imaging and Process Management or Oracle Information Rights Management on the Select Domain Source screen, Oracle Enterprise Manager and Oracle JRF are automatically selected.

Click Next to continue.

Step 5: Configure JDBC Component Schema (always)

Configure each component schema, including OWSM MDS Schema if it was created with Repository Creation Utility (RCU), in the following fields:

  • Component Schema: Select a component schema row.

  • Vendor: Select a database vendor from the list.

  • Driver: Leave the default driver for the database vendor selected, or select a driver for the component schema from the list.

  • Schema Owner: Enter the user name of the application schema owner, specified during schema creation with Repository Creation Utility (RCU).

  • Schema Password: Enter the schema password, specified during schema creation with RCU.

  • DBMS/Service: Enter the name of the database instance if Oracle's Driver (Thin) for Instance connections is selected in the Driver field, or enter the service name (global database name) if Oracle's Driver (Thin) for Service connections is selected in the Driver field. For SQL Server, you must enter a database name because there is no service name.

    Specify the database that contains the application schema or schemas.

    For Oracle RAC databases, specify the service name of one of the nodes in this field. For example: sales.example.com.

  • Host Name: Specify the name of the machine on which your database resides, in the format host.example.com. For Oracle RAC databases, specify the Virtual IP name or one of the node names as the host name.

  • Listen Port: Specify the database listen port number. The default port number for an Oracle Database instance is 1521. The default port number for SQL Server is 1433.

Click Next to continue.

Step 6: Test Component Schema (always)

The configuration wizard automatically tests the connection to the JDBC component schema.

If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection.

After the test succeeds, click Next to continue.

Step 7: Select Optional Configuration (always)

Optionally, select any or all of these options for configuring Managed Servers:

  • Managed Servers, Clusters and Machines

  • Deployments and Services

  • JMS File Store

Click Next to continue to the configuration screens for the selected options or, if you did not select any options, to the Configuration Summary screen.

Step 8: Configure Managed Servers (appears if you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen)

Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value or, for increased security, specify a nondefault port number.

Table 4-2 lists the default port values for the Managed Servers that run Oracle Enterprise Content Management Suite applications.

To change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value.

For Oracle IRM, SSL is enabled by default, with port number 16101. SSL needs to be enabled so that Oracle IRM Desktop does not show prompts to accept certificates when it contacts the Managed Server. The certificate used must be trusted by Microsoft Internet Explorer on computers running Oracle IRM Desktop.

Click Next to continue.

Step 9: Configure Clusters (appears if you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen)

Optionally, change the cluster configuration.

Click Next to continue.

Step 10: Configure Machines (appears if you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen)

Optionally, configure machines to host Oracle WebLogic Server.

Click Next to continue.

Step 11: Target Deployments to Clusters or Servers (appears if you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen)

Optionally, assign each Managed Server to a cluster.

Deploy Oracle IRM either to a cluster as a whole or to a Managed Server that is not a member of any cluster, because Oracle IRM uses a persistent-store-type of replicated_if_clustered: if the Oracle IRM Web application is deployed to a cluster, the in-effect persistent-store-type is replicated; otherwise the default, memory, is used.

Do not deploy the Oracle IRM application to an individual server that is a member of a cluster.

Click Next to continue.

Step 12: Target Services to Clusters or Servers (appears if you selected Deployments and Services on the Select Optional Configuration screen)

Optionally, modify how your services are targeted to servers or clusters.

If OWSM MDS Schema was created with RCU, target it to the Administration Server by selecting AdminServer on the left and mds-owsm under JDBC and JDBC System Resource on the right.

Click Next to continue.

Step 13: Configuration Summary (always)

When the configuration is satisfactory, click Extend to extend the domain.

Step 14: Creating Domain (Extended Domain) (always)

When the domain is successfully extended, click Done.


The following operations should have completed successfully:

4.4 Reassociating the Identity Store with an External LDAP Authentication Provider

In a production system, Oracle Enterprise Content Management Suite applications need to use an external Lightweight Directory Access Protocol (LDAP) authentication provider rather than the Oracle WebLogic Server embedded LDAP server, which is part of the default configuration. You need to reassociate the identity store for your application with one of the external LDAP authentication providers listed in Table 4-4 before you complete the configuration of a Managed Server and before you connect a Managed Server to a repository.

The user who logs in first to an Oracle I/PM Managed Server is provisioned with full security throughout the server. It is therefore easier to reassociate the identity store for Oracle I/PM with an external LDAP authentication provider before the first user logs in, completes the configuration of the Oracle I/PM Managed Server, and connects it to the Oracle Universal Content Management (Oracle UCM) repository.

The Oracle IRM domain, which is different from the Oracle WebLogic Server domain, gets created the first time a user logs in to the Oracle IRM Management Console. The first user who logs in to the console with the WebLogic Administrator role is made the Domain Administrator for the Oracle IRM instance. Before you migrate user data for Oracle IRM, the users need to be in the target LDAP identity store. The general process for reassociating Oracle IRM users and migrating data follows:

  1. Back up existing data with the preIRMUserStoreUpgrade script.

  2. Reassociate the identity store with an external LDAP directory.

  3. Verify that all users and groups exist in the target LDAP identity store.

  4. Migrate data with the postIRMUserStoreUpgrade script.

You can reassociate the identity store for an Oracle WebLogic Server domain with Oracle Internet Directory and migrate Oracle I/PM or Oracle IRM users from the embedded LDAP directory to Oracle Internet Directory. The following procedure describes how to reassociate the identity store with Oracle Internet Directory.

You can use a similar procedure to reassociate the identity store with other LDAP authentication providers. Each provider has a specific authenticator type, and only that type should be configured. Table 4-4 lists the available authenticator types.

Table 4-4 LDAP Authenticator Types

LDAP Authentication Provider    Authenticator Type
Microsoft AD                    ActiveDirectoryAuthenticator
SunOne LDAP                     IPlanetAuthenticator
Oracle Internet Directory       OracleInternetDirectoryAuthenticator
Oracle Virtual Directory        OracleVirtualDirectoryAuthenticator
EDIRECTORY                      NovellAuthenticator
OpenLDAP                        OpenLDAPAuthenticator
EmbeddedLDAP                    DefaultAuthenticator


To reassociate the identity store with an external LDAP authentication provider:

  1. Create the same Administration user in Oracle Internet Directory that was created during configuration of the domain that includes the Managed Server for your application; for example, weblogic.

    For optional user attributes, set the userPassword and user name attributes to whatever you configured for the domain Administration user name. For example, if uid was configured as a user name attribute, then you would need to set the same value for the uid attribute in Oracle Internet Directory.

  2. Enter the same password for the Oracle Internet Directory user that was specified for the corresponding domain user.

  3. If a user with the Administrator role has already logged into the Oracle IRM Management Console, before switching over to a new identity store, run preIRMUserStoreUpgrade() to back up the User information, as follows:

    cd ECM_ORACLE_HOME/common/bin 
    ./wlst.sh 
    wls:/offline> connect('weblogic','password','t3://managedServerHost:ManagedServerPort')
    Connecting to t3://managedServerHost:ManagedServerPort with userid weblogic ...
    Successfully connected to managed Server 'IRM_server1' that belongs to domain
    'base_domain'. 
    wls:/base_domain/serverConfig> preIRMUserStoreUpgrade()
    Enter Server URL: t3://managedServerHost:ManagedServerPort
    Enter Username: weblogic
    Enter Password:
    Connecting to server...
    No. of accounts retrieved so far: 1
    Done! 
    wls:/base_domain/serverConfig> exit() 
    
  4. Configure the Oracle Internet Directory authentication provider:

    1. Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 7.1, "Starting the Administration Server."

    2. Log in to the Administration Console as the domain Administration user, at this URL:

      http://adminServerHost:adminServerPort/console
      

      For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

      http://myHost:7001/console
      

      To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.

    3. Under Domain Structure on the left, select Security Realms.

    4. In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.

    5. Click the Providers tab, and then click New under the Authentication Providers table on the Authentication tab.

    6. In the Create a new Authentication Provider dialog box, enter a provider name in the Name field, change the type to OracleInternetDirectoryAuthenticator, and then click OK.

      For a list of authenticator types for different LDAP Authentication Providers, see Table 4-4.

    7. In the Authentication Providers table, click Reorder, move the provider you just created to the top of the list, and then click OK.

    8. Click DefaultAuthenticator, change the Control Flag value to OPTIONAL, and then click Save.

    9. Go back to the Providers tab.

    10. Click the name of the authentication provider you just created to navigate to the Configuration tab for the provider.

      For Oracle IRM, do not change the Control Flag value until you have verified that the Oracle Internet Directory configuration is valid.

      For Oracle I/PM, change the Control Flag value to SUFFICIENT, and then click Save.

      SUFFICIENT means that if a user can be authenticated against Oracle Internet Directory, no further authentication is processed.

      REQUIRED means that the authentication provider must succeed even if another provider already authenticated the user. If the embedded LDAP has been set to OPTIONAL and Oracle Internet Directory has been set to REQUIRED, the embedded LDAP user is no longer valid.

    11. Click the Provider Specific tab.

      Set Provider Specific values in the following fields, and leave default values in the other fields:

      • Host: The host name or IP address of the LDAP server.

      • Port: The Oracle Internet Directory Port, 389 by default.

      • Principal: The Distinguished Name (DN) of the LDAP user that Oracle WebLogic Server should use to connect to the LDAP server; for example:

        cn=orcladmin
        
      • Credential: The credential used to connect to the LDAP server (usually a password).

      • Confirm Credential: The same value as for the Credential field.

      • User Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains users; for example:

        cn=users,dc=example,dc=com
        

        In Oracle Internet Directory, this is the value of the User Search Base attribute, which you can look up in the OIDDAS administration dialog.


        Note:

        Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by an Oracle IRM or Oracle I/PM application.

      • Use Retrieved User Name as Principal: Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal value.

        Select this attribute for Oracle IRM.

      • Group Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains groups; for example:

        cn=groups,dc=example,dc=com
        

        In Oracle Internet Directory, this is the value of the Group Search Base attribute, which you can look up in the OIDDAS administration dialog.


        Note:

        Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by an Oracle IRM or Oracle I/PM application.

      • Propagate Cause For Login Exception: Propagates exceptions thrown by Oracle Internet Directory, like password expired exceptions, to Oracle WebLogic Server so they show in the console and the logs.

        Select this attribute for Oracle IRM, in the General area of the tab.

      If you modify a user name attribute to something other than the default value set for the LDAP server in the authenticator, you must also edit the jps-config.xml file to correspond to the modified value. Specifically, you need to add the username.attr and user.login.attr properties, shown in the following example, for user lookups to function correctly.

      <!-- JPS WLS LDAP Identity Store Service Instance -->
      <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
        <property name="idstore.config.provider"
                  value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
        <property name="username.attr" value="uid"/>
        <property name="user.login.attr" value="uid"/>
      </serviceInstance>

    12. Click Save.

  5. Shut down the Administration Server, and then restart it to activate the changes.


    Note:

    Authentication providers in an Oracle WebLogic Server domain are chained: a login is passed through every configured authentication provider in order, and each provider's Control Flag determines how its result counts. With the Control Flag value set to OPTIONAL for the default provider, that provider is allowed to fail without causing a server startup or user authentication failure.

  6. After the server is up again, log in to the Administration Console again, and click Security Realms under Domain Structure.

  7. In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.

  8. Click the Providers tab, and then click the Users and Groups tab. The Users tab lists the users contained in the configured authentication providers; click the Groups tab to see the list of groups.

    You should see user names from the Oracle Internet Directory configuration, which implicitly verifies that the configuration is working.

  9. Check that you have switched the security provider successfully, with either or both of these basic tests:

    • After the creation of the new security provider is complete, verify that all the users in that security provider are listed in that same user-group presentation as the list from Step 3.

    • Access the Managed Server URL, and log in as any of the Oracle Internet Directory users.

      For information about accessing a Managed Server, see Section 7.2, "Starting Managed Servers."

  10. For Oracle IRM, if the Oracle Internet Directory instance is configured successfully, change the Control Flag value to SUFFICIENT, and then click Save.

    SUFFICIENT means that if a user can be authenticated against Oracle Internet Directory, no further authentication is processed.

    REQUIRED means that the authentication provider must succeed even if another provider already authenticated the user. If the embedded LDAP has been set to OPTIONAL and Oracle Internet Directory has been set to REQUIRED, the embedded LDAP user is no longer valid.

  11. For Oracle IRM, restart the Administration Server and the Managed Server.

  12. For Oracle IRM, if a user with the Administrator role has already logged into the Management Console, run postIRMUserStoreUpgrade() to update the user information in the Oracle IRM database with new GUIDs, as follows:

    wls:/offline> connect('weblogic','password','t3://managedServerHost:managedServerPort')
    Connecting to t3://hostname:port with userid weblogic ...
    Successfully connected to managed Server 'IRM_server1' that belongs to domain
    'base_domain'. 
    wls:/base_domain/serverConfig> postIRMUserStoreUpgrade()
    Enter Server URL: t3://managedServerHost:ManagedServerPort
    Enter Username: weblogic
    Enter Password:
    Connecting to server...
    Migrating account name: weblogic
    Migration Succeeded
    .
    Migration Summary
    -----------------
    Total number of accounts: 1
    No. of accounts migrated: 1
    No. of failures: 0 
    

After the reassociation of the identity store, users in Oracle Internet Directory have the same rights that their namesakes had in the Oracle WebLogic Server embedded LDAP server before the migration of user data. For example, if a user existed in the embedded LDAP server before the migration with the user name weblogic and an Oracle IRM role of Domain Administrator, then after migration the user in Oracle Internet Directory with the user name weblogic would have the Oracle IRM role of Domain Administrator.
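The control-flag rules in this procedure (OPTIONAL may fail, SUFFICIENT ends the chain on success, REQUIRED must succeed) are the JAAS semantics Oracle WebLogic Server applies to its provider chain. The following added example, which is not Oracle code, models that chain with a constructed embedded LDAP store and a constructed Oracle Internet Directory store (provider names, user names and passwords are sample values, and the directory provider is assumed to be ordered first); it also covers the REQUISITE flag, which the page does not mention.

```python
# Added illustration of how chained authentication providers combine their
# control flags (JAAS semantics as used by Oracle WebLogic Server). Not Oracle
# code; the provider contents below are constructed sample data.
from dataclasses import dataclass, field

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


@dataclass
class Provider:
    name: str
    flag: str
    users: dict = field(default_factory=dict)  # user name -> password (sample only)

    def login(self, user, password):
        return self.users.get(user) == password


def authenticate(chain, user, password):
    """Run the login through every provider in order and combine the results.

    REQUIRED / REQUISITE: must succeed; a REQUISITE failure stops the chain at once.
    SUFFICIENT: success ends the chain (unless a REQUIRED/REQUISITE already failed).
    OPTIONAL: allowed to fail; counts only when no REQUIRED/REQUISITE is configured.
    """
    saw_required = required_failed = optional_ok = False
    for provider in chain:
        ok = provider.login(user, password)
        if provider.flag in (REQUIRED, REQUISITE):
            saw_required = True
            if not ok:
                required_failed = True
                if provider.flag == REQUISITE:
                    break
        elif provider.flag == SUFFICIENT:
            if ok and not required_failed:
                return True  # no further provider is consulted
        elif ok:  # OPTIONAL provider succeeded
            optional_ok = True
    return not required_failed if saw_required else optional_ok


def build_chain(oid_flag, embedded_flag=OPTIONAL):
    """Constructed domain: the embedded LDAP server still holds 'weblogic'; Oracle
    Internet Directory holds a namesake 'weblogic' and a directory-only user."""
    embedded = Provider("DefaultAuthenticator", embedded_flag, {"weblogic": "embedded-pw"})
    oid = Provider("OIDAuthenticator", oid_flag, {"weblogic": "oid-pw", "jdoe": "jdoe-pw"})
    return [oid, embedded]  # assumes the Oracle Internet Directory provider is ordered first


if __name__ == "__main__":
    for flag in (SUFFICIENT, REQUIRED):
        for user, pw in (("jdoe", "jdoe-pw"), ("weblogic", "embedded-pw")):
            print(f"OID={flag:10} {user}/{pw}: {authenticate(build_chain(flag), user, pw)}")
```

With Oracle Internet Directory set to SUFFICIENT the embedded-only user still authenticates through the OPTIONAL default provider; with it set to REQUIRED that user is rejected, which is the "no longer valid" case described in Step 10.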

4.5 Adding Users to Oracle Internet Directory

You can add users to Oracle Internet Directory with Oracle Directory Services Manager, which is part of Oracle Identity Management. To add an entry to the directory with Oracle Directory Services Manager, you must have write access to the parent entry, and you must know the Distinguished Name (DN) to use for the new entry.


Note:

When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.

For information about adding a group entry, see "Managing Dynamic and Static Groups" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. For more information about entries, see "Managing Directory Entries" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

To add users to Oracle Internet Directory:

  1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server.

  2. From the task selection bar, select Data Browser.

  3. On the toolbar, select the Create a new entry icon. Alternatively, right-click any entry and choose Create.

    The Create New Entry wizard starts.

  4. Specify the object classes for the new entry.

    To select object class entries, click the Add icon and use the Add Object Class dialog box. Optionally, use the search box to filter the list of object classes. To add the object class, select it, and then click OK. (All the superclasses from this object class through top are also added.)


    Note:

    You must assign user entries to the inetOrgPerson object class for the entries to appear in the Oracle Internet Directory Self-Service Console in Oracle Delegated Administration Services.

  5. In the Parent of the entry field, you can specify the full DN of the parent entry for the entry you are creating.

    You can also click Browse to locate and select the DN of the parent for the entry you want to add. If you leave the Parent of the entry field blank, the entry is created under the root entry.

  6. Click Next.

  7. Choose an attribute that will be the Relative Distinguished Name (RDN) value for this entry and enter a value for that attribute.

    You must enter values for attributes that are required for the object class you are using, even if none of them is the RDN value. For example, for object class inetorgperson, attributes cn (common name) and sn (surname or last name) are required, even if neither of them is the RDN value.

  8. Click Next.

    The wizard displays the next page. (Alternatively, you can click Back to return to the previous page.)

  9. Click Finish.

  10. To manage optional attributes, navigate to the entry you have just created in the Data Tree.

  11. If the entry is a person, click the Person tab and use it to manage basic user attributes.

    Click Apply to save your changes or Revert to discard them.

    If the entry is a group, see "Managing Dynamic and Static Groups" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for instructions.

  12. If this is a person entry, you can upload a photograph.

    To upload a photograph, click Browse, navigate to the photograph, then click Open.

    To update the photograph, click Update and follow the same procedure.

    To delete the photograph, click the Delete icon.

  13. Click Apply to save your changes or Revert to discard them.
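The wizard above adds the superclasses through top for you and requires cn and sn for inetOrgPerson. The following added example, which is not Oracle code, does the same checks client-side while building an LDIF entry from a parent DN, an RDN attribute and a set of attributes; the schema subset, the parent DN and the sample user are constructed for the illustration.

```python
# Added illustration: build and sanity-check an LDIF entry for an inetOrgPerson
# user before adding it to Oracle Internet Directory. Not Oracle code; the schema
# subset, parent DN and sample user are constructed here, not read from a server.
import base64

# Constructed subset of the standard LDAP schema: object class -> (superclass, MUST attributes)
SCHEMA = {
    "top": (None, {"objectClass"}),
    "person": ("top", {"cn", "sn"}),
    "organizationalPerson": ("person", set()),
    "inetOrgPerson": ("organizationalPerson", set()),
}


def object_class_chain(name):
    """The class and every superclass through top, most specific first."""
    chain = []
    while name is not None:
        chain.append(name)
        name = SCHEMA[name][0]
    return chain


def required_attributes(name):
    """Attributes that must carry a value, collected over the whole superclass chain."""
    required = set().union(*(SCHEMA[oc][1] for oc in object_class_chain(name)))
    required.discard("objectClass")  # supplied from the chain, not by the caller
    return required


def escape_dn_value(value):
    """Escape an RDN value per RFC 4514 so the resulting DN stays parseable."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_line(attr, value):
    """LDIF value line; base64-encode values that are not LDIF-safe strings."""
    safe = value.isascii() and value[:1] not in (" ", ":", "<") and not any(c in value for c in "\0\r\n")
    return f"{attr}: {value}" if safe else f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def build_entry(parent_dn, rdn_attr, object_class, attrs):
    """Return (dn, ldif), rejecting a valueless RDN attribute or a missing required attribute."""
    if not attrs.get(rdn_attr):
        raise ValueError(f"RDN attribute {rdn_attr} has no value")
    missing = required_attributes(object_class) - {k for k, v in attrs.items() if v}
    if missing:
        raise ValueError(f"{object_class} requires {sorted(missing)}")
    rdn = f"{rdn_attr}={escape_dn_value(attrs[rdn_attr])}"
    dn = f"{rdn},{parent_dn}" if parent_dn else rdn  # blank parent: created under the root entry
    lines = [f"dn: {dn}"]
    lines += [f"objectClass: {oc}" for oc in reversed(object_class_chain(object_class))]
    lines += [ldif_line(k, v) for k, v in attrs.items()]
    return dn, "\n".join(lines) + "\n"
```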

4.6 Configuring Desktop Authentication

You can configure single sign-on (SSO), Oracle Access Manager (OAM), SAML with single sign-on (SSO), and Windows Native Authentication.

For an overview of SSO, see "Configuring Single Sign-On in Oracle Fusion Middleware" in Oracle Fusion Middleware Security Guide.

For an overview of Oracle WebLogic Server authentication providers, see "Configuring Authentication Providers" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

4.6.1 Configuring Oracle Access Manager

Oracle Access Manager enables users to seamlessly gain access to Web applications and other IT resources across your enterprise. OAM provides a centralized and automated single sign-on (SSO) solution, which includes an extensible set of authentication methods and the ability to define workflows around them. OAM also contains an authorization engine, which grants or denies access to particular resources based on properties of the user requesting access as well as on the environment from which the request was made. Comprehensive policy management, auditing, and integration with other components of your IT infrastructure enrich this core functionality.

For more information about Oracle Access Manager, see "Deploying the Oracle Access Manager Solutions" in Oracle Fusion Middleware Security Guide.

4.6.2 Configuring SAML with SSO

To configure the Oracle WebLogic Server SAML authentication provider with SSO for Oracle IRM to share authentication with Oracle I/PM, you need to move the Assertion Consumer Service (ACS) inside Oracle IRM. Specify contextRoot/samlacs/acs (for example, /irm_rights/samlacs/acs), instead of simply /samlacs/acs, as the ACS URI when configuring the destination site federation services and the Relying Party on the source site.

SSO authentication enables users to log in once and seamlessly navigate between applications without having to log in to each application separately. For information about LDAP and SSO configuration, see "Managing Security" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.

For SAML configuration information, see "Configuring the SAML Authentication Provider" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

4.6.3 Configuring Windows Native Authentication

For information about configuring Windows Native Authentication (Kerberos), see "Configuring a Windows NT Authentication Provider" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

4.7 Configuring Managed Server Clusters

For production environments that require increased application performance, throughput, or high availability, you can configure two or more Managed Servers to operate as a cluster. A cluster is a collection of multiple Oracle WebLogic Server server instances running simultaneously and working together to provide increased scalability and reliability. In a cluster, most resources and services are deployed identically to each Managed Server (as opposed to a single Managed Server), enabling failover and load balancing. A single domain can contain multiple Oracle WebLogic Server clusters, as well as multiple Managed Servers that are not configured as clusters. The key difference between clustered and nonclustered Managed Servers is support for failover and load balancing. These features are available only in a cluster of Managed Servers.

For an overview of clusters, see "Understanding WebLogic Server Clustering" in Oracle Fusion Middleware Using Clusters for Oracle WebLogic Server.

If you select Managed Servers, Clusters, and Machines on the Select Optional Configuration screen, you will see the screens described in Table 4-5.

Table 4-5 Managed Servers, Clusters, and Machines Advanced Settings Screens

No.  Screen                                     Description and Action Required
---  -----------------------------------------  ------------------------------------------------------------------
1    Configure Managed Servers                  Add new managed servers, or edit and delete existing managed servers. Click Next to continue.
2    Configure Clusters                         Create clusters if you are installing in a high availability environment. For more information, refer to Oracle Fusion Middleware High Availability Guide. Click Next to continue.
5    Configure Machines                         Configure the machines that will host the managed servers. Click Next to continue.
3    Target Deployments to Clusters or Servers  Assign your managed servers to clusters or servers in your domain. Click Next to continue.
4    Target Services to Clusters or Servers     Use this screen to target your services (such as JMS and JDBC) to servers or clusters so that your applications can use the services. Click Next to continue.


You can add a Managed Server to a cluster later, with the Administration Console or Fusion Middleware Control. For more information, see "Scaling Your Environment" in Oracle Fusion Middleware Administrator's Guide.

4.8 Migrating a Domain with Pack and Unpack

When an Oracle IRM domain is created, the weblogic user is made the domain administrator. A relation is created in the Oracle IRM database schema for the user GUID.

When a second domain is created with pack and unpack, users need to be migrated with the Oracle IRM user migration commands. After the new domain is created, the GUIDs of the users change in the Oracle WebLogic Server embedded LDAP server, but the Oracle IRM schema still contains the old GUIDs. You have to use the user migration commands to synchronize the new GUIDs (for the second domain).

User migration should be performed for any additional Oracle IRM domains created using the same database schema. With the embedded LDAP server, only one of the domains that share the schema can be active at a time. More than one active domain can share a schema if you reassociate the first domain with an external LDAP authentication provider, as described in Section 4.4, "Reassociating the Identity Store with an External LDAP Authentication Provider," and then point each additional domain to the external LDAP authentication provider.


Note:

Before packing and unpacking an Oracle IRM domain, you need to configure a key store. For more information, see Section 6.1.2, "Configuring a Key Store for Oracle IRM."

To migrate an Oracle IRM domain with Pack and Unpack:

  1. Run Fusion Middleware Configuration Wizard to create an Oracle WebLogic Server domain with Oracle IRM deployed to a Managed Server, as described in Section 4.2, "Creating an Oracle WebLogic Server Domain."

  2. Reassociate the identity store of the domain with an external LDAP, as described in Section 4.4, "Reassociating the Identity Store with an External LDAP Authentication Provider."

  3. Navigate to the bin directory under the common directory in the ECM Oracle home.

    • UNIX operating system: MW_HOME/ECM_ORACLE_HOME/common/bin

    • Windows operating system: MW_HOME\ECM_ORACLE_HOME\common\bin

  4. Before creating a second domain, run the preIRMUserStoreUpgrade() script to back up the user information, as follows:

    preIRMUserStoreUpgrade() 
    
    wls:/offline> connect() 
    Please enter your username [weblogic] :weblogic 
    Please enter your password [weblogic] : 
    Please enter your server URL [t3://localhost:7001] 
    :t3://host:7210 
    Connecting to t3://host:7210 with userid weblogic ... 
    Successfully connected to managed Server 'IRM_server1' that belongs to domain 
    'base_domain4'. 
    
    Warning: An insecure protocol was used to connect to the 
    server. To ensure on-the-wire security, the SSL port or 
    Admin port should be used instead. 
    
    wls:/base_domain4/serverConfig> preIRMUserStoreUpgrade() 
    Enter Server URL: t3://host:7210 
    Enter Username: weblogic 
    Enter Password: 
    Connecting to server... 
    No. of accounts retrieved so far: 1 
    Done! 
    wls:/base_domain4/serverConfig> exit() 
    
  5. Pack base_domain4, as in the following UNIX example:

    ./pack.sh -domain=$MW_HOME/user_projects/domains/base_domain4 
    -template=$MW_HOME/user_projects/templates/base_domain4.jar 
    -template_name="IRM DOMAIN TEMPLATE" -template_author="name" 
    -template_desc="IRM Domain" -managed="false" 
    -log=$MW_HOME/user_projects/templates/pack_base_domain4.log 
    -log_priority=debug 
    
  6. Create a second domain by unpacking the file created in the preceding step (base_domain4.jar); for example:

    ./unpack.sh -template=$MW_HOME/user_projects/templates/base_domain4.jar 
    -domain=$MW_HOME/user_projects/domains/base_domain5 
    -app_dir=$MW_HOME/user_projects/applications/base_domain5 
    -log=$MW_HOME/user_projects/templates/base_domain5.log
    
  7. Stop the Administration Server and Oracle IRM Managed Server in the first domain (base_domain4), as described in Section 8.2, "Stopping Oracle Fusion Middleware Server and Processes."

  8. Start the Administration Server and Oracle IRM Managed Server in the second domain (base_domain5).

  9. Connect to the Oracle IRM Managed Server in the second domain, and run the postIRMUserStoreUpgrade() script to update the user information in the Oracle IRM database schema with the new GUIDs, as follows:

    postIRMUserStoreUpgrade() 
    
    wls:/offline> connect() 
    Please enter your username [weblogic] :weblogic 
    Please enter your password [weblogic] : 
    Please enter your server URL [t3://localhost:7001] 
    :t3://host:7210 
    Connecting to t3://host:7210 with userid weblogic ... 
    Successfully connected to managed Server 'IRM_server1' that belongs to domain 
    'base_domain5'. 
    
    Warning: An insecure protocol was used to connect to the 
    server. To ensure on-the-wire security, the SSL port or 
    Admin port should be used instead. 
    
    wls:/base_domain5/serverConfig> postIRMUserStoreUpgrade() 
    Enter Server URL: t3://host:7210 
    Enter Username: weblogic 
    Enter Password: 
    Connecting to server... 
    Migrating account name: weblogic 
    Migration Succeeded 
    
    Migration Summary 
    ----------------- 
    Total number of accounts: 1 
    No. of accounts migrated: 1 
    No. of failures: 0 
    
    
  10. Configure the Oracle Internet Directory authentication provider:

    1. Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 7.1, "Starting the Administration Server."

    2. Log in to the Administration Console as the domain Administration user, at this URL:

      http://adminServerHost:adminServerPort/console
      

      For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

      http://myHost:7001/console
      

      To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.

    3. Under Domain Structure on the left, select Security Realms.

    4. In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.

    5. Click the Providers tab, and then click the name of the external LDAP authentication provider in the Authentication Providers table on the Authentication tab.

    6. Click Save.

  11. Restart the Oracle IRM Managed Server.

  12. Access the Managed Server URL of the unpacked domain (base_domain5).

    In general, whatever privileges users had in the first domain continue to exist in the new domain, provided the user migration commands are used. To verify that the user migration commands were successful, make sure that the user names are the same in the first domain and the second domain.