This chapter explains how to configure an Oracle WebLogic Server domain for Oracle Enterprise Content Management Suite applications, in these topics:
Preparing to Configure Oracle Enterprise Content Management Suite
Installing Libraries and Setting Environment Variables for Outside In Technology
Reassociating the Identity Store with an External LDAP Authentication Provider
Installing Fonts for National Language Support on a UNIX System
After you have successfully run the Oracle Fusion Middleware 11g Oracle Enterprise Content Management Suite Installer and created application schemas, you can deploy and configure the following Oracle Enterprise Content Management Suite products as applications:
Oracle Universal Content Management (Oracle UCM)
Oracle Inbound Refinery (Oracle IBR)
Oracle Imaging and Process Management (Oracle I/PM)
Oracle Information Rights Management (Oracle IRM)
Oracle Universal Records Management (Oracle URM)
To configure any of these applications, you need to create or extend an Oracle WebLogic Server domain, which includes a Managed Server for each deployed application and one Administration Server. Each of these servers is an Oracle WebLogic Server instance.
Notes:
Before you configure Oracle IRM, you need to apply a patch. For information about the Oracle IRM patch, see Section 3.3, "Applying Patch 12369706 for Oracle Information Rights Management."
For information about application schemas, see Chapter 2, "Creating Schemas for Oracle Enterprise Content Management Suite."
Each of these applications needs to run in its own Managed Server or its own cluster of Managed Servers. You cannot deploy Oracle UCM, Oracle IBR, Oracle I/PM, Oracle IRM, or Oracle URM to a Managed Server or cluster that already has another application deployed. Oracle ECM applications should not be deployed to the Administration Server.
You can create a domain to include one or more of these applications (one Managed Server each). Or you can create a domain to include a Managed Server for at least one application and then extend the domain with Managed Servers for one or more other applications.
Note:
Oracle Enterprise Content Management Suite 11g does not support running Oracle UCM, Oracle IBR, or Oracle URM as a service on a Windows operating system.
For Oracle I/PM to take advantage of Business Process Management (BPM) and Oracle BPEL Process Manager within an existing domain, the domain must be extended with Oracle BPM Suite. If you want to use Oracle BPEL Process Manager and not BPM, you can extend the domain with Oracle SOA Suite. For information about connecting to BPM or Oracle BPEL Process Manager as a workflow server, see "Creating a Workflow Connection" in Oracle Fusion Middleware Administrator's Guide for Oracle Imaging and Process Management.
Note:
The Oracle I/PM product deployment provides for up to 10 GB of disk space to be used to stage simultaneous document uploads through the user interface. This upper limit exists to thwart malicious attacks on the server.
If you have not successfully run the installer on your system, first see Chapter 3, "Installing Oracle Enterprise Content Management Suite."
To create a domain for one or more Oracle Enterprise Content Management Suite applications, follow the instructions in Section 4.2, "Creating an Oracle WebLogic Server Domain."
To extend an existing domain for one or more Oracle Enterprise Content Management Suite applications, follow the instructions in Section 4.3, "Extending an Existing Domain."
Note:
You cannot extend a domain that has an Oracle ECM 11.1.1.2.1 or 11.1.1.3.0 application to include an Oracle ECM 11.1.1.4.0 application.
During the configuration, if you need additional help with any of the screens, either click the name of the screen in the instructions to see its description in Appendix B, "Oracle Enterprise Content Management Suite Configuration Screens," or click Help on the screen in the installer to access the online help.
After you create or extend a domain, you can configure Oracle Enterprise Manager Fusion Middleware Control for administration of Oracle Enterprise Content Management Suite applications. Fusion Middleware Control is deployed to the Administration Server when a domain is created. You can use Fusion Middleware Control for additional configuration tasks.
You can create an Oracle WebLogic Server domain for Oracle Enterprise Content Management Suite with Fusion Middleware Configuration Wizard. When you create a domain for the suite, you configure one or more of its applications.
The configuration wizard is in the following directory, where ECM_ORACLE_HOME represents the ECM Oracle home directory in which Oracle Enterprise Content Management Suite is installed:
UNIX path: ECM_ORACLE_HOME/common/bin
Windows path: ECM_ORACLE_HOME\common\bin
To create a log file of your configuration session, start Fusion Middleware Configuration Wizard with the -log option:
UNIX script: ECM_ORACLE_HOME/common/bin/config.sh -log=log_file_name
Your log file will be created in your oraInventory_location/logs/installActions/logs directory.
Windows script: ECM_ORACLE_HOME\common\bin\config.cmd -log=log_file_name
Your log file will be created in your inventory_location\logs\installActions\logs directory. The default inventory_location value follows:
%PROGRAMFILES%\Oracle\Inventory
Table 4-1 describes the steps for creating a domain and provides links to descriptions of the screens in Appendix B, "Oracle Enterprise Content Management Suite Configuration Screens."
Table 4-1 Procedure for Creating a New Domain
Step | Screen | When This Screen Appears | Description and Action Required |
---|---|---|---|
1 | None. | Always | Start Fusion Middleware Configuration Wizard (config.sh on UNIX or config.cmd on Windows, as described above). |
2 | | Always | Select Create a new WebLogic Domain. Click Next to continue. |
3 | Select Domain Source | Always | Select Generate a domain configured automatically to support the following products, and then select one or more of the Oracle Enterprise Content Management Suite products. When you select Oracle Imaging and Process Management, you also need to select Oracle Universal Content Management - Content Server. When you select any Oracle ECM application on the Select Domain Source screen, Oracle Enterprise Manager and Oracle JRF are automatically selected. If you deselect any of these automatically selected items, the Oracle ECM application is also deselected. If you want a remote deployment of a Site Studio for External Applications web site, you can select Oracle Universal Content Management - SSXA Server to create an Oracle WebLogic Server domain with a Managed Server that has the files required to run the web site. To create a domain that includes Oracle Web Services Manager (Oracle WSM) Policy Manager, select Oracle WSM Policy Manager. Click Next to continue. |
4 | | Always | Enter the name of the domain you want to create in the Domain name field. The default location for the domain follows ( You can specify a different location in the Domain location field. Note: Record the domain name and location from this screen because you will need them later to start the Administration Server. You can specify the location of the Oracle Enterprise Content Management Suite application in the Application location field. The default location is Click Next to continue. |
5 | Configure Administrator User Name and Password | Always | The User name field has the default administrator user name, In the User password field, enter the password for the administrator user. Note: Record the administrator user name and password from this screen because you will need them later to start the Managed Servers and to access the domain through the Oracle WebLogic Server Administration Console or Fusion Middleware Control. Click Next to continue. |
6 | | Always | Under WebLogic Domain Startup Mode, Development Mode is the default mode. For a production system, select Production Mode. Under JDK Selection, you can leave Available JDKs and the default JDK selected, or you can change them. The default JDK for development mode is Sun SDK 1.6.0_21, and the default JDK for production mode is JRockit SDK 1.6.0_20, except on a 64-bit system, where the default JDK is the one you installed. To specify a different JDK, select Other JDK, and enter its location. Click Next to continue. |
7 | | Always | Configure each component schema, including the Oracle WSM MDS schema if it was created with Repository Creation Utility (RCU), by selecting the schema checkbox and then completing the fields for that schema. Click Next to continue. |
8 | | Always | The configuration wizard automatically tests the connection to the JDBC component schema. If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection. After the test succeeds, click Next to continue. |
9 | Select Optional Configuration | Always | Optionally, select any or all of the options for configuring the Administration Server and Managed Servers. Select one or more of these options if you want to change any default settings. For example, select Administration Server to configure SSL for it or change its port number, or select Managed Servers, Clusters and Machines to change the name or port for a Managed Server, add it to a cluster, or configure a machine for it. For Oracle IRM, you should select Administration Server, Managed Servers, Clusters and Machines, and Deployments and Services. Note: To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition. Click Next to continue to the configuration screens for the selected options or, if you did not select any options, to the Configuration Summary screen. |
10 | | If you selected Administration Server on the Select Optional Configuration screen | The default listen port number for the Administration Server is If you want to change the configuration of SSL for the Administration Server, you can select SSL enabled. The SSL port is set to 7002 by default in the SSL Listen Port field. If SSL enabled is selected, you can change the SSL listen port value. Note: If SSL is enabled, before you use WLST to connect to the Administration Server, you must either append the following parameters to the JVM_ARGS section of the -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=KeyStoreName Click Next to continue. |
11 | | If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen | Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value. For increased security, you can specify a nondefault port number. Table 4-2 lists the default port values for the Managed Servers that run Oracle Enterprise Content Management Suite applications. If you want to change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value. For Oracle IRM, SSL is enabled by default, with port number Click Next to continue. |
12 | Configure Clusters | If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen | Optionally, configure one or more clusters. Notes: Click Next to continue. |
13 | | If you configured any clusters on the Configure Clusters screen | Assign two or more of the Managed Servers in the domain to each cluster. Click Next to continue. |
14 | | If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster | Create a proxy application for each Managed Server in the domain that you did not assign to a cluster. Click Next to continue. |
15 | Configure Machines | If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen | Optionally, configure machines to host Managed Servers, and assign a Managed Server to each machine. Click Next to continue. |
16 | | If you added any machines on the Configure Machines screen | Assign at least one server to each machine. Click Next to continue. |
17 | | If you selected Deployments and Services on the Select Optional Configuration screen | Optionally, assign each application to the Administration Server, a Managed Server, or a cluster of Managed Servers. Oracle IRM should be deployed on a cluster or on a Managed Server that is not a member of any cluster because Oracle IRM uses When deploying Oracle IRM to a cluster, make sure that the Oracle IRM application is deployed to all nodes. Click Next to continue. |
18 | | If you selected Deployments and Services on the Select Optional Configuration screen | Optionally, modify how your services are targeted to servers or clusters. Click Next to continue. |
19 | | If you selected RDBMS Security Store on the Select Optional Configuration screen | Optionally, make changes to your RDBMS security store. Click Next to continue. |
20 | Configuration Summary | Always | Review your configuration and make any corrections or updates by following the instructions on the screen. You can click Previous on each screen to go back to a screen where you want to change the configuration. When the configuration is satisfactory, click Create to create the domain. |
21 | | Always | On a Windows operating system, you can select Start Admin Server to start the Administration Server as soon as the configuration is done. When the domain is created successfully, click Done. |
Table 4-2 lists the default port values for the Managed Servers that run Oracle Enterprise Content Management Suite applications.
Table 4-2 Default Ports for Managed Servers
Managed Server | Default Listen Port | Default SSL Port | Port Range |
---|---|---|---|
Oracle I/PM | | | |
Oracle IRM | | | |
Oracle UCM | | | |
Oracle IBR | | | |
Oracle URM | | | |
The following operations should have completed successfully:
Creation of an Oracle WebLogic Server domain, with an Administration Server
Creation of a Managed Server for each application that you selected on the Select Domain Source screen
Deployment of each application to its Managed Server
An application is not active until its Managed Server is started. Before you start a Managed Server, see the rest of the configuration information in this chapter and in the configuration chapter for your application. For more information, see Section 10.2, "Starting Managed Servers."
You can extend an existing Oracle WebLogic Server domain to configure one or more Oracle Enterprise Content Management Suite applications. Fusion Middleware Configuration Wizard is in the following directory:
UNIX path: ECM_ORACLE_HOME/common/bin
Windows path: ECM_ORACLE_HOME\common\bin
Note:
You cannot extend a domain that has an Oracle ECM 11.1.1.2.1 or 11.1.1.3.0 application to include an Oracle ECM 11.1.1.4.0 application.
You can also extend a domain to include other applications in the same domain. For example, you could extend an Oracle WebCenter domain to include an Oracle IRM Managed Server. Or you could extend an Oracle I/PM domain to include Oracle SOA Suite.
Note:
Before you extend a domain to include Oracle SOA Suite on an AIX platform, you need to confirm that the soa-ibm-addon.jar file is in the SOA_ORACLE_HOME/soa/modules directory. Make sure that the file is there, and add the following entry to the SOA_ORACLE_HOME/bin/ant-sca-compile.xml file at line 65:
<include name="soa-ibm-addon.jar"/>
Table 4-3 describes the steps for extending a domain and provides links to descriptions of the screens in Appendix B, "Oracle Enterprise Content Management Suite Configuration Screens."
Table 4-3 Procedure for Extending an Existing Domain
Step | Screen | When This Screen Appears | Description and Action Required |
---|---|---|---|
1 | None. | Always | Start Fusion Middleware Configuration Wizard (config.sh on UNIX or config.cmd on Windows, as described above). |
2 | | Always | Select Extend an existing WebLogic Domain. Click Next to continue. |
3 | | Always | Select a directory for adding your applications or services, or both. Click Next to continue. |
4 | Select Extension Source | Always | Select Extend my domain automatically to support the following added products, and then select one or more of the Oracle Enterprise Content Management Suite products. When you select Oracle Imaging and Process Management, you also need to select Oracle Universal Content Management - Content Server, if Oracle UCM is not already configured. When you select any Oracle ECM application on the Select Extension Source screen, Oracle Enterprise Manager and Oracle JRF are automatically selected. If you deselect any of these automatically selected items, the Oracle ECM application is also deselected. If you want a remote deployment of a Site Studio for External Applications web site, you can select Oracle Universal Content Management - SSXA Server to extend an Oracle WebLogic Server domain with a Managed Server that has the files required to run the web site. To extend a domain that includes Oracle Web Services Manager (Oracle WSM) Policy Manager, select Oracle WSM Policy Manager. Click Next to continue. |
5 | | Always | Configure each component schema, including the Oracle WSM MDS schema if it was created with Repository Creation Utility (RCU), in the fields for that schema. Click Next to continue. |
6 | | Always | The configuration wizard automatically tests the connection to the JDBC component schema. If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection. After the test succeeds, click Next to continue. |
7 | Select Optional Configuration | Always | Optionally, select any or all of the options for configuring Managed Servers. Select one or more of these options if you want to change any default settings. For example, select Administration Server to configure SSL for it or change its port number, or select Managed Servers, Clusters and Machines to change the name or port for a Managed Server, add it to a cluster, or configure a machine for it. Note: To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition. For Oracle IRM, you should select Administration Server, Managed Servers, Clusters and Machines, and Deployments and Services. If you are extending a domain that already includes Oracle UCM with Oracle I/PM and plan to use Oracle UCM 11g as the Oracle I/PM repository, select Managed Servers, Clusters and Machines so you can configure a separate machine for running the Oracle I/PM Managed Server. Click Next to continue to the configuration screens for the selected options or, if you did not select any options, to the Configuration Summary screen. |
8 | | If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen | Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value or, for increased security, specify a nondefault port number. Table 4-2 lists the default port values for the Managed Servers that run Oracle Enterprise Content Management Suite applications. To change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value. For Oracle IRM, SSL is enabled by default, with port number Click Next to continue. |
9 | Configure Clusters | If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen | Optionally, change the cluster configuration. Notes: Click Next to continue. |
10 | | If you configured any clusters on the Configure Clusters screen | Assign two or more of the Managed Servers in the domain to each cluster. Click Next to continue. |
11 | | If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster | Create a proxy application for each Managed Server in the domain that you did not assign to a cluster. Click Next to continue. |
12 | Configure Machines | If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen | Optionally, configure machines to host Managed Servers, and assign a Managed Server to each machine. If you are extending a domain that already includes Oracle UCM with Oracle I/PM and plan to use Oracle UCM 11g as the Oracle I/PM repository, configure a separate machine and assign the Oracle I/PM Managed Server to it. Click Next to continue. |
13 | | If you added any machines on the Configure Machines screen | Assign at least one server to each machine. Click Next to continue. |
14 | | If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen | Optionally, assign each application to the Administration Server, a Managed Server, or a cluster of Managed Servers. Oracle IRM should be deployed on a cluster or on a Managed Server that is not a member of any cluster because Oracle IRM uses Make sure that the Oracle IRM application is not deployed to one of the servers in a cluster. Click Next to continue. |
15 | | If you selected Deployments and Services on the Select Optional Configuration screen | Optionally, modify how your services are targeted to servers or clusters. Click Next to continue. |
16 | Configuration Summary | Always | When the configuration is satisfactory, click Extend to extend the domain. |
17 | | Always | On a Windows operating system, you can select Start Admin Server to start the Administration Server as soon as the configuration is done. When the domain is successfully extended, click Done. |
The following operations should have completed successfully:
Extension of an existing Oracle WebLogic Server domain to include the application or applications that you selected on the Extend Domain Source screen
Creation of a Managed Server for each application that you selected
Deployment of each application to its Managed Server
An application is not active until its Managed Server is started. Before you start a Managed Server, see the rest of the configuration information in this chapter and in the configuration chapter for your application. For more information, see Section 10.2, "Starting Managed Servers."
If your Oracle WebLogic Server domain connects to a database through an SSL port, you need to back up your data source and SSL parameters and remove the SSL configuration from the data source before running Fusion Middleware Configuration Wizard to extend the domain. After you have successfully extended the domain, you can restore the SSL configuration to your data source.
To extend a domain in an SSL environment with Fusion Middleware Configuration Wizard:
1. In the Oracle WebLogic Server Administration Console, select your data source, and save a backup of all SSL parameters. Back up the URL, javax.net.ssl.trustStorePassword, javax.net.ssl.trustStore, javax.net.ssl.trustStoreType, and any other SSL parameters that have been configured for the data source.
2. Temporarily replace the SSL configuration for the data source with a non-SSL configuration. Use a non-SSL URL and remove all SSL properties. You should end with something like this configuration:
URL: jdbc:oracle:thin:@myhost.example.com:1521:db11107
Properties:
user=MAR20SSL_OCS
oracle.net.CONNECT_TIMEOUT=10000
sendStreamAsBlob=true
3. Using Fusion Middleware Configuration Wizard, extend the domain, as described in Table 4-3.
4. After successfully extending the domain, restore the SSL configuration to your data source. You should end with something like this configuration:
URL: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.example.com)(PORT=2490)))(CONNECT_DATA=(SERVICE_NAME=db11107.example.com))(SECURITY=(SSL_SERVER_CERT_DN="CN=myhost.example.com,OU=QA,O=ECM,L=RedwoodShores,ST=California,C=US")))
Properties:
javax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase
user=MAR20SSL_OCS
javax.net.ssl.trustStore=/mw_home/wlserver_10.3/server/lib/DemoTrust.jks
oracle.net.CONNECT_TIMEOUT=10000
javax.net.ssl.trustStoreType=JKS
sendStreamAsBlob=true
If during step 3 you updated your domain with a new product that creates its own data source, you may need to add SSL configuration to it as well.
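The backup, strip and restore steps above, with an audit that catches an incomplete restore, as an added example that is not part of the Oracle documentation. It assumes the data source settings have been exported to plain Python values (the page edits them in the Administration Console); the URL and property values are the page's own samples.

```python
"""Audit a WebLogic JDBC data source's SSL state around the domain extension above.
Added example, not from the Oracle documentation: it parses the Oracle Net descriptor
in the JDBC URL and cross-checks it with the javax.net.ssl.* data source properties,
so a forgotten restore, or a product-created data source that never got SSL settings,
surfaces as a finding rather than a silently plaintext database connection."""
import re

_WS = re.compile(r"\s*")
SSL_PREFIX = "javax.net.ssl."
TRUST_PROPS = ("javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType",
               "javax.net.ssl.trustStorePassword")


def parse_descriptor(text):
    """Parse (KEY=(K=v)(K=v)...) into nested dicts; repeated keys become lists."""
    def group(i):
        i = _WS.match(text, i).end()
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        eq = text.index("=", i)
        key, i = text[i + 1:eq].strip(), _WS.match(text, eq + 1).end()
        if text[i] == "(":                      # nested groups
            value = {}
            while text[i] == "(":
                k, v, i = group(i)
                old = value.get(k)              # e.g. several ADDRESS entries
                value[k] = v if old is None else (old if isinstance(old, list) else [old]) + [v]
                i = _WS.match(text, i).end()
        elif text[i] == '"':                    # quoted scalar, e.g. a DN with commas
            end = text.index('"', i + 1)
            value, i = text[i + 1:end], _WS.match(text, end + 1).end()
        else:                                   # bare scalar
            end = text.index(")", i)
            value, i = text[i:end].strip(), end
        if text[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return key, value, i + 1

    key, value, _ = group(0)
    return {key: value}


def jdbc_descriptor(url):
    """Accept both URL forms on the page: host:port:sid and a full descriptor."""
    prefix = "jdbc:oracle:thin:@"
    if not url.startswith(prefix):
        raise ValueError("not an Oracle thin JDBC URL")
    body = url[len(prefix):]
    if body.startswith("("):
        return parse_descriptor(body)["DESCRIPTION"]
    host, port, sid = body.split(":")           # the short form is always plain TCP
    return {"ADDRESS_LIST": {"ADDRESS": {"PROTOCOL": "TCP", "HOST": host, "PORT": port}},
            "CONNECT_DATA": {"SID": sid}}


def audit_datasource(url, properties):
    """Return findings; an empty list means TCPS with consistent SSL settings."""
    desc = jdbc_descriptor(url)
    addresses = desc["ADDRESS_LIST"]["ADDRESS"]
    addresses = addresses if isinstance(addresses, list) else [addresses]
    findings = []
    for addr in addresses:
        proto = addr.get("PROTOCOL", "TCP").upper()
        if proto != "TCPS":
            findings.append("plaintext %s to %s:%s" % (proto, addr.get("HOST"), addr.get("PORT")))
    ssl_props = sorted(k for k in properties if k.startswith(SSL_PREFIX))
    if any(a.get("PROTOCOL", "").upper() == "TCPS" for a in addresses):
        findings += ["TCPS URL without " + p for p in TRUST_PROPS if p not in properties]
        dn = desc.get("SECURITY", {}).get("SSL_SERVER_CERT_DN", "")
        # simple DN split; assumes no escaped commas inside attribute values
        cn = dict(p.split("=", 1) for p in dn.split(",") if "=" in p).get("CN")
        if cn is None:
            findings.append("TCPS URL without SSL_SERVER_CERT_DN (server identity not pinned)")
        elif cn not in {a.get("HOST") for a in addresses}:
            findings.append("SSL_SERVER_CERT_DN CN=%s does not match the HOST entries" % cn)
    elif ssl_props:
        findings.append("SSL properties set on a non-TCPS URL: " + ", ".join(ssl_props))
    return findings


# Sample values as printed on the page (DemoTrust.jks and its passphrase are
# Oracle's demo trust store, not production material).
SSL_URL = ('jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)'
           '(HOST=myhost.example.com)(PORT=2490)))(CONNECT_DATA='
           '(SERVICE_NAME=db11107.example.com))(SECURITY=(SSL_SERVER_CERT_DN='
           '"CN=myhost.example.com,OU=QA,O=ECM,L=RedwoodShores,ST=California,C=US")))')
PLAIN_URL = "jdbc:oracle:thin:@myhost.example.com:1521:db11107"
SSL_PROPERTIES = {
    "user": "MAR20SSL_OCS", "oracle.net.CONNECT_TIMEOUT": "10000", "sendStreamAsBlob": "true",
    "javax.net.ssl.trustStore": "/mw_home/wlserver_10.3/server/lib/DemoTrust.jks",
    "javax.net.ssl.trustStoreType": "JKS",
    "javax.net.ssl.trustStorePassword": "DemoTrustKeyStorePassPhrase",
}


def walkthrough():
    """Steps 1, 2 and 4 of the procedure above, audited after step 2 and after step 4."""
    backup = {k: v for k, v in SSL_PROPERTIES.items() if k.startswith(SSL_PREFIX)}  # step 1
    stripped = {k: v for k, v in SSL_PROPERTIES.items() if k not in backup}         # step 2
    return {"during": audit_datasource(PLAIN_URL, stripped),
            "after": audit_datasource(SSL_URL, dict(stripped, **backup))}           # step 4
```

Run the audit against every data source in the domain after step 4, including any created by the newly added product, and treat a non-empty result as a restore that is not yet complete.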
You need to increase the size of the heap allocated for the Java Virtual Machine (VM) on which each Managed Server runs to at least 1 GB (1024 MB) for the JRockit JDK or to 512 MB for the Sun JDK. If you do not increase the Java VM heap size, then Oracle support and development will not accept any escalation of runtime issues, especially out-of-memory issues.
For a Managed Server using the Sun JDK, you need to set the size of the heap allocated for the Java VM to 512 MB rather than 1 GB so that programs configured to use all available space will not fail at initialization. Address space must be reserved for the permanent generation, and the MaxPermSize setting for each Managed Server reduces the space available for the rest of the heap.
There are two common ways to adjust the runtime memory parameters for a Managed Server:
Setting Server Startup Parameters for Managed Servers with the Administration Console
This method is required if the Managed Server process will be run from Node Manager. For more information about running Managed Servers from Node Manager, see Section 10.4, "Starting Node Manager."
Setting the USER_MEM_ARGS Environment Variable for a Managed Server
This method is required if the managed server process will be run directly from the command line. For more information about running Managed Servers from the command line, see Section 10.2, "Starting Managed Servers."
You can set server startup parameters with the Oracle WebLogic Server Administration Console. This is the preferred approach for setting startup parameters because it ensures that the parameters are correctly pushed to each server, and it avoids problems that might occur during manual editing of server startup scripts. To increase the Java VM heap size, you set the value of the -Xmx parameter.
To set server startup parameters for Managed Servers with the Administration Console:
Log in to the Oracle WebLogic Server Administration Console at this URL:
http://adminServerHost:adminServerPort/console
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myhost.example.com:7001/console
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
Click Environment under Domain Structure, on the left.
Click Servers on the Summary of Environment page.
Set the memory parameters for each Managed Server:
Click the name of a Managed Server in the Servers table.
On the Configuration tab, in the second row of tabs, click Server Start.
In the Arguments box, paste a string that specifies the memory parameters.
Table 4-4 shows parameters to specify for Sun and JRockit Java VMs on UNIX and Windows operating systems. Other Java VMs may have different values.
Table 4-4 Java VM Memory Parameters
Java VM | Operating System | Parameters |
---|---|---|
Sun | UNIX | |
Sun | Windows | |
JRockit | UNIX | |
JRockit | Windows | |
Save the configuration changes.
Restart any running Managed Servers, as described in Section 10.3, "Restarting a Managed Server."
You can set server startup parameters for a Managed Server by setting the USER_MEM_ARGS environment variable in its startup script or command file. To increase the Java VM heap size, you set the value of the -Xmx parameter.
To set the USER_MEM_ARGS environment variable for a Managed Server, add the entry for your platform:
UNIX shell script (.sh) entry:
export USER_MEM_ARGS="-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m"
UNIX C shell script (.csh) entry:
setenv USER_MEM_ARGS "-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m"
Windows command file (.cmd) entry:
set USER_MEM_ARGS="-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m"
Note:
Table 4-4 shows parameters to specify for Sun and JRockit Java VMs on UNIX and Windows operating systems. Other Java VMs may have different values.
On a UNIX operating system, you need to make sure TrueType fonts are set up for Oracle I/PM, Oracle IBR, and Oracle UCM Dynamic Converter. If you are using a language other than English, you also need to set up fonts for national language support.
For Oracle I/PM, Oracle IBR, and Oracle UCM Dynamic Converter to work correctly on a UNIX operating system, you need to set up TrueType fonts on the machine where Oracle I/PM, Oracle IBR, or the Dynamic Converter is running. If these fonts are not available on your system, you need to install them. Then you can configure Oracle IBR with the path to the font directory, as follows. For information about configuring the path to the font directory for Oracle I/PM once the fonts are installed, see Section 7.1.4, "Configuring the GDFontPath MBean for a UNIX System."
Some standard font locations on different UNIX platforms follow:
Solaris SPARC: /usr/openwin/lib/X11/fonts/TrueType
Note:
For document conversions on a Solaris SPARC platform, Oracle I/PM requires the GNU Compiler Collection (GCC) package 3.4.2 or later in the /usr/local/packages directory. Install this package on the Solaris operating system that will run Oracle I/PM. You can download GCC from the Sunfreeware web site at http://www.sunfreeware.com
You also need to set the LD_LIBRARY_PATH environment variable to /usr/local/packages/gcc-3.4.2/lib before starting the Oracle I/PM Managed Server. If you are using a later version of GCC, set that version instead of 3.4.2.
AIX: /usr/lpp/X11/lib/X11/fonts/TrueType
HP-UX Itanium: /usr/lib/X11/fonts/TrueType
To set the path to the font directory in Oracle IBR:
Log in to Oracle IBR.
Select Conversion Settings, then Third-Party Application Settings, and then General OutsideIn Filter Options.
Click Options.
Enter the path to the TrueType fonts in the Path to fonts field.
For example:
/usr/share/x11/fonts/FTP
Click Update.
For languages other than English, the following installation steps need to be done on a UNIX operating system before you start a Managed Server:
Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Sun JDK installation directory for the Middleware home.
Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Oracle JRockit JDK directory for the Middleware home.
Oracle UCM, Oracle IBR, Oracle I/PM, and the Oracle I/PM Advanced Viewer for clients use Outside In Technology (OIT), which requires certain libraries that are not part of Oracle ECM. Before an Oracle UCM, Oracle IBR, or Oracle I/PM Managed Server is started, you need to install the libraries for your platform. For a UNIX platform, you also need to set an environment variable to reference the libraries in the library path for the user who will start the Managed Server.
Before you start an Oracle UCM, Oracle IBR, or Oracle I/PM Managed Server, the libraries required for your platform need to be available on your system.
Many of the required libraries are normally installed on the machine, including the C, math, X11, dynamic loader, and pthreads libraries, among others. The libgcc_s and libstdc++ libraries are part of the GNU Compiler Collection (GCC) package.
Solaris Sparc 32-bit requires GCC package 3.4.2 or later, which you can download from the Sunfreeware web site at http://www.sunfreeware.com
HPUX Itanium requires GCC package 3.3.6, which you can download from the following web site: http://hpacxx.external.hp.com/gcc
If a libgcc_s or libstdc++ library is required for your platform, install the GCC package in the /usr/local/packages/gcc-3.4.2/lib directory on a Solaris Sparc system or the /usr/local/packages/gcc-3.3.6/lib directory on an HPUX ia64 system, on the machine where Oracle I/PM or Oracle UCM will run. If you are using a later version of GCC, specify that version instead of 3.4.2 or 3.3.6.
OIT requires the following libraries for the specified UNIX platform. The libgcc_s and libstdc++ libraries are part of the GCC package.
Solaris Sparc 32-bit
/usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1 libICE.so.6 libSM.so.6 libX11.so.4 libXext.so.0 libXm.so.4 libXt.so.4 libc.so.1 libdl.so.1 libgcc_s.so.1 libgen.so.1 libm.so.1 libmp.so.2 libnsl.so.1 libpthread.so.1 libsocket.so.1 libstdc++.so.6 libthread.so.1
HPUX ia64
libCsup.so.1 libICE.so.1 libSM.so.1 libX11.so.1 libXext.so.1 libXm.so.1 libXp.so.1 libXt.so.1 libc.so.1 libdl.so.1 libgcc_s_hpux64.so.0 libm.so.1 libpthread.so.1 libstd_v2.so.1 libstdc++.so.5 libuca.so.1 libunwind.so.1
AIX 32-bit
/usr/lib/libC.a(ansi_32.o) /usr/lib/libC.a(shr.o) /usr/lib/libC.a(shr2.o) /usr/lib/libC.a(shr3.o) /usr/lib/libICE.a(shr.o) /usr/lib/libIM.a(shr.o) /usr/lib/libSM.a(shr.o) /usr/lib/libX11.a(shr4.o) /usr/lib/libXext.a(shr.o) /usr/lib/libXi.a(shr.o) /usr/lib/libXm.a(shr_32.o) /usr/lib/libXt.a(shr4.o) /usr/lib/libc.a(shr.o) /usr/lib/libcrypt.a(shr.o) /usr/lib/libgaimisc.a(shr.o) /usr/lib/libgair4.a(shr.o) /usr/lib/libi18n.a(shr.o) /usr/lib/libiconv.a(shr4.o) /usr/lib/libodm.a(shr.o) /usr/lib/libpthreads.a(shr.o) /usr/lib/libpthreads.a(shr_comm.o) /usr/lib/libpthreads.a(shr_xpg5.o) /usr/lib/libpthreads_compat.a(shr.o)
HPUX PA/RISC 32-bit
/lib/libCsup.2 /lib/libCsup_v2.2 /lib/libX11.3 /lib/libXm.4 /lib/libXt.3 /lib/libc.2 /lib/libcl.2 /lib/libm.2 /lib/libstd.2 /lib/libstd_v2.2 /lib/libstream.2 /usr/lib/libCsup.2 /usr/lib/libCsup_v2.2 /usr/lib/libX11.3 /usr/lib/libXm.4 /usr/lib/libXt.3 /usr/lib/libc.2 /usr/lib/libcl.2 /usr/lib/libdld.2 /usr/lib/libisamstub.1 /usr/lib/libm.2 /usr/lib/libstd.2 /usr/lib/libstd_v2.2 /usr/lib/libstream.2 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libICE.2 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libSM.2 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libX11.3 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXext.3 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXp.2 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXt.3
SUSE Linux
For an SUSE Linux operating system, the file /usr/lib/libstdc++.so.5
is required. You can find this file in the compat-libstdc++
or libstdc++33
package.
Before Oracle Inbound Refinery or the Oracle UCM Dynamic Converter uses Outside In Technology for document and image conversions, the following environment variables must be set for the Oracle UCM Managed Server on the specified UNIX platforms:
Environment variables for library paths for Oracle I/PM
Solaris Sparc:
LD_LIBRARY_PATH=/usr/local/packages/gcc-3.4.2/lib
If you are using a later version of GCC, specify that version instead of 3.4.2.
AIX:
LIBPATH=DomainHome/oracle/imaging/imaging-server
HP-UX Itanium:
LD_PRELOAD=/usr/lib/hpux64/libpthread.so.1
LD_LIBRARY_PATH=DomainHome/oracle/imaging/imaging-server
Environment variables for library paths for Oracle UCM with Dynamic Converter and Oracle IBR
Solaris Sparc:
LD_LIBRARY_PATH=/usr/local/packages/gcc-3.4.2/lib
If you are using a later version of GCC, specify that version instead of 3.4.2.
Add the following line to the Oracle IBR intradoc.cfg file at DomainHome/ucm/ibr/bin:
ContentAccessExtraLibDir=/usr/local/packages/gcc-3.4.2/lib
Then restart Oracle IBR, as described in Section 10.3, "Restarting a Managed Server."
HP-UX Itanium:
export LD_LIBRARY_PATH=/opt/hp-gcc/3.3.6/lib/:/opt/hp-gcc/3.3.6/lib/hpux64:$LD_LIBRARY_PATH
The Dynamic Converter on HP-UX Itanium needs the 3.3.6 version of the GCC libraries installed before the Oracle UCM server is started.
DISPLAY environment variable
On a UNIX operating system running XWindows, when redirecting the display to a system with suitable graphic capabilities, export DISPLAY to a valid X Server before starting the Oracle I/PM, the Oracle IBR Managed Server, or the Oracle UCM Dynamic Converter.
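The library lists and environment-variable settings above are easy to get wrong for the account that actually starts the Managed Server. The following pre-start check is an added example, not part of the Oracle documentation or the Oracle ECM product: it builds the variable the text prescribes for a platform and then resolves each required entry against the library path, handling the three shapes that appear in the lists (bare names, absolute paths, and AIX archive members such as /usr/lib/libC.a(shr.o)). The default search directories, the platform keys, and the sample list in the demo are assumptions made for this example.

```python
"""Pre-start check for Outside In Technology (OIT) library prerequisites.

Added example; not Oracle's code. Platform keys ("solaris", "aix",
"hpux-ia64"), DEFAULT_LIB_DIRS and the sample list at the bottom are
constructed for illustration.
"""
import os
import re
from typing import Dict, Iterable, List

# Directories the dynamic loader consults on its own (assumption for the
# example; the real default set differs per platform).
DEFAULT_LIB_DIRS = ["/lib", "/usr/lib", "/usr/lib64"]


def library_path_settings(platform: str, gcc_version: str = "3.4.2",
                          domain_home: str = "DomainHome") -> Dict[str, str]:
    """Environment variables to set before starting the Oracle I/PM Managed
    Server, as given in the text; the GCC version is substituted so a later
    GCC can be named, as the text instructs."""
    if platform == "solaris":
        return {"LD_LIBRARY_PATH": f"/usr/local/packages/gcc-{gcc_version}/lib"}
    if platform == "aix":
        return {"LIBPATH": f"{domain_home}/oracle/imaging/imaging-server"}
    if platform == "hpux-ia64":
        return {"LD_PRELOAD": "/usr/lib/hpux64/libpthread.so.1",
                "LD_LIBRARY_PATH": f"{domain_home}/oracle/imaging/imaging-server"}
    raise ValueError(f"unknown platform {platform!r}")


# AIX entries name a member inside an archive: /usr/lib/libC.a(shr.o)
_AIX_MEMBER = re.compile(r"^(?P<archive>.+\.a)\((?P<member>[^)]+)\)$")


def split_search_path(value: str) -> List[str]:
    """Split a colon-separated library path, dropping empty components."""
    return [p for p in value.split(":") if p]


def resolve_library(entry: str, search_dirs: Iterable[str]) -> str:
    """Return the path at which `entry` is found, or '' if it is missing.

    - AIX archive members: the archive file must exist (members are not
      inspected here).
    - Absolute paths (HP-UX lists): checked as given.
    - Bare names (Solaris, HP-UX ia64 lists): searched in search_dirs.
    """
    m = _AIX_MEMBER.match(entry)
    if m:
        archive = m.group("archive")
        return archive if os.path.isfile(archive) else ""
    if os.path.isabs(entry):
        return entry if os.path.isfile(entry) else ""
    for d in search_dirs:
        candidate = os.path.join(d, entry)
        if os.path.isfile(candidate):
            return candidate
    return ""


def find_missing_libraries(required: Iterable[str], library_path: str = "",
                           extra_dirs: Iterable[str] = DEFAULT_LIB_DIRS) -> List[str]:
    """Return the required entries that cannot be resolved on this machine.
    `library_path` is the value of LD_LIBRARY_PATH / LIBPATH the server's
    user will have; its directories are searched before `extra_dirs`."""
    search_dirs = split_search_path(library_path) + list(extra_dirs)
    return [e for e in required if not resolve_library(e, search_dirs)]


if __name__ == "__main__":
    # Demo with the SUSE requirement from the text and the Solaris GCC path.
    env = library_path_settings("solaris", gcc_version="3.4.2")
    sample = ["/usr/lib/libstdc++.so.5", "libgcc_s.so.1", "libstdc++.so.6"]
    for name in find_missing_libraries(sample, env["LD_LIBRARY_PATH"]):
        print(f"missing: {name}")
```

Run it as the user who will start the Managed Server, with that user's environment, since the point of the check is the search path that user will actually have.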
OutsideIn Technology requires the Visual C++ libraries included in the Visual C++ Redistributable Package for a Windows operating system. Three versions of this package (x86, x64, and IA64) are available from the Microsoft Download Center at http://www.microsoft.com/downloads
Search for and download the version of the package that corresponds to the version of your Windows operating system:
vcredist_x86.exe
vcredist_x64.exe
vcredist_IA64.exe
The required version of each of these downloads is the Microsoft Visual C++ 2005 SP1 Redistributable Package. The redistributable module that Outside In requires is msvcr80.dll.
The WinNativeConverter has some vb.Net code, so it also requires Microsoft .NET Framework 3.5 Service Pack 1.
You can configure SSL for Oracle ECM applications running in a production environment or development environment.
Note:
If SSL is enabled, before you use WLST to connect to the Administration Server, you must either append the following parameters to the JVM_ARGS section of the wlst.sh file or set them in the CONFIG_JVM_ARGS environment variable:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.TrustKeyStore=KeyStoreName
KeyStoreName is the name of the keystore in use (DemoTrust for the built-in demonstration certificate). The wlst.sh file is in the bin subdirectory of the common directory in the ECM Oracle home directory.
Oracle IRM requires SSL to be enabled on the front-end application, whether it is Oracle HTTP Server (OHS) or a Managed Server running Oracle IRM as an application deployed to Oracle WebLogic Server. Communication between Oracle IRM Desktop and the Oracle IRM server application must be over SSL because sensitive information such as passwords are communicated.
Other uses of SSL, such as between OHS and Managed Servers, the Administration Server, and the LDAP authentication provider are optional.
For information about configuring SSL for a production environment, see "SSL Configuration in Oracle Fusion Middleware" in Oracle Fusion Middleware Administrator's Guide.
For a development environment, you can also configure one-way SSL with a server-specific certificate. One-way SSL means that only the server certificate passes from the server to the client but not the other way around. After you configure one-way SSL for a development environment on the server, you have to configure every client to accept the server certificate.
For a development environment, you might want to configure SSL, but it is not required. The application will work correctly without SSL configuration, but if you are using basic authentication or form-based authentication, credentials will be transferred from the client to the server unencrypted.
You can configure one-way SSL with a server certificate for the Managed Server so that the client application can be configured to trust the certificate.
In the following procedure, the keystore commands relate only to SSL and not to Oracle IRM encryption keys.
To configure one-way SSL for a development environment:
Run the setWLSEnv script to set the environment:
UNIX script: MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh
Windows script: MW_HOME\wlserver_10.3\server\bin\setWLSEnv.cmd
For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME/wlserver_10.3/server/lib or MW_HOME\wlserver_10.3\server\lib directory.
Use the CertGen utility to create a server-specific private key and certificate, as follows (in a single command line):
java utils.CertGen -selfsigned -certfile MyOwnSelfCA.cer -keyfile MyOwnSelfKey.key -keyfilepass mykeypass -cn "hostname" -keyusagecritical false -keyusage digitalSignature,keyEncipherment,keyCertSign
The last two parameters (-keyusagecritical and -keyusage) are not needed for pure certificate use, but are needed if the certificate is also to be used for Java applications using Oracle Web Services over SSL.
For mykeypass, substitute a password for the key, and for hostname, substitute the name of the machine where Oracle IRM is deployed. You should use the same name while accessing Oracle Web Services. For example, to generate the server certificate for a machine named myhost.us.example.com, the command would be as follows (in a single command line):
java utils.CertGen -selfsigned -certfile MyOwnSelfCA.cer -keyfile MyOwnSelfKey.key -keyfilepass mykeypass -cn "myhost.us.example.com" -keyusagecritical false -keyusage digitalSignature,keyEncipherment,keyCertSign
This command will generate a server certificate for the machine myhost.us.example.com.
The parameter -cn "machine-name" must be set to the fully qualified domain name of the Oracle IRM server, which is the name that Oracle IRM will use to connect to the machine. Verify that the certificate has been issued to the machine name you specified.
CertGen creates a unique and secret Private Key for Oracle IRM and a Self-Signed Root Certificate.
Run the ImportPrivateKey utility to package the Private Key and Self-Signed Root Certificate into a key store, as follows (in a single command line):
java utils.ImportPrivateKey -keystore MyOwnIdentityStore.jks -storepass identitypass -keypass keypassword -alias trustself -certfile MyOwnSelfCA.cer.pem -keyfile MyOwnSelfKey.key.pem -keyfilepass mykeypass
Substitute an identity store password for identitypass, a key password for keypassword, and a key-file password for mykeypass.
Run the keytool utility to package the key and certificate into a separate key store named Trust Keystore.
In the following keytool commands (each a single command line), JAVA_HOME represents the location of the JDK. For information about the JAVA_HOME environment variable, see Section 3.1.2, "Installing Oracle WebLogic Server in a Middleware Home."
UNIX operating system:
JAVA_HOME/bin/keytool -import -trustcacerts -alias trustself -keystore TrustMyOwnSelf.jks -file MyOwnSelfCA.cer.der -keyalg RSA
Windows operating system:
JAVA_HOME\bin\keytool -import -trustcacerts -alias trustself -keystore TrustMyOwnSelf.jks -file MyOwnSelfCA.cer.der -keyalg RSA
Click Next
On a Windows operating system, follow the instructions on the wizard screens.
Set Up a Custom Identity Keystore and Trust Store:
Log in to the Oracle WebLogic Server Administration Console, at this URL:
http://adminServerHost:adminServerPort/console
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myHost.example.com:7001/console
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
Select Environment under your domain from Domain Structure.
Select Servers from Environment.
From Summary of Servers, select the server for which to enable SSL.
Click the Keystores tab on the Settings for servername page.
In the Keystores field, select Custom Identity and Custom Trust.
If the server is in production mode, you need to click the Lock & Edit button before you can make changes.
Enter values in the following fields on the Keystores tab:
Custom Identity Keystore
Custom Identity Keystore Type
Custom Identity Keystore Passphrase
Confirm Custom Identity Keystore Passphrase
Custom Trust Keystore
Custom Trust Keystore Type
Custom Trust Keystore Passphrase
Confirm Custom Trust Keystore Passphrase
Save the changes.
Click the SSL tab.
In the Identity and Trust Locations field, select Keystores.
Enter values in the other fields on the SSL tab:
Private key alias
Private key passphrase
Confirm Private key passphrase
Save the changes.
If the server is running in development mode, then the changes need to be activated.
After you create a server certificate to configure one-way SSL, you must install it on every machine running the client application. Then you can import the certificate into the client application so that it will trust the certificate and not show prompts when it connects to the Managed Server.
To configure clients to accept the server certificate:
On the client machine, double-click the certificate file to open the Certificate window, and then click Install Certificate to start the Certificate Import Wizard.
For a Windows operating system, the certificate file needs to be copied to the client machine that accesses this server through a browser.
For a UNIX operating system that is accessing a web site over SSL rather than using the client application on the machine, follow the procedure required for your operating system to trust the certificate.
In the Certificate Import Wizard, explicitly select a certificate store for Trusted Root Certification Authorities. The root certificate must be trusted on all client computers that will access the server.
On a Windows operating system, install the certificate under Trusted Root Certification Authorities in Internet Explorer.
In a production system, Oracle Enterprise Content Management Suite applications need to use an external Lightweight Directory Application Protocol (LDAP) authentication provider rather than the Oracle WebLogic Server embedded LDAP server, which is part of the default configuration. You need to reassociate the identity store for your application with one of the following external LDAP authentication providers before you complete the configuration of a Managed Server, before you connect a Managed Server to a repository, and before the first user logs in to the application:
For an Oracle I/PM application, the user who logs in first to an Oracle I/PM Managed Server is provisioned with full security throughout the server. It is easier to reassociate the identity store for Oracle I/PM with an external LDAP authentication provider before the first user logs in, completes the configuration of the Oracle I/PM Managed Server, and connects it to the Oracle Universal Content Management (Oracle UCM) repository.
For an Oracle IRM application, the Oracle IRM domain, which is different from the Oracle WebLogic Server domain, gets created the first time a user logs in to the Oracle IRM Management Console. The first user who logs in to the console is made the Domain Administrator for the Oracle IRM instance. Before you migrate user data for Oracle IRM, the users need to be in the target LDAP identity store. If you do not reassociate the identity store with an external LDAP authentication provider before the first user logs in to the Oracle IRM console, the general process for reassociating Oracle IRM users and migrating data follows:
Back up existing data with the setIRMExportFolder script.
Reassociate the identity store with an external LDAP directory.
Verify that all users and groups exist in target LDAP identity store.
Migrate data with the setIRMImportFolder script.
You can reassociate the identity store for an Oracle WebLogic Server domain with Oracle Internet Directory and migrate users from the embedded LDAP directory to Oracle Internet Directory. The following procedure describes how to reassociate the identity store with Oracle Internet Directory.
You can use a similar procedure to reassociate the identity store with other LDAP authentication providers. Each provider has a specific authenticator type, and only that type should be configured. Table 4-5 lists the available authenticator types.
Table 4-5 LDAP Authenticator Types

| LDAP Authentication Provider | Authenticator Type |
|---|---|
| Microsoft AD | ActiveDirectoryAuthenticator |
| SunOne LDAP | IPlanetAuthenticator |
| Directory Server Enterprise Edition (DSEE) | IPlanetAuthenticator |
| Oracle Internet Directory | OracleInternetDirectoryAuthenticator |
| Oracle Virtual Directory | OracleVirtualDirectoryAuthenticator |
| EDIRECTORY | NovellAuthenticator |
| OpenLDAP | OpenLDAPAuthenticator |
| EmbeddedLDAP | DefaultAuthenticator |
To reassociate the identity store with Oracle Internet Directory:
Ensure that there is no user in Oracle Internet Directory with the same name as the administrator of the Oracle WebLogic Server domain, which is weblogic by default.
Set both embedded and external LDAP providers to SUFFICIENT.
For Oracle IRM, log in to the management console as a user from Oracle Internet Directory, to be the Oracle IRM domain administrator.
Do not log in to the management console with the user name of the Oracle WebLogic Server domain administrator. The Oracle recommendation is to not use the weblogic user account as the Oracle IRM administration user account. If you use a different account for the Oracle IRM domain administrator, you can use the Oracle WebLogic Server domain administrator, weblogic by default, to start and stop Oracle WebLogic Server as well as to alter server settings. If you have a problem with Oracle Internet Directory, you will not need to fix it before you can do maintenance on Oracle WebLogic Server.
For an Oracle IRM Managed Server, if a user has already logged into the Oracle IRM Management Console, you need to run the WebLogic Scripting Tool (WLST) setIRMExportFolder command before identity store reassociation.
Use this command to set an export folder for exporting the user and group details referenced by Oracle IRM. Oracle IRM uses the export folder path to decide where to write out the user and group details, so the Managed Server must have write access to the folder path. The export folder must exist before you run the setIRMExportFolder command.
The following example sets /scratch/irm-data as the export folder:
cd ECM_ORACLE_HOME/common/bin
./wlst.sh
> connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
> setIRMExportFolder('/scratch/irm-data')
In the example, adminServerHost is the host name and adminServerPort is the port number for the Administration Server of the Oracle WebLogic Server domain.
Note:
If SSL is enabled, before you use WLST to connect to the Administration Server, you must either append the following parameters to the JVM_ARGS section of the wlst.sh file or set them in the CONFIG_JVM_ARGS environment variable:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.TrustKeyStore=KeyStoreName
KeyStoreName is the name of the keystore in use (DemoTrust for the built-in demonstration certificate). The wlst.sh file is in the bin subdirectory of the common directory in the ECM Oracle home directory.
After the Oracle IRM Managed Server picks up this configuration change, normally right away, it will write out a series of XML documents in the export folder. This process is complete when a folder named accounts appears under the export folder. The accounts folder will contain one or more folders named batchXXX, with each batch folder containing a set of XML documents that include the user and group details. For example:
/scratch
  /irm-data
    /accounts
      /batch1
        user1.xml
        user2.xml
        group1.xml
The batch folders are used to ensure that the operating system limit of the maximum number of files in a folder is not exceeded.
After this process is complete, reset the export folder:
setIRMExportFolder('')
This reset ensures that Oracle IRM does not perform any further data exporting when the Managed Server restarts.
Configure the Oracle Internet Directory authentication provider:
Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 10.1, "Starting the Administration Server."
Log in to the Oracle WebLogic Server Administration Console as the domain Administration user, at this URL:
http://adminServerHost:adminServerPort/console
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myHost.example.com:7001/console
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
Under Domain Structure on the left, select Security Realms.
In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.
Click the Providers tab, and then click New under the Authentication Providers table on the Authentication tab.
In the Create a new Authentication Provider dialog box, enter a provider name in the Name field, change the type to OracleInternetDirectoryAuthenticator, and then click OK.
For a list of authenticator types for different LDAP Authentication Providers, see Table 4-5.
In the Authentication Providers table, click Reorder, move the provider you just created to the top of the list, and then click OK.
Click DefaultAuthenticator, change the Control Flag value to OPTIONAL, and then click Save.
Go back to the Providers tab.
Click the name of the authentication provider you just created to navigate to the Configuration tab for the provider.
The Configuration tab has two tabs, Common and Provider Specific. On the Common tab, change the Control Flag value to SUFFICIENT, and then click Save.
SUFFICIENT means that if a user can be authenticated against Oracle Internet Directory, no further authentication is processed.
REQUIRED means that the authentication provider must succeed even if another provider already authenticated the user. If the embedded LDAP has been set to OPTIONAL and Oracle Internet Directory has been set to REQUIRED, the embedded LDAP user is no longer valid.
Click the Provider Specific tab.
Set Provider Specific values in the following fields, and leave default values in the other fields:
Host: The host name or IP address of the LDAP server.
Port: The Oracle Internet Directory Port, 389 by default.
Principal: The Distinguished Name (DN) of the LDAP user that Oracle WebLogic Server should use to connect to the LDAP server; for example:
cn=orcladmin
Credential: The credential used to connect to the LDAP server (usually a password).
Confirm Credential: The same value as for the Credential field.
User Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains users; for example:
cn=users,dc=example,dc=com
In Oracle Internet Directory, this is the value of the User Search Base attribute, which you can look up in the OIDDAS administration dialog.
Note:
Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by the application.
Use Retrieved User Name as Principal: Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal value. Select this attribute for Oracle IRM.
Group Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains groups; for example:
cn=groups,dc=example,dc=com
In Oracle Internet Directory, this is the value of the Group Search Base attribute, which you can look up in the OIDDAS administration dialog.
Note:
Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by the application.
Propagate Cause For Login Exception: Propagates exceptions thrown by Oracle Internet Directory, like password expired exceptions, to Oracle WebLogic Server so they show in the console and the logs. For Oracle IRM, select this attribute in the General area of the tab.
Click Save.
Shut down the Administration Server, and then restart it to activate the changes.
Note:
Authentication providers in an Oracle WebLogic Server domain are chained. This means that user authentication needs to run successfully through all authentication providers. With the Control Flag value set to OPTIONAL for the default provider, it is allowed to fail without a server startup or user authentication failure.
After the server is up again, log in to the Administration Console again, and click Security Realms under Domain Structure.
In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.
Click the Providers tab, then click the Users and Groups tab to see a list of users contained in the configured authentication providers, on the Users tab, and then click the Groups tab to see a list of groups.
You should see user names from the Oracle Internet Directory configuration, which implicitly verifies that the configuration is working.
Check that you have switched the security provider successfully, with either or both of these basic tests:
After the creation of the new security provider is complete, verify that all the users in that security provider are listed in that same user-group presentation as the list from Step 3.
Access the Managed Server URL, and log in as any of the Oracle Internet Directory users.
For information about accessing a Managed Server, see Section 10.2, "Starting Managed Servers."
If the Oracle Internet Directory instance is configured successfully, change the Control Flag value to SUFFICIENT, and then click Save.
SUFFICIENT means that if a user can be authenticated against Oracle Internet Directory, no further authentication is processed.
REQUIRED means that the authentication provider must succeed even if another provider already authenticated the user. If the embedded LDAP has been set to OPTIONAL and Oracle Internet Directory has been set to REQUIRED, the embedded LDAP user is no longer valid.
Restart the Administration Server and the Managed Server, as described in Section 10.3, "Restarting a Managed Server."
For an Oracle IRM Managed Server, if a user has already logged into the Oracle IRM Management Console, you need to run the setIRMImportFolder WLST command after identity store reassociation. Use this command to set the import folder to point to the export folder that was set before identity store reassociation.
Note:
You should take a backup of the export folder before performing the import process because the import process deletes the contents of the folder during successful processing of the user and group details. This operation should be performed with only one Managed Server running a deployed Oracle IRM application, to ensure that only one Managed Server performs the user and group processing. After the import process is complete, all Managed Servers running the Oracle IRM application can be started.
The following example sets /scratch/irm-data as the import folder:
cd ECM_ORACLE_HOME/common/bin
./wlst.sh
> connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
> setIRMImportFolder('/scratch/irm-data')
After the Oracle IRM Managed Server picks up this configuration change, it will read the contents of the folder and update the global user ID (GUID) values in the Oracle IRM system to reflect the values in the new identity store. When a user or group has been processed, the import process deletes the corresponding XML file. After the import process is complete, the import folder will be empty:
/scratch
  /irm-data
If an error occurs during the processing of a user or group, the import process writes the error to a file that matches the user or group name. For example, if the user details in user1.xml cause an error during processing, the import process writes the error details to the file user1.xml.fail:
/scratch
  /irm-data
    /accounts
      /batch1
        user1.xml
        user1.xml.fail
If you can fix the error, then rerun the setIRMImportFolder WLST command to rerun the import process. For example, if user or group processing fails because the user or group does not exist in the new identity store, adding the user or group to Oracle Internet Directory will fix the error, and you can rerun the import process:
> connect('weblogic', 'password', 'adminServerHost:adminServerPort')
> setIRMImportFolder('/scratch/irm-data')
After this process is complete, reset the import folder:
setIRMImportFolder('')
This reset ensures that Oracle IRM does not perform any further data importing when the Managed Server restarts.
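Because the import process deletes each XML file it has processed and leaves a .fail file beside any it could not, the state of the folder tells you whether the migration has finished and which accounts still need attention. The following status report is an added example, not part of the Oracle documentation or the Oracle IRM product; it walks the layout described above (an accounts folder holding batchXXX folders of user and group XML documents) and lists pending and failed entries. The sample tree is constructed in a temporary directory for the example, and the error text it writes is made up.

```python
"""Status report for an Oracle IRM export/import folder.

Added example; not Oracle's code. Only the file layout from the text is
relied on: <folder>/accounts/batchNNN/<name>.xml, with <name>.xml.fail
written beside an entry that failed during import.
"""
import os
import tempfile
from typing import Dict


def folder_status(export_folder: str) -> Dict[str, object]:
    """Summarise an export/import folder.

    export_started  - the accounts folder exists (export has begun/finished)
    batches         - number of batchNNN folders found
    pending         - XML documents not yet consumed by the import
    failed          - {batch/name.xml: error text} for entries with a .fail file
    import_complete - export started, nothing pending and nothing failed
    """
    accounts = os.path.join(export_folder, "accounts")
    status: Dict[str, object] = {
        "export_started": os.path.isdir(accounts),
        "batches": 0,
        "pending": [],
        "failed": {},
        "import_complete": False,
    }
    if not status["export_started"]:
        return status
    for batch in sorted(os.listdir(accounts)):
        batch_dir = os.path.join(accounts, batch)
        if not (batch.startswith("batch") and os.path.isdir(batch_dir)):
            continue
        status["batches"] += 1
        for name in sorted(os.listdir(batch_dir)):
            path = os.path.join(batch_dir, name)
            if name.endswith(".xml.fail"):
                # Keep the failure text so the operator can see why the
                # user or group was rejected before rerunning the import.
                with open(path, encoding="utf-8", errors="replace") as fh:
                    status["failed"][f"{batch}/{name[:-5]}"] = fh.read().strip()
            elif name.endswith(".xml"):
                status["pending"].append(f"{batch}/{name}")
    status["import_complete"] = not status["pending"] and not status["failed"]
    return status


def build_sample_tree() -> str:
    """Construct the example tree from the text: one batch in which user1
    failed to import (constructed sample data, not a real export)."""
    root = tempfile.mkdtemp(prefix="irm-data-")
    batch = os.path.join(root, "accounts", "batch1")
    os.makedirs(batch)
    for fname in ("user1.xml", "user2.xml", "group1.xml"):
        open(os.path.join(batch, fname), "w").close()
    with open(os.path.join(batch, "user1.xml.fail"), "w") as fh:
        fh.write("constructed sample error: user not found in target identity store\n")
    return root


if __name__ == "__main__":
    report = folder_status(build_sample_tree())
    print("import complete:", report["import_complete"])
    for entry, reason in report["failed"].items():
        print("failed:", entry, "-", reason)
    for entry in report["pending"]:
        print("pending:", entry)
```

Point `folder_status` at the real folder given to setIRMImportFolder (for example /scratch/irm-data) on the machine running the single Oracle IRM Managed Server that performs the import; a non-empty `failed` map is the cue to add the missing users or groups to the target directory and rerun setIRMImportFolder, as the text describes.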
Note:
When reassociating an LDAP identity store, the Oracle IRM process for exporting user and group information has an issue if user and group names are identical. If a user and group have identical names, the export process will lose either the user or the group details during the export step. This is because the user or group name is used as the file name, so one file overwrites the other. A postreassociation workaround is to check user and group right assignments, and to manually reassign any that are missing.
After the reassociation of the identity store, users in Oracle Internet Directory have the same rights that their namesakes had in the Oracle WebLogic Server embedded LDAP server before the migration of user data. For example, if a user existed in the embedded LDAP server before the migration with the user name weblogic and an Oracle IRM role of Domain Administrator, then, after migration, the user in Oracle Internet Directory with the user name weblogic would have the Oracle IRM role of Domain Administrator.
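Three conditions in this section can be checked before anything is exported rather than discovered afterwards: the target directory must not contain a user with the WebLogic domain administrator's name (step 1 of the reassociation procedure), every user and group referenced from the embedded LDAP server must already exist in the target (the "verify that all users and groups exist" step), and no user may share a name with a group, since the export writes one file per name and one overwrites the other (the note above). The following pre-check is an added example, not part of the Oracle documentation or the Oracle IRM product. It reads an LDIF export of the target Oracle Internet Directory under the example base DNs used in this section; the LDIF content and the embedded-LDAP name lists are constructed sample data, and the minimal LDIF reader is an assumption of the example (it does not handle base64-encoded values).

```python
"""Pre-reassociation check of the target LDAP identity store.

Added example; not Oracle's code. The LDIF below is constructed sample data
under the User Base DN and Group Base DN used as examples in this section.
"""
from typing import Dict, Iterable, List, Set

USER_BASE_DN = "cn=users,dc=example,dc=com"
GROUP_BASE_DN = "cn=groups,dc=example,dc=com"

# Constructed LDIF export of the target Oracle Internet Directory.
# Note the deliberate problems: a "weblogic" user exists, and "alice" is
# both a user and a group.
TARGET_LDIF = """\
dn: cn=alice,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: alice
sn: Example

dn: cn=weblogic,cn=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: weblogic
sn: Admin

dn: cn=Finance,cn=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Finance

dn: cn=alice,cn=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: alice
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader (assumption of this example): blank-line separated
    entries of 'attr: value' lines, leading-space continuation lines folded,
    '#' comments skipped. Base64 ('::') values are not decoded."""
    folded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        else:
            folded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in folded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def names_under(entries: Iterable[Dict[str, List[str]]], base_dn: str) -> Set[str]:
    """Lower-cased cn values of entries located under base_dn. LDAP name
    matching is case-insensitive, so everything is compared in lower case."""
    base = base_dn.lower()
    found: Set[str] = set()
    for e in entries:
        dn = e.get("dn", [""])[0].lower()
        if dn.endswith("," + base):
            found.update(v.lower() for v in e.get("cn", []))
    return found


def precheck(target_ldif: str, embedded_users: Iterable[str],
             embedded_groups: Iterable[str],
             wls_admin: str = "weblogic") -> Dict[str, List[str]]:
    """Report conditions that should be resolved before reassociation.
    Names in the report are lower-cased."""
    entries = parse_ldif(target_ldif)
    t_users = names_under(entries, USER_BASE_DN)
    t_groups = names_under(entries, GROUP_BASE_DN)
    e_users = {u.lower() for u in embedded_users}
    e_groups = {g.lower() for g in embedded_groups}
    return {
        # step 1: the WebLogic domain administrator must not exist in the target
        "admin_name_in_target": [wls_admin] if wls_admin.lower() in t_users else [],
        # every referenced user/group must exist in the target before import
        "missing_users": sorted(e_users - t_users),
        "missing_groups": sorted(e_groups - t_groups),
        # identical user and group names collide on the export file name
        "user_group_name_clash": sorted((e_users & e_groups) | (t_users & t_groups)),
    }


if __name__ == "__main__":
    # Embedded-LDAP users and groups referenced by Oracle IRM (constructed).
    for key, names in precheck(TARGET_LDIF, ["alice", "bob"], ["Finance", "HR"]).items():
        print(f"{key}: {names or 'ok'}")
```

The user and group lists would in practice come from the embedded LDAP server's Users and Groups tabs in the Administration Console, and the LDIF from an export of the target directory; only an empty report means the export and import steps can proceed without the manual right-assignment workaround the note describes.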
If you change the LDAP providers, the global user IDs (GUIDs) in the Oracle I/PM security tables will be invalid. Oracle I/PM caches the GUIDs from an external LDAP provider in its local security tables and uses these IDs for authentication. You can refresh the GUID values in the Oracle I/PM security tables with WLST commands or with Fusion Middleware Control.
Only users and groups that exist in both LDAP providers will have GUIDs refreshed. Oracle I/PM permissions assigned to users and groups from the previous LDAP will be refreshed to the users and groups that match in the new LDAP. If users and/or groups do not match any users and/or groups in the new LDAP provider, refreshIPMSecurity will ignore them.
Note:
During the refresh, users or groups for whom matching identifying information is not found are ignored. As security changes are made, invalid users or groups are removed from the Oracle I/PM database.
If you want to refresh GUID values from a command line, you can use Oracle WebLogic Scripting Tool (WLST).
To refresh GUID values in Oracle I/PM security tables with WLST:
Log in to Oracle WebLogic Server Administration Server.
Navigate to the Oracle ECM home directory: MW_HOME/ECM_ORACLE_HOME.
Invoke WLST:
cd common/bin
./wlst.sh
At the WLST command prompt, enter these commands:
wls:/offline> connect()
Please enter your username :weblogic
Please enter your password : XXXXXXXXXXXXX
Please enter your server URL [t3://localhost:7001] :t3://host_name:16000
Connecting to t3://host_name:16000 with userid weblogic ...
Successfully connected to Managed Server 'IPM_server1' that belongs to domain 'domainName'.
Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.
wls:/domainName/serverConfig> listIPMConfig()
<This is just to check that the connection is to the right IPM server>
wls:/domainName/serverConfig> refreshIPMSecurity()
<This is the command that will refresh the GUIDs in the Security tables.>
wls:/domainName/serverConfig> exit()
Log in to Oracle I/PM to verify user and group security.
If you want to refresh GUID values through an MBean, you can use the System MBean Browser in Fusion Middleware Control.
To refresh GUID values in Oracle I/PM security tables with Fusion Middleware Control:
Log in to Fusion Middleware Control.
In the navigation tree on the left, expand WebLogic Domain, then the Oracle ECM domain folder, then IPM_Cluster, and then the name of the Oracle I/PM server, such as IPM_server1.
On the right, click the WebLogic Server drop-down menu, and choose System MBean Browser.
In the System MBean Browser navigation tree, expand Application Defined MBeans, then oracle.imaging, then Server: IPM_server1, and then cmd, and click cmd.
Click refreshIPMSecurity on the right.
Press the Invoke button.
Log in to Oracle I/PM to verify user and group security.
You can add users to Oracle Internet Directory with Oracle Directory Services Manager, which is part of Oracle Identity Management. To add an entry to the directory with Oracle Directory Services Manager, you must have write access to the parent entry, and you must know the Distinguished Name (DN) to use for the new entry.
Note:
When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry. For information about adding a group entry, see "Managing Dynamic and Static Groups" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. For more information about entries, see "Managing Directory Entries" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
To add users to Oracle Internet Directory:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server.
From the task selection bar, select Data Browser.
On the toolbar, select the Create a new entry icon. Alternatively, right-click any entry and choose Create.
The Create New Entry wizard starts.
Specify the object classes for the new entry.
To select object class entries, click the Add icon and use the Add Object Class dialog box. Optionally, use the search box to filter the list of object classes. To add the object class, select it, and then click OK. (All the superclasses from this object class through top are also added.)
Note:
You must assign user entries to the inetOrgPerson object class for the entries to appear in the Oracle Internet Directory Self-Service Console in Oracle Delegated Administration Services.
In the Parent of the entry field, you can specify the full DN of the parent entry for the entry you are creating. You can also click Browse to locate and select the DN of the parent for the entry you want to add. If you leave the Parent of the entry field blank, the entry is created under the root entry.
Click Next.
Choose an attribute that will be the Relative Distinguished Name (RDN) value for this entry and enter a value for that attribute.
You must enter values for attributes that are required for the object class you are using, even if none of them is the RDN value. For example, for object class inetOrgPerson, attributes cn (common name) and sn (surname or last name) are required, even if neither of them is the RDN value.
Click Next.
The wizard displays the next page. (Alternatively, you can click Back to return to the previous page.)
Click Finish.
To manage optional attributes, navigate to the entry you have just created in the Data Tree.
If the entry is a person, click the Person tab and use it to manage basic user attributes.
Click Apply to save your changes or Revert to discard them.
If the entry is a group, see "Managing Dynamic and Static Groups" in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for instructions.
If this is a person entry, you can upload a photograph.
To upload a photograph, click Browse, navigate to the photograph, then click Open.
To update the photograph, click Update and follow the same procedure.
To delete the photograph, click the Delete icon.
Click Apply to save your changes or Revert to discard them.
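The same entry can be prepared outside the wizard as LDIF, which is useful when users are added in bulk. Because the directory server does not check attribute syntax (see the note above), the client has to do the checks itself: the object class chain must reach top, the attributes the class makes mandatory (cn and sn for inetOrgPerson) must be present, and the RDN value must be escaped so a comma or plus sign in a name cannot alter the DN. The following added example (not Oracle code) does that; the parent DN cn=Users,dc=example,dc=com and the user values are constructed sample data, and the schema facts come from RFC 4519 and RFC 2798.

```python
"""Compose and sanity-check an LDIF entry for a new Oracle Internet Directory
user before it is added.

Added example; not Oracle code. Because the directory server does not check
attribute syntax when an entry is added, the required-attribute, object class
chain, DN escaping and LDIF encoding checks below are done client side.
Schema facts are from the standard LDAP schema (RFC 4519, RFC 2798); the
parent DN and user values are constructed sample data.
"""
import base64

# Superclass of each class, up to top (standard schema).
SUPERCLASS = {
    "inetOrgPerson": "organizationalPerson",
    "organizationalPerson": "person",
    "person": "top",
}

# Attributes each class makes mandatory (MUST) in the standard schema.
MUST = {
    "top": {"objectClass"},
    "person": {"cn", "sn"},
}


def object_class_chain(leaf):
    """Return leaf and all its superclasses, e.g. inetOrgPerson ... top."""
    chain = [leaf]
    while chain[-1] in SUPERCLASS:
        chain.append(SUPERCLASS[chain[-1]])
    return chain


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_user_entry(parent_dn, rdn_attr, attrs):
    """Build an inetOrgPerson entry whose DN is <rdn_attr>=<value>,<parent_dn>."""
    if rdn_attr not in attrs:
        raise ValueError("RDN attribute %s has no value" % rdn_attr)
    entry = {"objectClass": object_class_chain("inetOrgPerson")}
    for name, value in attrs.items():
        entry[name] = [value] if isinstance(value, str) else list(value)
    rdn = "%s=%s" % (rdn_attr, escape_rdn_value(entry[rdn_attr][0]))
    entry["dn"] = "%s,%s" % (rdn, parent_dn) if parent_dn else rdn
    return entry


def validate_entry(entry):
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    present = {name.lower() for name, vals in entry.items() if name != "dn" and vals}
    classes = entry.get("objectClass", [])
    if "top" not in classes:
        problems.append("object class chain does not reach top")
    for cls in classes:
        for attr in MUST.get(cls, ()):
            if attr.lower() not in present:
                problems.append("%s requires attribute %s" % (cls, attr))
    for name, vals in entry.items():
        if name == "dn":
            continue
        for v in vals:
            if "\r" in v or "\n" in v:
                problems.append("%s: value contains a line break (LDIF injection)" % name)
    return problems


def _ldif_line(name, value):
    """Encode one attribute as LDIF; base64 when the value is not a SAFE-STRING (RFC 2849)."""
    safe = value[:1] not in (" ", ":", "<") and all(0x20 <= ord(c) < 0x7F for c in value)
    if safe:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def to_ldif(entry):
    """Serialise the entry as an LDIF record, dn line first."""
    lines = [_ldif_line("dn", entry["dn"])]
    for name, vals in entry.items():
        if name != "dn":
            lines.extend(_ldif_line(name, v) for v in vals)
    return "\n".join(lines) + "\n"


PARENT_DN = "cn=Users,dc=example,dc=com"  # assumed parent entry
SAMPLE_USER = {  # constructed sample values
    "cn": "Jane Smith",
    "sn": "Smith",
    "givenName": "Jane",
    "uid": "jsmith",
    "mail": "jsmith@example.com",
}

if __name__ == "__main__":
    entry = build_user_entry(PARENT_DN, "cn", SAMPLE_USER)
    print(validate_entry(entry) or "entry OK")
    print(to_ldif(entry))
```

The resulting record can be loaded with any LDIF-capable client; the point of the escaping and SAFE-STRING handling is that a value such as "Smith, Jane" or a name with non-ASCII characters is carried intact instead of becoming an extra RDN or a malformed line.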
For languages other than English, do the following on a UNIX operating system before you start a Managed Server:
Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the jre/lib/fonts directory of the Sun JDK installation in the Middleware home.
Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the jre/lib/fonts directory of the Oracle JRockit JDK installation in the Middleware home.
You can configure one of these single sign-on (SSO) solutions for an Oracle Enterprise Content Management Suite product:
Oracle Access Manager 11g SSO
Oracle Access Manager 10g SSO
Oracle Single Sign-On (OSSO)
Windows Native Authentication (WNA)
Table 4-6 shows which SSO solutions you can use with which Oracle ECM applications. The sections that follow provide references to information about using SSO with these applications.
Table 4-6 Single Sign-On Solutions for Oracle ECM Applications
Application | Oracle Access Manager 11g | Oracle Access Manager 10g | OSSO | WNA
---|---|---|---|---
Oracle UCM Content Server | Supported | Supported | Supported | Supported
Oracle I/PM | Supported | Supported | Supported | Supported
Oracle IRM Web Interface | Supported | Not supported | Supported | Supported
Oracle IRM Desktop | Not supported | Supported (limited) | Not supported | Supported
Oracle URM | Supported | Supported | Supported | Supported
For an overview of Oracle WebLogic Server authentication providers, see "Configuring Authentication Providers" in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Oracle Access Manager enables users to seamlessly gain access to web applications and other IT resources across your enterprise. Oracle IRM supports Basic authentication with Oracle Access Manager, which contains an authorization engine that grants or denies access to particular resources based on properties of the user requesting access as well as on the environment from which the request was made.
For information about configuring Oracle Access Manager single sign-on (SSO) for Oracle IRM, see Section 8.4, "Integrating Oracle IRM with Oracle Access Manager 11g." For information about configuring it for Oracle I/PM, see Oracle Fusion Middleware Administrator's Guide for Oracle Imaging and Process Management. For information about configuring it for Oracle UCM, Oracle IBR, or Oracle URM, see "Configuring Oracle UCM for Single Sign-On" in Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server.
For more information, see "Deploying the Oracle Access Manager Solutions" in Oracle Fusion Middleware Application Security Guide.
Table 4-7 shows where to get more information about configuring Oracle Access Manager 11g for Oracle ECM applications.
Table 4-7 Oracle Access Manager 11g Configuration for Oracle ECM Applications
Application | Configuration Information
---|---
Oracle UCM Content Server | "Configuring Oracle Access Manager 11g with Oracle UCM" in Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server
Oracle I/PM | "Integrating Oracle Access Manager 11g With Oracle I/PM" in Oracle Fusion Middleware Administrator's Guide for Oracle Imaging and Process Management
Oracle IRM Web Interface | Section 8.4, "Integrating Oracle IRM with Oracle Access Manager 11g"
Oracle IRM Desktop | Not supported
Oracle URM | "Configuring Oracle Access Manager 11g with Oracle UCM" in Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server
Table 4-8 shows where to get more information about configuring Oracle Access Manager 10g for Oracle ECM applications.
Table 4-8 Oracle Access Manager 10g Configuration for Oracle ECM Applications
Application | Configuration Information
---|---
Oracle UCM Content Server | "Configuring Oracle Access Manager 10g with Oracle UCM" in Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server
Oracle I/PM | "Integrating Oracle Access Manager 10g With Oracle I/PM" in Oracle Fusion Middleware Administrator's Guide for Oracle Imaging and Process Management
Oracle IRM Web Interface | Not supported
Oracle IRM Desktop | Section 8.4, "Integrating Oracle IRM with Oracle Access Manager 11g"
Oracle URM | "Configuring Oracle Access Manager 11g with Oracle UCM" in Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server
For an overview of Oracle Single Sign-On (OSSO), see "Introduction to Single Sign-On in Oracle Fusion Middleware" in Oracle Fusion Middleware Application Security Guide.
Table 4-9 shows where to get more information about configuring OSSO for Oracle ECM applications.
Table 4-9 OSSO Configuration for Oracle ECM Applications
Application | Configuration Information
---|---
Oracle UCM Content Server | "Configuring Oracle Single Sign-On for Oracle UCM" in Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server
Oracle I/PM | "Configuring Oracle Single Sign-On for Oracle I/PM" in Oracle Fusion Middleware Administrator's Guide for Oracle Imaging and Process Management
Oracle IRM Web Interface | "Configuring Single Sign-On using OracleAS SSO 10g" in Oracle Fusion Middleware Application Security Guide
Oracle IRM Desktop | Not supported
Oracle URM | "Configuring Single Sign-On using OracleAS SSO 10g" in Oracle Fusion Middleware Application Security Guide
For information about configuring Windows Native Authentication (WNA), see "Configuring Single Sign-On with Microsoft Clients" in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Table 4-10 shows where to get more information about configuring WNA for Oracle ECM applications.
Table 4-10 WNA Configuration for Oracle ECM Applications
For production environments that require increased application performance, throughput, or high availability, you can configure two or more Managed Servers to operate as a cluster. A cluster is a collection of multiple Oracle WebLogic Server instances running simultaneously and working together to provide increased scalability and reliability. In a cluster, most resources and services are deployed identically to each Managed Server (as opposed to a single Managed Server), enabling failover and load balancing.
A single domain can contain multiple Oracle WebLogic Server clusters, as well as multiple Managed Servers that are not configured as clusters. The key difference between clustered and nonclustered Managed Servers is support for failover and load balancing. These features are available only in a cluster of Managed Servers.
Note:
To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition. For an overview of clusters, see "Understanding WebLogic Server Clustering" in Oracle Fusion Middleware Using Clusters for Oracle WebLogic Server.
If you select Managed Servers, Clusters, and Machines on the Select Optional Configuration screen, you will see the screens that Table 4-11 describes.
Table 4-11 Managed Servers, Clusters, and Machines Advanced Settings Screens
No. | Screen | Description and Action Required
---|---|---
1 | | Add new Managed Servers, or edit and delete existing Managed Servers. Click Next to continue.
2 | | Create clusters if you are installing in a high availability environment. For more information, see Oracle Fusion Middleware High Availability Guide. Click Next to continue.
3 | | If you configured any clusters on the Configure Clusters screen Click Next to continue.
4 | | If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster Click Next to continue.
5 | | Configure the machines that will host the Managed Servers in a cluster, and assign each Managed Server to a machine. Click Next to continue.
6 | | Assign your Managed Servers to clusters or servers in your domain. Click Next to continue.
7 | | Use this screen to target your services (such as JMS and JDBC) to servers or clusters so that your applications can use the services. Click Next to continue.
You can add a Managed Server to a cluster later, with the Oracle WebLogic Server Administration Console or Fusion Middleware Control. For more information, see "Scaling Your Environment" in Oracle Fusion Middleware Administrator's Guide.
To set up Oracle Web Services Manager (Oracle WSM) security policies for Oracle Enterprise Content Management Suite, you need to do these tasks:
Installing Oracle WebLogic Server and Oracle Enterprise Content Management Suite
Securing Web Services with a Key Store and Oracle WSM Policies
Install Oracle WebLogic Server with the Typical option, which also installs Oracle Coherence and the Sun and JRockit JDKs. For information about how to install Oracle WebLogic Server, see Section 3.1.2, "Installing Oracle WebLogic Server in a Middleware Home."
The installation of Oracle WebLogic Server creates an Oracle Fusion Middleware home, where you can install Oracle Enterprise Content Management Suite, which creates an ECM Oracle home. Oracle WSM can be installed from the Oracle ECM suite. The Middleware home includes an Oracle Common home, where the Oracle WSM files are installed. For information about how to install Oracle Enterprise Content Management Suite, which installs the files necessary for deploying Oracle UCM to Oracle WebLogic Server, see Section 3.2, "Installing Oracle Enterprise Content Management Suite in Oracle Fusion Middleware."
Make the following selection on the Repository Creation Utility (RCU) Select Components Screen to create the MDS schema, which you need for setting up Oracle WSM security:
Metadata Services under AS Common Schemas
The selection is for creating an Oracle WSM Policy Manager schema.
This schema will provide a back-end repository for Oracle UCM and the Oracle WSM Policy Manager. If an MDS schema already exists in your database, you can reuse the schema.
For more information about creating the Oracle WSM MDS schemas with RCU, see Section 2.2, "Creating Oracle Enterprise Content Management Suite Schemas."
To configure one or more Oracle ECM applications and Oracle WSM Policy Manager, you need to create or extend an Oracle WebLogic Server domain. For information about creating a domain to include Oracle WSM Policy Manager, see Section 4.2, "Creating an Oracle WebLogic Server Domain." For information about extending a domain with Oracle WSM Policy Manager, see Section 4.3, "Extending an Existing Domain."
During post-installation configuration of a Managed Server, you can configure the Server Socket Port and Incoming Socket Connection Address Security Filter values for Oracle WSM.
Make sure that the following settings exist along with other default settings:
Server socket port: 4444
This value is stored in the configuration file for the Managed Server as IntradocServerPort=4444.
Incoming Socket Connection Address Security Filter: *.*.*.*|0:0:0:0:0:0:0:1
This value is stored in the configuration file for the Managed Server as SocketHostAddressSecurityFilter=*.*.*.*|0:0:0:0:0:0:0:1.
The *.*.*.* pattern admits socket connections to the server socket port from any IPv4 address, and 0:0:0:0:0:0:0:1 admits the IPv6 loopback. Once you know which hosts need to reach the port, replace the wildcard with their addresses.
Before any changes to these settings take effect, you need to restart the Managed Server, as described in Section 10.3, "Restarting a Managed Server."
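To see what a given SocketHostAddressSecurityFilter value actually lets through before you restart with it, the following added example (not Oracle code) evaluates client addresses against a filter and flags patterns that admit every host. It assumes the filter is matched glob-style against the textual client address, with patterns separated by | and * as a wildcard, as in the value shown above, and that an IPv6 client address is compared in the uncompressed form Java reports (0:0:0:0:0:0:0:1 for loopback), which is why the page lists it that way. The restricted filter with the 10.20.30.* subnet is a made-up example.

```python
"""Evaluate a Content Server SocketHostAddressSecurityFilter against client
addresses and flag patterns that admit every host.

Added example; not Oracle code. The filter syntax (patterns separated by |,
* as a wildcard) follows the value shown in the text. Two assumptions: the
server matches each pattern glob-style against the textual client address,
and an IPv6 client address is compared in the uncompressed form that Java
reports (0:0:0:0:0:0:0:1 for loopback).
"""
import fnmatch
import ipaddress

DEFAULT_FILTER = "*.*.*.*|0:0:0:0:0:0:0:1"                  # value from the text
RESTRICTED_FILTER = "10.20.30.*|127.0.0.1|0:0:0:0:0:0:0:1"  # assumed application subnet

# Patterns that match every address of a family.
ANY_HOST_PATTERNS = {"*", "*.*.*.*", "*:*:*:*:*:*:*:*"}


def normalize_address(addr):
    """Return the textual form the filter is compared against (assumption above).

    IPv4 is returned unchanged; IPv6 is expanded to eight groups with the
    leading zeros of each group dropped, e.g. ::1 -> 0:0:0:0:0:0:0:1.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    groups = ip.exploded.split(":")
    return ":".join(g.lstrip("0") or "0" for g in groups)


def parse_filter(value):
    """Split the pipe-separated filter value into its individual patterns."""
    return [p.strip() for p in value.split("|") if p.strip()]


def address_allowed(filter_value, client_addr):
    """True if any pattern in the filter matches the client address."""
    addr = normalize_address(client_addr)
    return any(fnmatch.fnmatchcase(addr, pat) for pat in parse_filter(filter_value))


def audit_filter(filter_value):
    """Return findings for patterns that let any host reach the server socket port."""
    return ["%r admits any host on the network to the Intradoc server port" % pat
            for pat in parse_filter(filter_value) if pat in ANY_HOST_PATTERNS]


if __name__ == "__main__":
    clients = ["127.0.0.1", "10.20.30.7", "203.0.113.9", "::1", "2001:db8::5"]
    for flt in (DEFAULT_FILTER, RESTRICTED_FILTER):
        print(flt, audit_filter(flt) or "no wildcard-all patterns")
        for c in clients:
            print("  %-14s %s" % (c, "allowed" if address_allowed(flt, c) else "denied"))
```

Under these matching rules the default value lets every IPv4 host on the network open a socket to port 4444 while denying any remote IPv6 address, so a host on a routed IPv6 segment is rejected where an arbitrary IPv4 host is not; listing the hosts explicitly, as in the restricted filter, removes that asymmetry along with the open IPv4 access.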
For more information about the post-installation configuration of a Managed Server, see one or more of these sections:
To secure web services, you can set up a key store and apply Oracle WSM policies to the web services.
The keytool command generates a key store, which requires a password to open. Inside the key store, a key is stored, and access to the key requires an additional password.
The suggested location for the key store is in a directory under the domain home:
UNIX path: MW_HOME/user_projects/domains/DomainHome/config/fmwconfig
Windows path: MW_HOME\user_projects\domains\DomainHome\config\fmwconfig
Placing the key store in this location ensures that the key store file is backed up when the domain and corresponding credential store files are backed up.
Creating the key store and key alias orakey:
JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass welcome -keyalg RSA \
    -dname "CN=orakey, O=oracle, C=us" \
    -keystore default-keystore.jks -storepass welcome
The key store password (-storepass) and key password (-keypass) entered here are the values that must be saved in the credential store in a later step; use your own passwords in place of welcome.
Copy default-keystore.jks to the domain's fmwconfig directory:
cp default-keystore.jks DomainHome/config/fmwconfig
Save the credentials in a credential store (using WLST commands). The password of keystore-csf-key is the key store password given to keytool as -storepass, and the user and password of sign-csf-key and enc-csf-key are the key alias and the key password given as -keypass:
MW_HOME/ECM_ORACLE_HOME/common/bin/wlst.sh
connect()
createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome")
This step creates a file, cwallet.sso, under DomainHome/config/fmwconfig.
Both default-keystore.jks and cwallet.sso are needed for the client to access the server.
For more information about setting up a key store, see Section 8.1.2, "Configuring a Key Store for Oracle IRM."
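A mismatch between the keytool passwords and the values stored under keystore-csf-key, sign-csf-key and enc-csf-key only shows up when a message-protection policy is first exercised, so it is worth checking the WLST script before running it. The following added example (not Oracle code) parses the createCred calls from a script and compares them with the alias, -storepass and -keypass values used for keytool; the script text it checks is a constructed copy of the commands in this section, with one copy deliberately given a different password.

```python
"""Cross-check the Oracle WSM createCred calls against the keytool parameters.

Added example; not Oracle code. Oracle WSM reads the key store password from
keystore-csf-key and the signing and encryption key passwords from
sign-csf-key and enc-csf-key in the oracle.wsm.security credential map, with
the key alias as the CSF user of the latter two. The WLST script text checked
here is constructed from the commands in this section.
"""
import re

CREATE_CRED = re.compile(
    r'createCred\(\s*map="(?P<map>[^"]*)"\s*,\s*key="(?P<key>[^"]*)"\s*,'
    r'\s*user="(?P<user>[^"]*)"\s*,\s*password="(?P<password>[^"]*)"\s*\)'
)

# Placeholder passwords from documentation that should never reach a real domain.
PLACEHOLDER_PASSWORDS = {"welcome", "welcome1", "password", "changeit"}


def parse_create_creds(script):
    """Map (map, key) -> {"user": ..., "password": ...} for every createCred call."""
    return {(m.group("map"), m.group("key")):
            {"user": m.group("user"), "password": m.group("password")}
            for m in CREATE_CRED.finditer(script)}


def check_wsm_credentials(script, alias, storepass, keypass):
    """Return the problems found when comparing the script with the keytool values."""
    creds = parse_create_creds(script)
    expected = {
        "keystore-csf-key": (None, storepass),  # user is not used to open the key store
        "sign-csf-key": (alias, keypass),
        "enc-csf-key": (alias, keypass),
    }
    problems = []
    for key, (user, password) in expected.items():
        cred = creds.get(("oracle.wsm.security", key))
        if cred is None:
            problems.append("%s is missing from map oracle.wsm.security" % key)
            continue
        if user is not None and cred["user"] != user:
            problems.append("%s: user %r does not match key alias %r" % (key, cred["user"], user))
        if cred["password"] != password:
            problems.append("%s: password differs from the keytool value" % key)
        if cred["password"].lower() in PLACEHOLDER_PASSWORDS:
            problems.append("%s: placeholder password in use" % key)
    return problems


# Constructed copies of the WLST commands from this section.
CONSISTENT_SCRIPT = '''
connect()
createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="S3cret-store")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="S3cret-key")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="S3cret-key")
'''
MISMATCHED_SCRIPT = CONSISTENT_SCRIPT.replace(
    'key="enc-csf-key", user="orakey", password="S3cret-key"',
    'key="enc-csf-key", user="orakey", password="welcome1"')

if __name__ == "__main__":
    for name, script in (("consistent", CONSISTENT_SCRIPT), ("mismatched", MISMATCHED_SCRIPT)):
        print(name, check_wsm_credentials(script, "orakey", "S3cret-store", "S3cret-key") or "OK")
```

Run it against the script you are about to feed to wlst.sh, with the alias and passwords you passed to keytool; an empty result means the three CSF keys line up with the key store on disk.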
The following procedure shows how to apply a policy to the Oracle UCM web services IdcWebLoginService and GenericSoapService. The policy to be applied is oracle/wss11_saml_token_with_message_protection_service_policy.
You can use the Oracle WebLogic Server Administration Console to apply Oracle WSM policies to web services.
To apply an Oracle WSM policy to a web service:
Log in to the Oracle WebLogic Server Administration Console as the Oracle WebLogic Server administrator.
Click Deployments in the navigation tree on the left.
In the Deployments table, page to Oracle UCM Native Web Services, and expand it.
Click IdcWebLoginService.
On the Settings for IdcWebLoginService page, click Configuration.
Select the WS-Policy tab.
Apply the OWSM policy oracle/wss11_saml_token_with_message_protection_service_policy to IdcWebLoginPort.