1 Installing Oracle RTD Decision Management

Terminology:

The term "reference implementation" is used in this chapter to refer to the specific Oracle RTD Decision Management application Oracle RTD for Marketing Optimization (also referred to as the RTD for Marketing Optimization application) released with Oracle RTD Base Application.

This chapter contains the following topics:

• Section 1.1, "Installation Overview"

• Section 1.2, "Installing Oracle RTD Decision Management for Development"

• Section 1.3, "Preparing Your Development Application for Production"

• Section 1.4, "Installing Oracle RTD Decision Management for Production on WebLogic"

• Section 1.5, "Installing Oracle RTD Decision Management for Production on WebSphere"

• Section 1.6, "Security Configuration"

1.1 Installation Overview

The steps that lead to the deployment of a Oracle RTD Decision Management application are as follows:

• Using Oracle JDeveloper, a developer configures the Oracle RTD Decision Management application and deploys it to the Weblogic Server that comes with JDeveloper.

  The application server for this stage must be WebLogic.

• After the application has been properly configured, the developer creates an Oracle RTD Decision Management application EAR file, preparing for the file to be deployed to a target production (or test) environment.

  The target environment may use either WebLogic or WebSphere for its application server, and the preparation steps - performed in the development environment - are slightly different for the two different target application servers.

• The domain administrator deploys the EAR file to either a WebSphere server or to a remote Oracle WebLogic Server using Enterprise Manager to be used in the production (or test) environment.

Summarizing, there are two environments:

• Development environment - the environment for the configuration of Oracle RTD Decision Management (must use WebLogic)

• Production environment - the environment for the use of the configured Oracle RTD Decision Management application either for testing or production (must use either WebLogic or WebSphere)

Note:

When following references to the Oracle Real-Time Decisions Installation and Administration Guide, please first follow the installation instructions bundled with the specific Oracle RTD platform version required for Oracle RTD Decision Management (as specified in Oracle Real-Time Decisions Applications System Requirements and Supported Platforms).

1.2 Installing Oracle RTD Decision Management for Development

This section contains the following topics:

• Section 1.2.1, "Preparing for Installation"

• Section 1.2.2, "Installing Oracle RTD Decision Management"

1.2.1 Preparing for Installation

The outline steps to perform in preparing to install Oracle RTD Decision Management are as follows (if details are required, use the appropriate product documentation):

1. Install Oracle Database.

2. Install Oracle JDeveloper 11g Rel 1.

3. Install Oracle RTD for WebLogic, then create and initialize the Oracle RTD database.

4. Create a WebLogic domain with an Administration Server only.

5. Configure Oracle RTD to run on the Administration Server.

The rest of this section contains the following topics:

• Section 1.2.1.1, "Preparing to Use Oracle JDeveloper"

• Section 1.2.1.2, "Setting Up Oracle RTD and the Oracle RTD Database"

• Section 1.2.1.3, "Creating the WebLogic Domain"

• Section 1.2.1.4, "Configuring Oracle RTD"

1.2.1.1 Preparing to Use Oracle JDeveloper

After installing Oracle JDeveloper 11g Rel 1, perform the following steps:

1. In JDeveloper:

   • Select Tools, then Preferences.

   • Select the Environment tab and set the Encoding to UTF-8.

   • Click OK.

2. Create the following environment variables:

   • ANT_HOME=<Oracle Middleware Install dir>\jdeveloper\ant

   • JAVA_HOME=<Oracle Middleware Install dir>\<jdk_version>

   Add %ANT_HOME%\bin and %JAVA_HOME%\bin to your PATH.

3. Create a file called clm-build.properties in your home directory (on Windows, this folder can be reached using the variable %HOMEPATH%). This file should contain:

   • jdeveloper.home=<Oracle Middleware Install dir>

     For example, C:/Oracle/Middleware.

     Note:

     Use the forward slash character "/" in the file, even on Windows.

1.2.1.2 Setting Up Oracle RTD and the Oracle RTD Database

To set up Oracle RTD and the Oracle RTD database, install Oracle RTD for WebLogic, then create and initialize the Oracle RTD database, as described in Sections 2.1 and 2.2 of Oracle Real-Time Decisions Installation and Administration Guide.

Note:

In addition to the instructions in the specified sections, you must make the following extra provision for the Oracle RTD database SDDB:

• Before you can initialize the database either by using SDDBTool or by running the database initialization command line scripts, you must have the system privilege CREATE VIEW.

1.2.1.3 Creating the WebLogic Domain

The WebLogic domain to create for the development environment will have the following properties:

• The domain will be configured to support Oracle JRF

• The domain will have only one Administration Server

To create the development WebLogic domain, perform the following steps:

1. Start the Configuration Wizard.

   On Windows, this is available via Start Menu: Programs -> Oracle Fusion Middleware <11g_version> -> WebLogic Server 11gR1 -> Tools -> Configuration Wizard

2. In the Welcome window, select Create a new WebLogic domain, then click Next.

3. In the Select Domain Source window:

   • Select Generate a domain configured automatically to support the following products.

   • Select the Oracle JRF - 11.1.1.0 [oracle_common] option.

   • Click Next.

4. In the Specify Domain Name and Location, specify a name and location for your domain, then click Next.

   Note:

   You can specify any name for the domain. The generic name name <RTDCLM_Dev_Domain> will be used to refer to the development environment domain name in all the setup steps of this and other sections.

5. In the Configure Administrator User Name and Password window, specify a user name and password for the administrator account, then click Next.

6. In the Configure Server Start Mode and JDK window, keep the default values in the WebLogic Domain Startup Mode and Available JDKs areas, then click Next.

7. In the Select Optional Configuration window, for the development environment select only Administration Server, then click Next.

8. In the Configure the Administration Server window:

   • Keep the default values for Name and Listen address.

   • For Listen port, either keep the default value of 7001 or enter the port number that you require for the Administration Server.

   • Click Next.

9. Review the domain configuration details in the Configuration Summary window, then click Create.

1.2.1.4 Configuring Oracle RTD

This section describes the configuring of Oracle RTD to run on the Administration Server.

Note:

The rationale for running Oracle RTD on the Administration Server in the development environment is to use less memory. However this should never be used in a production environment.

With reference to the instructions in chapter 5 of the Oracle Real-Time Decisions Installation and Administration Guide, perform the following steps:

1. If you are running Oracle RTD in a Managed Server, perform the instructions in Section 5.4.

   If you are running Oracle RTD in the Administration Server instead of a Managed Server, replace Section 5.4 with these instructions:

   For Windows: In the bin subfolder of your domain, edit startWebLogic.cmd and add the following entries at the top of the file:

   set JAVA_OPTIONS=%JAVA_OPTIONS% -Dorg.eclipse.emf.ecore.EPackage.Registry.INSTANCE=com.sigmadynamics.emf.util.SDEMFRegistry
   set JAVA_OPTIONS=%JAVA_OPTIONS% -Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl
   set JAVA_OPTIONS=%JAVA_OPTIONS% -Dcom.sun.management.jmxremote=true
   set JAVA_OPTIONS=%JAVA_OPTIONS% -Dcom.sun.management.jmxremote.port=12345
   set JAVA_OPTIONS=%JAVA_OPTIONS% -Dcom.sun.management.jmxremote.authenticate=false
   set JAVA_OPTIONS=%JAVA_OPTIONS% -Dcom.sun.management.jmxremote.ssl=false
   set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.wsee.skip.async.response=true
   set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.net.preferIPv4Stack=true
   

   For Unix: In the bin subfolder of your domain, edit startWebLogic.sh and add at the top of the file:

   JAVA_OPTIONS="${JAVA_OPTIONS} -Dorg.eclipse.emf.ecore.EPackage.Registry.INSTANCE=com.sigmadynamics.emf.util.SDEMFRegistry"
   JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl"
   JAVA_OPTIONS="${JAVA_OPTIONS} -Dcom.sun.management.jmxremote=true"
   JAVA_OPTIONS="${JAVA_OPTIONS} -Dcom.sun.management.jmxremote.port=12345"
   JAVA_OPTIONS="${JAVA_OPTIONS} -Dcom.sun.management.jmxremote.authenticate=false"
   JAVA_OPTIONS="${JAVA_OPTIONS} -Dcom.sun.management.jmxremote.ssl=false"
   JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.wsee.skip.async.response=true"
   JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true" 
   

2. Do not perform the steps in Section 5.5.

3. If you are running Oracle RTD in a Managed Server, perform the instructions as they appear from Section 5.6 to the end of Chapter 5.

   If you are running Oracle RTD in the Administration Server instead of a Managed Server, perform the operations from Section 5.7 to the end of Chapter 5 on the Administration Server instead of the Managed Server.

1.2.2 Installing Oracle RTD Decision Management

After you have created the WebLogic domain and configured Oracle RTD to run on the Administration Server, you are ready to install Oracle RTD Decision Management.

Note:

This section describes how to install Oracle RTD Decision Management and the specific RTD for Marketing Optimization application, as released with Oracle RTD Base Application. For setting up other Oracle RTD Decision Management applications, see Section 2.2, "Configuring Oracle RTD Decision Management."

This section contains the following topics:

• Section 1.2.2.1, "Unzipping the Oracle RTD Decision Management Product"

• Section 1.2.2.2, "Oracle RTD Decision Management Database Creation"

• Section 1.2.2.3, "Oracle RTD Decision Management Data Source Setup"

• Section 1.2.2.4, "Oracle RTD Decision Management Data Source Access by Oracle RTD Setup"

• Section 1.2.2.5, "Inline Service Deployment"

• Section 1.2.2.6, "Storing Credentials to Enable Web Service Calls"

• Section 1.2.2.7, "Oracle RTD Decision Management Application Deployment"

1.2.2.1 Unzipping the Oracle RTD Decision Management Product

Unzip RTD_Designer.zip from the Oracle RTD Base Application distribution into the directory of your choice.

Note:

Some zip extraction utilities impose a limit on the combined length of the target directory path and the full directory+file name in the zip file. Oracle recommends that select your target directory with this in mind when you unzip RTD_Designer.zip.

1.2.2.2 Oracle RTD Decision Management Database Creation

Note:

For running the SQL commands and SQL scripts specified in this section, use SQL*Plus or an equivalent tool that can run on your database, such as the Database Navigator of Oracle JDeveloper.

To create an Oracle RTD Decision Management database, perform the following steps:

1. Create a database user for the Oracle RTD Decision Management schema.

   CREATE USER <username> IDENTIFIED BY <password> DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users;

   GRANT CREATE VIEW, CONNECT, RESOURCE TO <username>;

   Note:

   If you are going to use non 7-bit ASCII characters in choice group id or choice attribute ids, you must set the environment variable NLS_LANG to .UTF8 before running the sql scripts in the steps that follow.

2. Create the schema, by performing the following steps:

   1. Preliminary step if you want to use Oracle JDeveloper:

      Open Oracle JDeveloper, open Database Navigator, then connect as the user that you just created.

   2. Go to the subfolder clm\Database\sql of where you unzipped RTD_Designer.zip, then run the file load core.sql.

      Note:

      The file load core.sql contains generic commands, required for all Oracle RTD Decision Management applications. The commands in load ils.sql, as released, are for the RTD for Marketing Optimization application.

   3. Go to the subfolder clm\Database\sql\ils of where you unzipped RTD_Designer.zip, then run the file load ils.sql.

      Make sure you have committed your changes.

   Note:

   The following step is specific to the installation of the application RTD for Marketing Optimization, as released with Oracle RTD Base Application. The step seeds the database with some sample data.

3. Load the sample seed data into the Oracle RTD Decision Management database for the reference implementation application, by performing the following steps:

   • Run clm\Build\metadata\ref\sql\insert ils data.sql first to create some channels, placements, slots and slot types.

   • Run clm\Build\metadata\ref\sql\insert marketing data.sql to create some campaigns, offers and creatives.

   You may notice the drop core.sql and drop ils.sql files. These can be used to drop the schema. Call drop ils.sql first, then drop core.sql.

1.2.2.3 Oracle RTD Decision Management Data Source Setup

To set up an Oracle RTD Decision Management data source, perform the following steps:

1. Start the Administration Server.

   On Windows, this is available via the Start Menu: Programs -> Oracle Fusion Middleware <11g_version> -> User Projects -> <RTDCLM_Dev_Domain> -> Start Admin Server for Weblogic Server Domain

2. Open the Admin Server Console.

   On Windows, this is available via the Start Menu: Programs -> Oracle Fusion Middleware <11g_version> -> User Projects -> <RTDCLM_Dev_Domain> -> Admin Server Console.

3. Log in with the administrator username and password, which was specified during domain creation (see Section 1.2.1.3, "Creating the WebLogic Domain.").

4. Navigate the path Services -> Data Sources -> New -> Generic Data Source, then enter:

   • Name: DM_DS or a similar value

   • JNDI Name: CLMDS

   • Database Type: Oracle

   Click Next.

5. For the Database Driver, select Oracle's Driver (Thin) for Instance connections; Versions: 9.0.1 and later, then click Next.

6. In the Transaction Options window, deselect Supports Global Transactions, then click Next.

7. For the Connection Properties:

   • Specify the database settings that match your configuration, for example:

     
     

     Ensure that the Database User name and Password match the values that you set up in step 1 of Section 1.4.3.2, "Oracle RTD Decision Management Database Creation."

   • Click Next.

8. Leave all the settings already filled, except enter CHOICE for the Test Table Name, and click Test Configuration. Then click Next.

9. Select AdminServer as a target, then click Finish.

1.2.2.4 Oracle RTD Decision Management Data Source Access by Oracle RTD Setup

Section 8.3.3 of Oracle Real-Time Decisions Installation and Administration Guide describes the general steps to add a data source to Oracle RTD. Follow the steps in that section, and, specifically for the Oracle RTD Decision Management data source, add the following in web.xml for rtis.war:

<resource-ref id="CLM_RTIS">
    <res-ref-name>CLMDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Unshareable</res-sharing-scope>
</resource-ref>

and add the following in web.xml for soap.war:

<resource-ref id="CLM_Axis">
    <res-ref-name>CLMDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Unshareable</res-sharing-scope>
</resource-ref>

1.2.2.5 Inline Service Deployment

To deploy the Oracle RTD Decision Management application, you must have a specific Inline Service running in the Oracle RTD instance on the same server as Oracle RTD Decision Management. You need to deploy that Inline Service to the Oracle RTD server using Decision Studio, as described in Oracle Real-Time Decisions Platform Developer's Guide.

By convention, the Inline Service is located in a sub-folder called service of the application module folder. For the reference implementation, that folder is clm\Build\metadata\ref\service.

1.2.2.6 Storing Credentials to Enable Web Service Calls

Oracle RTD Decision Management makes web service calls from the Decision Management server side to Oracle RTD. Credentials for these calls are stored in the WebLogic credential store. In summary form, the credential setup process is as follows:

• First, you create a user that will be used to authenticate the web service calls

• Then, you store the credentials of this user in the WebLogic credential store, so that the Decision Management application can retrieve them

To create the user, perform the following steps:

1. Open the Admin Server Console.

   On Windows, this is available via the Start Menu: Programs -> Oracle Fusion Middleware <11g_version> -> User Projects -> <RTDCLM_Dev_Domain> -> Admin Server Console.

2. Log in with the administrator username and password.

3. Select Security Realms and select the security realm you are using (myrealm by default).

4. Select the Users and Groups tab, and click New to create a new user.

5. Specify a username and password (generic names <clmclient_user> and <clmclient_password>).

6. Click OK.

7. Select the user that you just created and select the Groups tab.

8. Select the RTDDCUserGroup group, shuttle it to the right.

9. Click Save:

To store the username and password in the WebLogic credential store, perform the following steps:

1. In a command window, go to the directory <middleware_home>\oracle_common\common\bin\, and run wlst.cmd on Windows or wlst.sh on Unix.

   Note:

   <middleware_home>\wlserver_10.3\common\bin includes similarly named command files - do not execute those.

2. Using the values appropriate to your environment (specified during domain creation), type the following command:

   connect('<admin_user>', '<admin_password>', '<server_name>:<port>')

3. Using the same username and password that you created previously in this section, enter:

   updateCred(map="oracle.rtd.clm", key="clm.client", user="<clmclient_user>", password="<clmclient_password>")

4. Verify that this worked, by entering:

   listCred(map="oracle.rtd.clm", key="clm.client")

5. Complete the process by entering:

   exit()

Note:

The user name and password are required as part of the SSO setup for Decision Management, as described in Section 1.6.7.4, "Creating Groups and Users in LDAP Server."

1.2.2.7 Oracle RTD Decision Management Application Deployment

Deploy the Oracle RTD Decision Management application in JDeveloper, by performing the following steps:

1. Open JDeveloper from Start Menu, Programs -> Oracle Fusion Middleware <11g_version> -> JDeveloper Studio <11g_version>.

   If prompted, select Default Role.

2. Click Open Application... and select clm.jws in the clm subfolder of where you unzipped RTD_Designer.zip.

3. Select Application -> Deploy -> clm_application1... and, in the Deployment Action window, select Deploy to Application Server.

4. At top right of the Select Server window, click the green plus button.

   The Create Application Server Connection process that opens up has five steps:

   • Name and Type: Select AdminServer and WebLogic 10.3.

   • Authentication: Specify the administrator username and password.

   • Configuration: Specify the Weblogic domain <RTDCLM_Dev_Domain>, and the Hostname and port values that apply to your environment.

   • Test: Click Test Connection.

   • Finish: Click Finish.

5. In the Select Server window, select the newly created AdminServer connection, and click Next.

6. In the WebLogic options window, leave the options as they are, and click Finish.

   You should see this in the deployment tab:

   • Application Deployed Successfully.

   • Elapsed time for deployment: [...]

   • ---- Deployment finished. ---

[Next time you can deploy the application by choosing the menu item Application -> Deploy -> clm_application1 to AdminServer.]

The Oracle RTD Decision Management application is now deployed and accessible at the URL: http://<server>:<port>/dm

1.3 Preparing Your Development Application for Production

After you have finished configuring Oracle RTD Decision Management for your needs, you are ready to generate the clm.ear file to provide it to the domain administrator so it can be installed in your production or test environment. The instructions for this subsequent installation are application server specific and appear in later sections of this manual.

Note:

The preparation steps in this section are largely the same whether your target production (or test) environment uses WebLogic or WebSphere. Unless marked as being specific to a particular target application server, the instructions in this section apply to both.

To generate the clm.ear file, first review the Oracle RTD Decision Management configuration:

• (For WebLogic production and test systems)

  In clm\Build\metadata\<metadata_module>\security.xml (and any other xml files in the same directory clm\Build\metadata\<metadata_module>), remove any <users> or <enterprise-roles> as the domain administrator will map Oracle RTD Decision Management application roles to your enterprise users and groups using Enterprise Manager (see Section 1.6.4, "Mapping Users and Groups to Intermediary Roles in Production").

• (For WebSphere production and test systems)

  In clm\Build\metadata\<metadata_module>\security.xml (and any other xml files in the same directory clm\Build\metadata\<metadata_module>), remove any <users> and create <enterprise-role> for each <application-role>.For example if you have:

  <application-roles>
    <application-role>
        <name>CLMAdministrator</name>
  ...
    </application-role>
          ...
  </application-roles>
  

  then add:

  <enterprise-roles>
  ...
    <enterprise-role>
          <application-roles>CLMAdministrator</application-roles>
          <name>CLMAdministratorGroup</name>
    </enterprise-role>
  ...
  </enterprise-roles>
  

  The domain administrator will map these enterprise roles to its own enterprise users and groups. See Section 1.6.4, "Mapping Users and Groups to Intermediary Roles in Production."

• Review clm\Build\metadata\<metadata_module>\config\config.xml.

  You will probably have to change the workbenchService url port from the development-site port number to the port where your production managed server will be running.

  For example, for WebLogic environments, from the development-site Administration Server port 7001 to the production-site Managed Server port 7003, and for WebSphere servers, the default port is 9080.

  Note the JNDI name for your data source.

  This is the name identified by <datasourceJNDIName>, CLMDS by default. You will need this when setting up your production system.

If you have made changes to the configuration, go to the clm\Build directory and run the command ant generate:

Then run the command ant ear:

The clm.ear file is now located in the folder clm\deploy and is ready to be used in production.

You need to provide load core.sql and load ils.sql to set up the production database. These are located in folder clm\Database\sql and clm\Database\sql\ils respectively.

You also need to provide the Inline Service. It should be located in the folder clm\Build\metadata\<metadata_module>\service.

1.4 Installing Oracle RTD Decision Management for Production on WebLogic

This section contains the following topics:

• Section 1.4.1, "Preparing for Installation"

• Section 1.4.2, "Production WebLogic Domain Creation"

• Section 1.4.3, "Installing Oracle RTD Decision Management"

1.4.1 Preparing for Installation

The steps to perform in preparing to install Oracle RTD Decision Management are as follows:

1. Install Oracle Database.

2. Install Oracle WebLogic Server 11gR1.

   Oracle Coherence and Oracle Enterprise Pack for Eclipse do not need to be installed and can be deselected during install.

3. Install Application Development Runtime.

4. Configure the Oracle RTD database following chapter 2 of Oracle Real-Time Decisions Installation and Administration Guide.

   Note:

   In addition to the instructions in the specified chapter, you must make the following extra provision for the Oracle RTD database SDDB:

   • Before you can initialize the database either by using SDDBTool or by running the database initialization command line scripts, you must have the system privilege CREATE VIEW.

5. Create a WebLogic domain with a Managed Server, as explained in Section 1.4.2, "Production WebLogic Domain Creation."

6. Modify nodemanager.properties in <middleware_home>/wlserver_10.3/common/nodemanager and set StartScriptEnabled and StopScriptEnabled to true (you have to start Node Manager once for this file to exist).

7. Configure Oracle RTD to run on the Managed Server following chapter 5 (but not sections 5.1, 5.3, nor 5.5) of Oracle Real-Time Decisions Installation and Administration Guide.

1.4.2 Production WebLogic Domain Creation

To create a production WebLogic domain, perform the following steps:

1. Start the Fusion Middleware Configuration Wizard.

   On Windows, this is available via Start Menu: Programs -> Oracle Application Developer 11g -> Configure Application Server.

2. In the Welcome window, select Create a new WebLogic domain, then click Next.

3. In the Select Domain Source window:

   • Select Generate a domain configured automatically to support the following products.

   • Select the Oracle Enterprise Manager - 11.1.1.0 [oracle_common] and Oracle JRF - 11.1.1.0 [oracle_common] options.

   • Click Next.

4. In the Specify Domain Name and Location, specify a name and location for your domain, then click Next.

   Note:

   You can specify any name for the domain. The generic name name <RTDCLM_Prod_Domain> will be used to refer to the production environment domain name in all the setup steps of this and other sections.

5. In the Configure Administrator User Name and Password window, specify a user name and password for the administrator account, then click Next.

6. In the Configure Server Start Mode and JDK window, select Production Mode, then click Next.

7. In the Select Optional Configuration window, select the following options, then click Next.

   • Administration Server

   • Managed Servers, Clusters and Machines

   • Deployment and Services

8. In the Configure the Administration Server window, optionally change the values as required for your production environment, then click Next

9. In the Configure Managed Servers window, add a managed server specifying a name of your choice, with address and port information appropriate to your environment, then click Next.

10. In the Configure Clusters window, click Next.

11. In the Configure Machines window:

    • Select the Machine tab (for Windows) or the UNIX Machine tab (for UNIX)

      
      
      

    • Add a machine specifying a name of your choice, and with address and port information appropriate to your environment

      Note the extra "Post bind" fields on the Unix Machine tab. Click Help in the Configure Machines window for further information on these fields, to determine their relevance for your environment.

    • Click Next

12. In the Assign Servers to Machines window, assign your managed server to the machine that you just specified, then click Next.

13. In the Target Deployments to Clusters or Servers window:

    • Select ManagedServer as the Target

    • Select the applications DMS Application#11.1.1.1.0 and wsil-wls

    • Select Library (which automatically selects all the libraries)

      
      

    • Click Next

14. In the Target Services to Clusters or Servers window:

    • Specify that all the services should be targeted to the Managed Server.

      
      

    • Click Next.

15. Review the domain configuration details in the Configuration Summary window, then click Create.

Note:

If you have performed these domain creation steps in sequence from Section 1.4.1, "Preparing for Installation," continue those steps at step 6.

Other Configurations

For your own installation, you may have a different configuration based on your topology. For example:

• You can have the Administration Server on a different machine

• You can have multiple Managed Servers

• You can use a cluster

• You can enable SSL (see Section 1.6.5, "Using SSL with Oracle RTD Decision Management Applications on WebLogic")

1.4.3 Installing Oracle RTD Decision Management

After you have created the WebLogic domain and configured Oracle RTD to run on the Managed Server, you are ready to install Oracle RTD Decision Management.

This section contains the following topics:

• Section 1.4.3.1, "Files Required from Development Environment"

• Section 1.4.3.2, "Oracle RTD Decision Management Database Creation"

• Section 1.4.3.3, "Oracle RTD Decision Management Data Source Setup"

• Section 1.4.3.4, "Oracle RTD Decision Management Data Source Access by Oracle RTD Setup"

• Section 1.4.3.5, "Storing Credentials to Enable Web Service Calls"

• Section 1.4.3.6, "Oracle RTD Decision Management Application Deployment"

• Section 1.4.3.7, "Inline Service Deployment"

1.4.3.1 Files Required from Development Environment

The Oracle RTD Decision Management configuration performed in the development environment is the source of the following files, required for the production environment:

• clm.ear

• load core.sql

• load ils.sql

• The Inline Service that is part of this application (see Section 1.2.2.5, "Inline Service Deployment")

Note:

The .sql files are generated when you run ant generate (and before you run ant ear).

1.4.3.2 Oracle RTD Decision Management Database Creation

Note:

For running the SQL commands and SQL scripts specified in this section, use SQL*Plus or an equivalent tool that can run on your database.

To create an Oracle RTD Decision Management database, perform the following steps:

1. Create a database user for the Oracle RTD Decision Management schema.

   CREATE USER <username> IDENTIFIED BY <password> DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users;

   GRANT CREATE VIEW, CONNECT, RESOURCE TO <username>;

   Note:

   If you are going to use non 7-bit ASCII characters in choice group id or choice attribute ids, you must set the environment variable NLS_LANG to .UTF8 before running the sql scripts in the steps that follow.

2. Create the schema, by performing the following steps:

   • Go to the subfolder clm\Database\sql of where you unzipped RTD_Designer.zip, then run the file load core.sql.

   Note:

   The file load core.sql contains generic commands, required for all Oracle RTD Decision Management applications. The commands in load ils.sql, as released, are for the RTD for Marketing Optimization application.

   • Go to the subfolder clm\Database\sql\ils of where you unzipped RTD_Designer.zip, then run the file load ils.sql.

     Make sure you have committed your changes.

1.4.3.3 Oracle RTD Decision Management Data Source Setup

To set up an Oracle RTD Decision Management data source, perform the following steps:

1. Start the Administration Server.

   On Windows, this is available via the Start Menu: Programs -> Oracle WebLogic -> User Projects -> <RTDCLM_Prod_Domain> -> Start Admin Server for Weblogic Server Domain

2. Enter the administrator username and password, which was specified during domain creation (see Section 1.2.1.3, "Creating the WebLogic Domain").

3. Open the Admin Server Console.

   On Windows, this is available via the Start Menu: Programs -> Oracle WebLogic -> User Projects -> <RTDCLM_Prod_Domain> -> Admin Server Console.

4. Log in with the administrator username and password.

5. Click Lock & Edit to make change.

6. Navigate the path Services -> Data Sources -> New -> Generic Data Source, then enter:

   • Name: DM_DS or a similar value

   • JNDI Name: Enter the proper JNDI name.

     The JNDI name must be the JNDI name you specify in config.xml and in your Inline Service application parameter, CLMDS by default.

   • Database Type: Oracle

   Click Next.

7. For the Database Driver, select Oracle's Driver (Thin) for Instance connections; Versions: 9.0.1 and later, then click Next.

8. In the Transaction Options window, deselect Supports Global Transactions, then click Next.

9. For the Connection Properties:

   • Specify the database settings that match your configuration, for example:

     
     

     Ensure that the Database User name and Password match the values that you set up in step 1 of Section 1.4.3.2, "Oracle RTD Decision Management Database Creation."

   • Click Next.

10. Leave all the settings already filled, except enter CHOICE for the Test Table Name, and click Test Configuration. Then click Next.

11. Select the Managed Server that you created in Section 1.4.2, "Production WebLogic Domain Creation" as the target, then click Finish.

12. Select Activate Changes.

1.4.3.4 Oracle RTD Decision Management Data Source Access by Oracle RTD Setup

Section 8.3.3 of Oracle Real-Time Decisions Installation and Administration Guide describes the general steps to add a data source to Oracle RTD. Follow the steps in that section, and, specifically for the Oracle RTD Decision Management data source, add the following in web.xml for rtis.war:

Note:

The code lines that follow show CLMDS as the value for <res-ref-name>. <ref-ref-name> refers to the JNDI data source name, which must be the JNDI name you specify in config.xml and in your Inline Service application parameter. Replace CLMDS, if necessary, with your particular JNDI name.

<resource-ref id="CLM_RTIS">
    <res-ref-name>CLMDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Unshareable</res-sharing-scope>
</resource-ref>

and add the following in web.xml for soap.war:

<resource-ref id="CLM_Axis">
    <res-ref-name>CLMDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
     <res-sharing-scope>Unshareable</res-sharing-scope>
</resource-ref>

1.4.3.5 Storing Credentials to Enable Web Service Calls

Oracle RTD Decision Management makes web service calls from the Decision Management server side to Oracle RTD. Credentials for these calls are stored in the WebLogic credential store. In summary form, the credential setup process is as follows:

• First, you create a user that will be used to authenticate the web service calls

• Then, you store the credentials of this user in the WebLogic credential store, so that the Decision Management application can retrieve them

To create the user and to store the user credentials in the WebLogic credential store, perform the following steps:

1. Open the Admin Server Console.

   On Windows, this is available via Start Menu: Programs -> Oracle WebLogic -> User Projects -> <RTDCLM_Prod_Domain> -> Admin Server Console.

2. Log in with the administrator username and password.

3. Select Security Realms and select the security realm you are using (myrealm by default).

4. Select the Users and Groups tab, and click New to create a new user.

5. Specify a username and password (generic names <clmclient_user> and <clmclient_password>).

6. Click OK.

7. Select the user that you just created and select the Groups tab.

8. Select the RTDDCUserGroup group, shuttle it to the right.

9. Click Save.

10. Open the Enterprise Manager on the Administration Server.

11. Log in with the administrator username and password.

12. In the Target Navigation Pane, select WebLogic Domain -> <RTDCLM_Prod_Domain>.

13. In the <RTDCLM_Prod_domain> window, from the WebLogic Domain dropdown menu, select Security -> Credentials.

14. In the Credentials area, click Create Map, and in the Create Map window, enter oracle.rtd.clm and click OK.

15. Click Create Key, and in the Create Key window:

    • Enter the Key clm.client for the map that you just created

    • Enter the same User Name and Password as you created previously in this process

    • Click OK

This completes the set up of the credentials for accessing Oracle RTD from Oracle RTD Decision Management.

1.4.3.6 Oracle RTD Decision Management Application Deployment

The final step is to deploy the Oracle RTD Decision Management application. You should have a clm.ear file that was generated from the development environment. The clm.ear application will be deployed to the production environment.

Note:

Enterprise Manager must be used to deploy the Oracle RTD Decision Management application, Weblogic Admin console cannot be used.

1. Start Node Manager.

   On Windows, Node Manager is either running as a service, or you can start it from the Start Menu: Programs -> Oracle WebLogic -> WebLogic 11gR1 -> Tools -> Node Manager.

2. Open the Enterprise Manager on the Administration Server.

3. Log in with the administrator username and password.

4. In the Target Navigation Pane, select WebLogic Domain -> <RTDCLM_Prod_Domain>.

5. In the <RTDCLM_Prod_Domain> window, from the WebLogic Domain dropdown menu, select Control -> Start Up.

6. In the <RTDCLM_Prod_Domain> window, from the WebLogic Domain dropdown menu, select Application Deployment -> Deploy....

7. In the Select Archive window, select the .ear file that was originally generated in the development environment.

8. In the Select Target window, select the managed server only.

9. In the Application Attributes window, do not alter any values.

10. In the Deployment Settings window, click Configure Application Security.

11. In the Configure Application Security window, for your first deployment, select Append for the Application Policy Migration and click Apply.

    Note:

    Use the Append options for first-time deployment only. For subsequent deployments:

    • For Application Policy Migration, select Overwrite.

12. Back in the Deployment Settings window, click Deploy.

    The Oracle RTD Decision Management application is now deployed and accessible at the URL: http://<server>:<port>/dm.

1.4.3.7 Inline Service Deployment

The application that you deployed requires a specific Inline Service to be running in the Oracle RTD instance on the same server as Oracle RTD Decision Management.

You should have received this Inline Service with the clm.ear file. Using Decision Studio, you must deploy that Inline Service to the Oracle RTD instance running on the same server as Oracle RTD Decision Management.

1.5 Installing Oracle RTD Decision Management for Production on WebSphere

This section contains the following topics:

• Section 1.5.1, "Preparing for Installation"

• Section 1.5.2, "Installing Oracle RTD Decision Management"

1.5.1 Preparing for Installation

To prepare for the installation of Oracle RTD Decision Management, perform the following steps (if details are required, use the appropriate product documentation):

1. Install Oracle RTD for WebSphere following chapters 2 and 4 of the Oracle Real-Time Decisions Installation and Administration Guide (and any documentation specific to the version of Oracle RTD that you are installing).

   Note:

   Due to a limitation with Oracle Application Development Runtime on Windows, the path to the location where you install WebSphere cannot contain any spaces, therefore do not install in Program Files, which is the default location.

2. Install Application Development Runtime.

3. Install Enterprise Manager.

4. Set up the SOAP JVM custom property.

5. Modify the Oracle RTD Data Source.

6. Set up the DisableMultiThreadedServletConnectionMgmt custom property.

The rest of this section contains the following topics:

• Section 1.5.1.1, "Setting Up SOAP JVM Custom Property"

• Section 1.5.1.2, "Modifying the Oracle RTD Data Source"

• Section 1.5.1.3, "Setting Up DisableMultiThreadedServletConnectionMgmt Custom Property"

1.5.1.1 Setting Up SOAP JVM Custom Property

To set up the SOAP JVM custom property, perform the following steps:

1. Start WebSphere.

2. Login to the console with your user name and password.

3. From the left side of the console, expand Servers and choose Server types, then click WebSphere application servers.

4. Click the name of the application server where Oracle RTD is running (for example, server1).

5. Under Server Infrastructure, expand Java and Process Management, click Process definition, then select Java Virtual Machine.

6. Under Additional Properties, click Custom properties.

7. Click New, and under General properties, enter the following:

   • For Name, enter javax.xml.soap.SOAPConnectionFactory.

   • For Value, enter com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnectionFactory.

8. Click OK, then click Save.

9. Restart the WebSphere application server.

1.5.1.2 Modifying the Oracle RTD Data Source

You must modify the Oracle RTD data source (SDDS) to enable it to work in this Oracle RTD Decision Management setup.

To modify the Oracle RTD data source, perform the following steps:

1. Login to the console with your user name and password.

2. From the left side of the Console window, expand Resources, then expand JDBC and choose Data sources.

3. Check RTD_DS and click Delete.

4. Click Save.

5. From the left side of the Console window, expand Resources, then expand JDBC and choose JDBC Providers.

6. Check RTDDataProvider and click Delete.

7. Click Save.

8. Still under JDBC providers, ensure that the scope is set correctly (to Node=host_nameNode_number), then perform the following steps:

   • Click New.

   • For Database type, select Oracle.

   • For Provider type, select Oracle JDBC Driver.

   • For Implementation Type, select Connection Pool Data Source.

   • For Name, enter RTDDataProvider.

9. Click Next.

10. Click Next.

11. Click Finish, and then click Save.

12. Click on RTDDataProvider.

13. Change the class path to RTD_HOME/lib/jdbc/ojdbc14.jar.

14. Check Isolate this resource provider.

15. Click OK, and then click Save.

16. Click on RTDDataProvider.

17. Under the Additional Properties heading, click Data sources.

18. Click New, and enter the following values:

    • For Data source name, enter RTD_DS, or a similar value.

    • For JNDI name, enter SDDS.

    The JNDI name must be SDDS for Oracle RTD to access the database.

19. Click Next.

20. For URL, enter jdbc:oracle:thin:@db_host:db_port:sid.

    For example: jdbc:oracle:thin:@dbhost.company.com:1521:orcl.

21. For Data store helper class name, select Oracle 10g data store helper or Oracle 11g data store helper, depending on your Oracle RTD database.

22. Uncheck the option Use this data source in container managed persistence (CMP), and click Next.

23. For both Component-managed authentication alias and Container-managed authentication alias, select RTDDS_auth.

    Note:

    Do not change the values for Mapping-configuration alias.

24. Click Next.

25. Click Finish, and then click Save.

26. Restart WebSphere, then launch the Integrated Solutions Console again.

27. Expand Resources, then expand JDBC and choose Data Sources.

28. Select RTD_DS and click Test Connection.

    If the connection fails, ensure that your data source settings are correct, then test the data source again.

1.5.1.3 Setting Up DisableMultiThreadedServletConnectionMgmt Custom Property

To set up the DisableMultiThreadedServletConnectionMgmt custom property, perform the following steps:

1. Start WebSphere.

2. Login to the console with your user name and password.

3. From the left side of the console, expand Servers and choose Server types, then click WebSphere application servers.

4. Click the name of the application server where Oracle RTD is running (for example, server1).

5. Under Container Settings, expand Web Container Settings and click on Web container.

6. Under Additional Properties, click Custom properties.Click New, and under General properties, enter the following:

   • For Name, enter DisableMultiThreadedServletConnectionMgmt

   • For Value, enter true

7. Click OK, then click Save.

8. Restart the WebSphere application server.

1.5.2 Installing Oracle RTD Decision Management

After you have created the WebSphere Server and configured Oracle RTD to run on this server, you are ready to install Oracle RTD Decision Management.

This section contains the following topics:

• Section 1.5.2.1, "Files Required from Development Environment"

• Section 1.5.2.2, "Oracle RTD Decision Management Database Creation"

• Section 1.5.2.3, "Oracle RTD Decision Management Data Source Setup"

• Section 1.5.2.4, "Oracle RTD Decision Management Data Source Access by Oracle RTD Setup"

• Section 1.5.2.5, "Storing Credentials to Enable Web Service Calls"

• Section 1.5.2.6, "Oracle RTD Decision Management Application Deployment"

• Section 1.5.2.7, "Inline Service Deployment"

• Section 1.5.2.8, "Setting HttpOnly Flag"

1.5.2.1 Files Required from Development Environment

The Oracle RTD Decision Management configuration performed in the development environment is the source of the following files, required for the production environment:

• clm.ear

• load core.sql

• load ils.sql

• The Inline Service that is part of this application (see Section 1.2.2.5, "Inline Service Deployment")

Note:

The .sql files are generated when you run ant generate (and before you run ant ear).

1.5.2.2 Oracle RTD Decision Management Database Creation

Note:

For running the SQL commands and SQL scripts specified in this section, use SQL*Plus or an equivalent tool that can run on your database.

To create an Oracle RTD Decision Management database, perform the following steps:

1. Create a database user for the Oracle RTD Decision Management schema.

   CREATE USER <username> IDENTIFIED BY <password> DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users;
   
   GRANT CREATE VIEW, CONNECT, RESOURCE TO <username>;
   

   Note:

   If you are going to use non 7-bit ASCII characters in choice group id or choice attribute ids, you must set the environment variable NLS_LANG to .UTF8 before running the sql scripts in the steps that follow.

2. Create the schema, by performing the following steps:

   1. Go to the subfolder clm\Database\sql of the root folder where you unzipped RTD_Designer.zip was unzipped, then run the file load core.sql.

      Note:

      The file load core.sql contains generic commands, required for all Oracle RTD Decision Management applications. The commands in load ils.sql, as released, are for the RTD for Marketing Optimization application.

   2. Go to the subfolder clm\Database\sql\ils of the folder where you unzipped RTD_Designer.zip was unzipped, then run the file load ils.sql.

      Make sure you have committed your changes.

1.5.2.3 Oracle RTD Decision Management Data Source Setup

Use the Integrated Solutions Console to create a JDBC provider for the Oracle RTD Decision Manager Database.

Note:

Before you begin, ensure that WebSphere is started.

To create a JDBC provider for the Oracle RTD Decision Manager Database, perform the following steps:

1. Login to the console with your user name and password.

2. From the left side of the console window, expand Resources, then expand JDBC and choose JDBC Providers.

3. Ensure that the scope is set correctly (to Node=host_nameNode_number), then click New, and select or enter the following:

   • For Database type, select Oracle.

   • For Provider type, select Oracle JDBC Driver.

   • For Implementation Type, select Connection Pool Data Source.

   • For Name, enter DMDataProvider.

4. Click Next.

5. Click Next.

6. Click Finish, and then click Save.

7. Click on DMDataProvider.

8. In the General properties of the page, replace the value in the Class path field with the following:

   • ${COMMON_COMPONENTS_HOME}/modules/oracle.jdbc_11.1.1/ojdbc6dms.jar

   • ${COMMON_COMPONENTS_HOME}/modules/oracle.dms_11.1.1/dms.jar

   • ${COMMON_COMPONENTS_HOME}/modules/oracle.odl_11.1.1/ojdl.jar

9. Note:

   Press Enter to separate the path locations so they appear on separate lines.

10. Click OK, to return to the JDBC Providers page.

11. Click Save to save your changes to the master configuration.

12. From the left side of the Console window, choose Security, then Global Security.

13. Under the Authentication section in the right column, expand the Java Authentication and Authorization Service option.

14. Choose the J2C Authentication data option.

15. To create a new authentication data entry, click New, and enter the following values:

    • For Alias, enter DMDS_auth.

    • For User ID, enter the name of the database run-time user.

    • For Password, enter the corresponding password for the database user.

16. Click OK, then click Save

17. From the left side of the Console window, choose JDBC, then JDBC providers.

18. On the JDBC providers page, click DMDataProvider. Then, under the Additional Properties heading, click Data sources.

19. Click New, and enter the following values:

    • For Data source name, enter DM_DS, or a similar value.

    • For JNDI name, enter the proper JNDI name. The JNDI name must be the JNDI name you specify in config.xml and in your Inline Service application parameter, CLMDS by default.

20. Click Next.

21. For URL, enter jdbc:oracle:thin:@db_host:db_port:sid.

    For example: jdbc:oracle:thin:@dbhost.company.com:1521:orcl.

22. For Data store helper class name, select Oracle 10g data store helper or Oracle 11g data store helper, depending on your Oracle RTD Decision Management database.

23. Uncheck the option Use this data source in container managed persistence (CMP), and click Next.

24. For both Component-managed authentication alias and Container-managed authentication alias, select DMDS_auth.

    Note:

    Do not change the value for Mapping-configuration alias.

25. Click Next.

26. Click Finish, and then Save.

27. Click your Decision Manager data source, for example, DM_DS.

28. Under Additional Properties, click WebSphere Application Server data source properties.

29. Select Non-transactional data source.

30. Click OK, then click Save.

31. Restart WebSphere, then launch the Integrated Solutions Console again.

32. Expand Resources, then expand JDBC and choose Data Sources.

33. Select DM_DS and click Test Connection.

    If the connection fails, ensure that your data source settings are correct, then test the data source again.

1.5.2.4 Oracle RTD Decision Management Data Source Access by Oracle RTD Setup

Section 8.2.2 of Oracle Real-Time Decisions Installation and Administration Guide describes the general steps to add a data source to Oracle RTD. Follow the steps in that section, and, specifically for the Oracle RTD Decision Management data source, add the following in web.xml for rtis.war:

Note:

The code lines that follow show CLMDS as the value for <res-ref-name>. <ref-ref-name> refers to the JNDI data source name, which must be the JNDI name you specify in config.xml and in your Inline Service application parameter. Replace CLMDS, if necessary, with your particular JNDI name.

<resource-ref id="CLM_RTIS">
    <res-ref-name>CLMDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
    <res-sharing-scope>Unshareable</res-sharing-scope>
</resource-ref>

and add the following in web.xml for soap.war:

<resource-ref id="CLM_Axis">
    <res-ref-name>CLMDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
     <res-sharing-scope>Unshareable</res-sharing-scope>
</resource-ref>

After you add resource references to the web.xml files, you must configure the resource references in WebSphere.

Follow the steps in Section 8.2.3 of Oracle Real-Time Decisions Installation and Administration Guide, and for the Target Resource JNDI Name, use the JNDI Name that you specified for your data source.

1.5.2.5 Storing Credentials to Enable Web Service Calls

Oracle RTD Decision Management makes web service calls from the Decision Management server side to Oracle RTD. Credentials for these calls are stored in the WebSphere credential store. In summary form, the credential setup process is as follows:

• First, you create a user that will be used to authenticate the web service calls.

• Then, you store the credentials of this user in the WebSphere credential store, so that the Decision Management application can retrieve them.

To create the user and to store the user credentials in the WebSphere credential store, perform the following steps:

1. Access the Integrated Solutions Console at the URL http://<websphere_host>:<port>/ibm/console. On Windows, you can also access the Integrated Solutions Console through Start > Programs.

2. At the login prompt, enter the administrator user name and password.

3. In the tree on the left, expand Users and Groups and select Manage Users.

4. Click Create.

5. In the Create a User form, specify a User ID and Password (generic names <clmclient_user> and <clmclient_password>).

6. Confirm the password and optionally enter other information about user.

7. Click Group Membership.

8. In the Group Membership form, add RTDDCUserGroup to the Current groups, then click Close.

9. Back in the Create a User form, click Create.

To store user credentials for web service calls, perform the following steps:

1. Open the Enterprise Manager.

2. Log in with the administrator username and password.

3. Select WebSphere Cell, then Security, then Credentials.

4. In the Credentials area, click Create Map, and in the Create Map window, enter oracle.rtd.clm and click OK.

5. Click Create Key, and in the Create Key window:

   Enter the Key clm.client for the map that you just created

   Enter the same User Name (<clmclient_user>) and Password (<clmclient_password>) as the User Id and Password that you created previously in this process.

   Click OK.

1.5.2.6 Oracle RTD Decision Management Application Deployment

The final step is to deploy the Oracle RTD Decision Management application. You should have a clm.ear file that was generated from the development environment. The clm.ear application will be deployed to the production environment.

To deploy the Oracle RTD Decision Management application, perform the following steps:

1. Login to the console with your user name and password.

2. From the left side of the Console window, expand Applications, and then choose Application types, then WebSphere enterprise applications.

3. Click Install.

4. In the Path to the new application section, enter or browse to select the clm.ear file.

5. Click Next.

6. Click Next again.

7. Accept the default settings of the Select installation options section, and click Next.

8. Accept the default settings of the Map modules to servers section, and click Next.

9. Click Finish, and then Save.

10. Click the Enterprise Application Name clm (unless you modified this name in config.xml).

11. Under Modules, click Manage Modules.

12. Click Oracle Real-Time Decisions Manager.

13. Under Additional Properties, click Session Management.

14. Select and Open Enable Cookies.

15. Enter cookie path: /dm (if you chose a different context root then specify it here).

16. Click OK.

17. Select Override session management.

18. Click OK twice.

19. Click Save to save it directly to the master configuration.

20. Open Applications, then Application Types, then WebSphere enterprise application and start clm.

    The Oracle RTD Decision Management application is now deployed and accessible at the URL: http://<server>:<port>/dm.

1.5.2.7 Inline Service Deployment

The application that you deployed requires a specific Inline Service to be running in the Oracle RTD instance on the same server as Oracle RTD Decision Management.

You should have received this Inline Service with the clm.ear file. Using Decision Studio, you must deploy that Inline Service to the Oracle RTD instance running on the same server as Oracle RTD Decision Management.

1.5.2.8 Setting HttpOnly Flag

For additional security, you can optionally restrict the Decision Manager cookies to HttpOnly, to prevent malicious JavaScript code accessing them.

To set the HttpOnly flag, perform the following steps:

1. Start WebSphere.

2. Login to the console with your user name and password.

3. From the left side of the console, expand Servers and choose Server types, then click WebSphere application servers.

4. Click the name of the application server where Oracle RTD is running (for example, server1).

5. Under Container Settings, expand Web Container Settings and click on Web container.

6. Under Additional Properties, click Custom properties.

7. Click New, and under General properties, enter the following:

   • For Name, enter com.ibm.ws.webcontainer.HTTPOnlyCookies

   • For Value, enter *

8. Click OK, then click Save.

9. Restart the WebSphere application server.

1.6 Security Configuration

There are three ways to setup authentication for Oracle RTD Decision Management:

• In the development environment on WebLogic, you can manage the users within JDeveloper.

• In the production environment on WebLogic, you can map your enterprise users and groups to Decision Management application roles using Enterprise Manager.

• In both development environment and production environments, on both WebLogic and WebSphere, you can map your enterprise users and groups to Decision Management application roles using intermediary enterprise roles.

This section also describes how to setup SSL to secure connections between the end user browser and the application server. Setting up SSL is not required if you do not wish to use this encryption.

This section also describes how to setup SSO to enable integration of Decision Center reports within Decision Manager. Setting up SSO is not required if you do not wish to see these reports within Decision Manager and will use Decision Center for viewing the reports.

This section contains the following topics:

• Section 1.6.1, "Managing Users in JDeveloper in a Development Environment under WebLogic"

• Section 1.6.2, "Mapping Users or Groups to Application Roles for Production under WebLogic"

• Section 1.6.3, "Mapping Users and Groups to Intermediary Roles in Development"

• Section 1.6.4, "Mapping Users and Groups to Intermediary Roles in Production"

• Section 1.6.5, "Using SSL with Oracle RTD Decision Management Applications on WebLogic"

• Section 1.6.6, "Using SSL with Oracle RTD Decision Management Applications on WebSphere"

• Section 1.6.7, "Using SSO with Oracle RTD Decision Management Applications on WebLogic"

• Section 1.6.8, "Using SSO with Oracle RTD Decision Management Applications on WebSphere"

1.6.1 Managing Users in JDeveloper in a Development Environment under WebLogic

The simplest way to configure access to a Decision Management application in development mode is to specify users in Oracle RTD Decision Management metadata and map them to Decision Management application roles in Oracle RTD Decision Management metadata. When deploying from JDeveloper, this will automatically create the users in WebLogic and map them to the Decision Management application roles.

This is done with these steps:

• Retrieve the encrypted password for your user

• Add the user in Oracle RTD Decision Management metadata and map the user to Decision Management application roles

• Run application generation

• Deploy the Decision Management application

• Add the user to Oracle RTD groups

This section contains the following topics:

• Section 1.6.1.1, "Retrieving the Encrypted Password for Your User"

• Section 1.6.1.2, "Adding Users in Metadata and Mapping Them to Application Roles"

• Section 1.6.1.3, "Running Application Generation"

• Section 1.6.1.4, "Deploying the Oracle RTD Decision Management Application"

• Section 1.6.1.5, "Adding Users to Oracle RTD Groups"

1.6.1.1 Retrieving the Encrypted Password for Your User

Passwords are stored encrypted in jazn-data.xml. You will need to access the encrypted password and add the encrypted password explicitly to Oracle RTD Decision Management metadata in a subsequent setup step.

You can use JDeveloper to get the encrypted password string, as follows:

1. Open JDeveloper from Start Menu, Programs -> Oracle Fusion Middleware <11g_version> -> JDeveloper Studio <11g_version>.

2. Select Default Role.

3. Click Open Application... and select clm.jws in the clm subfolder of where you unzipped RTD_Designer.zip.

4. In Application Navigator, open Application Resources.

5. Expand Descriptors -> META-INF, and double-click jazn-data.xml.

6. In the Users tab, create a user by clicking on the + icon next to Users.

7. Enter a user Name and a Password.

8. Click the Source tab (from the tab list at the bottom of the window).

   In the source XML, you can now locate the credentials for the user that you just created. The credentials value is the encrypted password for the user.

   For example, after entering user name clmuser and a password for clmuser, this could appear in the Source (with the encrypted password highlighted in bold in the example below) as:

   <user>
       <name>clmuser</name>
       <credentials>{903}loyIIwIDNKqdw4D9XrMhQDZ4yEFLXim+</credentials>
   </user>
   

9. Copy the encrypted password into your standard machine buffer (Ctrl-C).

   Retain it there for use in the subsequent setup step, Section 1.6.1.2, "Adding Users in Metadata and Mapping Them to Application Roles.".

1.6.1.2 Adding Users in Metadata and Mapping Them to Application Roles

The description in this section assumes that you are editing the Decision Manager for Marketing Optimization implementation. If you use a different application, see Chapter 2, "Configuring Oracle RTD Decision Management" for the differences.

To add users in Oracle RTD Decision Management metadata and to map them to Decision Management application roles, perform the following steps:

1. Go to the clm/Build/metadata/ref folder.

2. Edit security.xml, or create a different file, such as users.xml.

   Add user information (including the encrypted password that you saved in the previous setup step) using the following as an example (this example assigns the CLMAdministrator application role to the user clmuser):

   <users>
       <user>
            <name>clmuser</name>
            <display-name>clmuser</display-name>
            <description>this is a clm user</description>
            <credentials>{903}loyIIwIDNKqdw4D9XrMhQDZ4yEFLXim+</credentials>
            <application-roles>CLMAdministrator</application-roles>
       </user>
   </users>
   

1.6.1.3 Running Application Generation

To run application generation, perform the following steps

1. Open a command prompt in the clm/Build directory.

2. Run the command ant generate -Dchanges=overwrite.

   Note:

   You must overwrite changes because you made changes to jazn-data.xml in the previous setup step when you manually entered a password in JDeveloper, and here the ant generation overwrites this file.

In JDeveloper, verify that the user now shows up in jazn-data.xml and is mapped to the CLMAdministrator application role.

1.6.1.4 Deploying the Oracle RTD Decision Management Application

In JDeveloper, deploy the Decision Management application to AdminServer by choosing menu item: Application -> Deploy -> clm_application1.

1.6.1.5 Adding Users to Oracle RTD Groups

After the user has been created in WebLogic, you must add the user to the RTDDCUserGroup and the RTDChoiceEditorGroup groups, by performing the following steps:

1. Open the Admin Server Console.

   On Windows, this is available via the Start Menu: Programs -> Oracle Fusion Middleware <11g_version> -> User Projects -> <RTDCLM_Dev_Domain> -> Admin Server Console.

2. Log in with the administrator username and password.

3. Select Security Realms and select the security realm you are using (myrealm by default).

4. Select the Users and Groups tab.

5. Click the user that you created in Section 1.6.1.1, "Retrieving the Encrypted Password for Your User."

6. Select the Groups tab.

7. Select RTDDCUserGroup and RTDChoiceEditorGroup, and shuttle them to the right.

8. Click Save.

1.6.2 Mapping Users or Groups to Application Roles for Production under WebLogic

In a WebLogic production environment, you typically manage your enterprise users and groups outside of Oracle RTD Decision Management, and only map these users and groups to Decision Management application roles.

In this section, we will use "clmuser" and "clmgroup" as examples of your enterprise users and groups.

This section contains the following topics:

• Section 1.6.2.1, "Mapping Users or Groups to Decision Management Application Roles"

• Section 1.6.2.2, "Adding the User or Group to Oracle RTD Groups"

1.6.2.1 Mapping Users or Groups to Decision Management Application Roles

To map users or groups to Decision Management application roles, perform the following steps:

1. Open the Enterprise Manager on the Administration Server.

2. Log in with the administrator username and password.

3. In the Target Navigation Pane, select the clm deployment: Application Deployments -> Internal Applications -> clm.

4. In the clm window, from the Application Deployment dropdown menu, select Security -> Application Roles and click the "Search application roles" button.

5. Click CLMAdministrator.

6. Click Edit the selected application role.

7. Click Add roles.

8. Change Application role to User in the Type dropdown list.

9. Search for your user and click OK.

10. To add a group, click Add roles, change Application role to Group in the Type dropdown list.

11. Search for your group and click OK.

12. Click OK.

1.6.2.2 Adding the User or Group to Oracle RTD Groups

To use Oracle RTD Decision Management, your user or groups must be in the RTDDCUserGroup and RTDChoiceEditorGroup groups.

To add users or groups to the Oracle RTD groups, perform the following steps:

1. Open the Admin Server Console.

   On Windows, this is available via Start Menu: Programs -> Oracle WebLogic -> User Projects -> <RTDCLM_Prod_Domain> -> Admin Server Console.

2. Log in with the administrator username and password.

3. Select Security Realms and select the security realm you are using (myrealm by default).

4. Select the Users and Groups tab.

5. Click clmuser.

6. Select the Groups tab.

7. Select RTDDCUserGroup and RTDChoiceEditorGroup, and shuttle them to the right.

8. Go back to the Users and Groups tab.

9. Select the Groups tab.

10. Click clmgroup, and click the Membership tab.

11. Select RTDDCUserGroup and RTDChoiceEditorGroup, and shuttle them to the right.

12. Click Save.

1.6.3 Mapping Users and Groups to Intermediary Roles in Development

If you want to use your enterprise users and groups in development mode, you specify enterprise roles in Decision Management metadata and map them to Decision Management application roles. When deploying from JDeveloper, this will automatically create groups in WebLogic for these enterprise roles and map them to the Decision Management application roles.

This is done with these steps:

• Add the enterprise role in Decision Management metadata and map it to Decision Management application roles

• Run application generation

• Deploy the Oracle RTD Decision Management application

• Specify this group as a member of Oracle RTD groups

• Map your enterprise users or groups to this Decision Management group

This section contains the following topics:

• Section 1.6.3.1, "Mapping the Enterprise Role to Decision Management Application Roles"

• Section 1.6.3.2, "Running Decision Management Application Generation"

• Section 1.6.3.3, "Deploying the Decision Management Application"

• Section 1.6.3.4, "Specifying the WebLogic Group as a Member of Oracle RTD Groups"

• Section 1.6.3.5, "Mapping Enterprise Users or Groups to the Decision Management Group"

1.6.3.1 Mapping the Enterprise Role to Decision Management Application Roles

The description in this section assumes that you are editing the RTD for Marketing Optimization implementation. If you use a different application, see Chapter 2, "Configuring Oracle RTD Decision Management" for the differences.

To add the enterprise role in Oracle RTD Decision Management metadata and to map it to Decision Management application roles, perform the following steps:

1. Go to the clm/Build/metadata/ref folder.

2. Edit security.xml, or create a different file, such as groups.xml.

   Add the following (here we create a clmgroup enterprise role and map it to the CLMAdministrator application role):

   <enterprise-roles>
       <enterprise-role>
           <name>clmgroup</name>
           <application-roles>CLMAdministrator</application-roles>
       </enterprise-role>
   </enterprise-roles>
   

1.6.3.2 Running Decision Management Application Generation

To run application generation, perform the following steps

1. Open a command prompt in the clm/Build directory.

2. Run the command ant generate.

In JDeveloper, verify that the group now shows up in jazn-data.xml and is mapped to the CLMAdministrator application role.

1.6.3.3 Deploying the Decision Management Application

In JDeveloper, deploy the Decision Management application to AdminServer by choosing the menu item: Application -> Deploy -> clm_application1.

1.6.3.4 Specifying the WebLogic Group as a Member of Oracle RTD Groups

After the enterprise role has been created as a group in WebLogic, you must make it a member of the RTDDCUserGroup and the RTDChoiceEditorGroup groups, by performing the following steps:

1. Open the Admin Server Console.

   On Windows, this is available via the Start Menu: Programs -> Oracle Fusion Middleware <11g_version> -> User Projects -> <RTDCLM_Dev_Domain> -> Admin Server Console.

2. Log in with the administrator username and password.

3. Select Security Realms and select the security realm you are using (myrealm by default).

4. Select the Users and Groups tab.

5. Select the Groups tab.

6. Click clmgroup.

7. Click the Membership tab.

8. Select RTDDCUserGroup and RTDChoiceEditorGroup, and shuttle them to the right.

9. Click Save.

1.6.3.5 Mapping Enterprise Users or Groups to the Decision Management Group

You can now grant access to Oracle RTD Decision Management to your users by adding them the clmgroup group.

You can also grant access to Oracle RTD Decision Management to your groups by making them a member of the clmgroup group.

1.6.4 Mapping Users and Groups to Intermediary Roles in Production

One way to use your enterprise users and groups in production mode on WebLogic or WebSphere is to specify enterprise roles in Decision Management metadata and map them to Decision Management application roles. Create groups in WebLogic or WebSphere for these enterprise roles and, after deploying the Decision Manager enterprise application using the WebLogic or WebSphere console, these groups will be mapped to the corresponding Decision Management application roles.

This is done with these steps:

• Add the enterprise role in Decision Management metadata and map it to Decision Management application roles

• Run application generation

• Create the group and specify it as a member of Oracle RTD groups

• Deploy the Oracle RTD Decision Management application

• Map your enterprise users or groups to this Decision Management group

This section contains the following topics:

• Section 1.6.4.1, "Mapping the Enterprise Role to Decision Management Application Roles"

• Section 1.6.4.2, "Running Decision Management Application Generation"

• Section 1.6.4.3, "Creating the Group and Specifying it as a Member of Oracle RTD Groups"

• Section 1.6.4.4, "Deploying the Decision Management Application"

• Section 1.6.4.5, "Mapping Enterprise Users or Groups to the Decision Management Group"

1.6.4.1 Mapping the Enterprise Role to Decision Management Application Roles

The description in this section assumes that you are editing the RTD for Marketing Optimization implementation. If you use a different application, see Chapter 2, "Configuring Oracle RTD Decision Management" for the differences.

To add the enterprise role in Oracle RTD Decision Management metadata and to map it to Decision Management application roles, perform the following steps:

1. Go to the clm/Build/metadata/ref folder.

2. Edit security.xml, or create a different file, such as groups.xml.

   Add the following (here we create a clmgroup enterprise role and map it to the CLMAdministrator application role):

   <enterprise-roles>
       <enterprise-role>
           <name>clmgroup</name>
           <application-roles>CLMAdministrator</application-roles>
       </enterprise-role>
   </enterprise-roles>
   

1.6.4.2 Running Decision Management Application Generation

To run application generation, perform the following steps

1. Open a command prompt in the clm/Build directory.

2. Run the command ant generate.

In JDeveloper, verify that the group now shows up in jazn-data.xml and is mapped to the CLMAdministrator application role.

1.6.4.3 Creating the Group and Specifying it as a Member of Oracle RTD Groups

Using the WebLogic or WebSphere console, create a group with the same name as the enterprise role, for example, clmgroup, and make it a member of the RTDDCUserGroup and the RTDChoiceEditorGroup groups.

1.6.4.4 Deploying the Decision Management Application

For details of deployment on Weblogic, see Section 1.4.3.6, "Oracle RTD Decision Management Application Deployment."

For details of deployment on WebSphere, see Section 1.5.2.6, "Oracle RTD Decision Management Application Deployment."

1.6.4.5 Mapping Enterprise Users or Groups to the Decision Management Group

You can now grant access to Oracle RTD Decision Management to your users by adding them the clmgroup group.

You can also grant access to Oracle RTD Decision Management to your groups by making them a member of the clmgroup group.

1.6.5 Using SSL with Oracle RTD Decision Management Applications on WebLogic

This section, which is for WebLogic environments, contains the following topics:

• Section 1.6.5.1, "SSL for Development Environment"

• Section 1.6.5.2, "SSL for Production Environment"

1.6.5.1 SSL for Development Environment

To set up SSL for the development environment, perform the following steps:

1. Configure keystore and trust store as described in Chapter 2.6, "Using SSL with Oracle Real-Time Decisions" in Oracle Real-Time Decisions Installation and Administration Guide.

2. Perform the instructions in Section 5.13, "Configuring SSL for Real-Time Decision Server" of Oracle Real-Time Decisions Installation and Administration Guide.

   The remainder of this sequence assumes that you have successfully installed the Oracle RTD certificates and can access the non-SSL ports, but does not assume that you have disabled the SSL ports.

   Please note that the Oracle RTD certificates are for testing only and should not be used in production.

3. Open the Admin Server Console.

   On Windows, this is available via the Start Menu: Programs -> Oracle Fusion Middleware <11g_version> -> User Projects -><RTDCLM_Dev_domain> -> Admin Server Console.

4. Log in with the administrator username and password.

5. Navigate the path Environments > Servers > AdminServer.

6. Select AdminServer, then Configuration tab -> SSL tab > Advanced.

7. Select "Use Server Certs". Save your changes to the SSL tab.

8. Add the following to <domain>\bin\setDomainEnv.cmd:

   -Djavax.net.ssl.trustStore=<RTD_HOME>\RTD\etc\ssl\sdtrust.store

   or (Unix)

   -Djavax.net.ssl.trustStore=<RTD_HOME>/RTD/etc/ssl/sdtrust.store

9. Change clm\Build\metadata\<metadata_module>\config\config.xml workbenchClient to https://<server>:<SSL port>.

10. Run ant generate.

11. Stop and delete the existing Oracle RTD Decision Management application deployment.

12. Redeploy the application from JDeveloper using the connection you set up in Section 1.2.2.7, "Oracle RTD Decision Management Application Deployment."

13. Verify that both the Admin Server Console and the Oracle RTD Decision Management application are accessible using the SSL port. After you have determined this, you should consider disabling the non-SSL Admin Server port.

    Ignore the certificate errors from the browser. Note again that the Oracle RTD test certificate is for testing only.

14. Stop and restart all services.

15. Access Oracle RTD Decision Management through the appropriate secure port, for example, https://myserver:7002/dm.

1.6.5.2 SSL for Production Environment

To set up SSL for the production environment, perform the following steps:

1. Configure keystore and trust store as described in Chapter 2.6, "Using SSL with Oracle Real-Time Decisions" in Oracle Real-Time Decisions Installation and Administration Guide.

2. Perform the instructions in Section 5.13, "Configuring SSL for Real-Time Decision Server" of Oracle Real-Time Decisions Installation and Administration Guide.

   The remainder of this sequence assumes that you have successfully installed the Oracle RTD certificates and can access the non-SSL ports, but does not assume that you have disabled the SSL ports.

   Please note that the Oracle RTD certificates are for testing only and should not be used in production.

3. Open the Admin Server Console.

   On Windows, this is available via the Start Menu: Programs -> Oracle Fusion Middleware <11g_version> -> User Projects -><RTDCLM_Prod_domain> -> Admin Server Console.

4. Log in with the administrator username and password.

5. Navigate the path Environments > Servers > <Managed_Server>.

6. Select the Managed Server, then Configuration tab -> SSL tab > Advanced.

7. Select "Use Server Certs". Save your changes to the SSL tab.

8. Add the following to <domain>\bin\setDomainEnv.cmd:

   -Djavax.net.ssl.trustStore=<RTD_HOME>\RTD\etc\ssl\sdtrust.store

   or (Unix)

   -Djavax.net.ssl.trustStore=<RTD_HOME>/RTD/etc/ssl/sdtrust.store

   Alternatively, add this to the managed server "Server Start" -> "Arguments" box.

9. Change clm\Build\metadata\<metadata_module>\config\config.xml workbenchClient to https://<server>:<SSL port>.

10. Run ant generate.

11. Stop and delete the existing Oracle RTD Decision Management application deployment.

12. Redeploy the application to non-SSL port. Do this by using Enterprise Manager deployed on Admin Server and listening non-SSL port.

13. Verify that the Oracle RTD Decision Management application is accessible using the SSL port.

    Ignore the certificate errors from the browser. Note that the Oracle RTD test certificate is for testing only.

14. Stop and restart all services.

15. Access Oracle RTD Decision Management through the appropriate secure port, for example, https://myserverx:7002/dm.

1.6.6 Using SSL with Oracle RTD Decision Management Applications on WebSphere

SSL is enabled by default when installing WebSphere, so you will be able to use Decision Manager using SSL out of the box.

Note:

You can see the default port for SSL in the WebSphere Administration Console.

For example: Servers > Server Types > WebSphere Application servers > server1 > Communications > Ports > WC_defaulthost_secure 9443.

For a proper configuration, you must acquire a server certificate for your domain and configure WebSphere to use the certificate. Refer to the WebSphere documentation for more details.

1.6.7 Using SSO with Oracle RTD Decision Management Applications on WebLogic

This section contains the following topics:

• Section 1.6.7.1, "Configuration Tasks for Oracle RTD Decision Management"

• Section 1.6.7.2, "Understanding SSO Authentication and Oracle RTD Decision Management"

• Section 1.6.7.3, "Prerequisites"

• Section 1.6.7.4, "Creating Groups and Users in LDAP Server"

• Section 1.6.7.5, "Installing and Configuring Oracle Access Manager (OAM) Client Software"

• Section 1.6.7.6, "Configuring Domain for Oracle RTD and Decision Manager"

• Section 1.6.7.7, "Troubleshooting"

1.6.7.1 Configuration Tasks for Oracle RTD Decision Management

This section provides a summary reference of the tasks required to set up single sign-on (SSO) solution with Oracle RTD Decision Management on WebLogic:

1. Installing and configuring Oracle Identity Management 11g and Oracle Access Manager (OAM) 11g.

   For details of how to install and configure these components, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

2. Creating Groups and Users in LDAP Server.

3. Installing and Configuring Oracle Access Manager (OAM) Client Software.

4. Configuring Domain for Oracle RTD and Decision Manager.

This section also includes a Troubleshooting section that describes issues that may be encountered during installation and configuration.

1.6.7.2 Understanding SSO Authentication and Oracle RTD Decision Management

Integrating a single sign-on (SSO) solution enables a user to log on (sign-on) and be authenticated once. Thereafter, the authenticated user is given access to system components or resources according to the permissions and privileges granted to that user. Oracle RTD Decision Management can be configured to trust incoming HTTP requests authenticated by a SSO solution that is configured for use with Oracle Fusion Middleware and Oracle WebLogic Server. For more information about configuring SSO for Oracle Fusion Middleware, see "Configuring Single Sign-On in Oracle Fusion Middleware" in Oracle Fusion Middleware Application Security Guide.

When Oracle RTD Decision Management is configured to use SSO authentication, it accepts authenticated users from whatever SSO solution OAM Webgate is configured to use. If SSO is not enabled, then Oracle RTD Decision Management challenges each user for authentication credentials. When Oracle RTD Decision Management is configured to use SSO, a user is first redirected to the SSO solution's login page for authentication. After the user is authenticated the SSO solution forwards the user name to Decision Manager where this name is extracted.

Configuring Oracle RTD Decision Management to work with SSO authentication requires minimally that Oracle Fusion Middleware and Oracle WebLogic Server are configured to accept SSO authentication.

How an Identity Asserter Works

This section describes how Oracle Access Manager authentication provider works with Oracle WebLogic Server using Identity Asserter for single sign-on, providing the following features:

• Identity Asserter for Single Sign-on

  This feature uses the Oracle Access Manager authentication services and validates already-authenticated Oracle Access Manager users through a suitable token and creates a WebLogic-authenticated session. It also provides single sign-on between WebGate and portals. WebGate is a plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization.

• Authenticator

  This feature uses Oracle Access Manager authentication services to authenticate users who access an application deployed in Oracle WebLogic Server. Users are authenticated based on their credentials, for example a user name and password.

After the authentication provider for Oracle Access Manager is configured as the Identity Asserter for single sign-on, the Web resources are protected. Perimeter authentication is performed by WebGate on the Web tier and by the appropriate token to assert the identity of users who attempt access to the protected WebLogic resources.

All access requests are routed to a reverse proxy Web server. These requests are in turn intercepted by WebGate. The user is challenged for credentials based on the authentication scheme configured within Oracle Access Manager (form-based login recommended).

After successful authentication, WebGate generates a token and the Web server forwards the request to Oracle WebLogic Server, which in turn invokes Oracle Access Manager Identity Asserter for single sign-on validation. The WebLogic Security Service invokes Oracle Access Manager Identity Asserter for single sign-on, which next gets the token from the incoming request and populates the subject with the WLSUserImpl principal. The Identity Asserter for single sign-on adds the WLSGroupImpl principal corresponding to the groups the user is a member of. Oracle Access Manager then validates the cookie.

Figure 1-1 depicts the distribution of components and the flow of information when the Oracle Access Manager Authentication Provider is configured as an Identity Asserter for SSO with Oracle Fusion Middleware.

Figure 1-1 Oracle Access Manager Single Sign-On Solution for Web Resources Only

How Decision Manager Operates with SSO Authentication

After a user logs into Decision Manager, the SSO cookies are used to display parts of the Oracle RTD web application as integrated parts of the user interface.

SSO Implementation Considerations

When implementing a SSO solution with Oracle RTD Decision Management you should consider the following:

• As WebLogic server trusts Webgate to provide authentication information, it is essential to secure the machines that communicate directly with Decision Manager. Possible solutions are network-level router settings, or WebLogic's connection filtering, or mutual SSL authentication.

1.6.7.3 Prerequisites

This section provides a checklist of the components that are required for the installations and configurations in the sections that follow.

Oracle Access Manager 11g must be properly installed and configured.

Oracle Identity Management 11g must be installed.

Oracle Web Tier Utilities 11g and Oracle Webgate 11g must be installed.

For details of how to install and configure these products, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management and Oracle Fusion Middleware Installation Guide for Oracle Web Tier.

Note:

1. The information described in this chapter assumes that Oracle Internet Directory is running and the proper naming context is configured. If your deployment is going to use a different LDAP solution, align your settings accordingly.

2. Oracle recommends that you register the Web Tier management component in the same WebLogic domain (referred to as DM_domain) as where Oracle RTD and the Decision Manager web application are to be deployed. This can be achieved by first choosing the installation type for Web Tier to be "Do Not Configure," and then configuring Oracle HTTP Server (OHS).

1.6.7.4 Creating Groups and Users in LDAP Server

Oracle Directory Services Manager (ODSM) provides a graphical administrative interface for Oracle Internet Directory. You can invoke ODSM directly from its own URL or from the Oracle Enterprise Manager Fusion Middleware Control pages for Oracle Internet Directory.

Use ODSM to create groups and users in LDAP Server by performing the following steps:

1. Open ODSM and create a new connection, as in the following example:

   
   

2. Open the Data Browser tab.

3. Create the required users and the following groups:

   RTDUserGroup
   RTDAdminGroup
   RTDBatchAdminGroup
   RTDChoiceEditorGroup
   RTDDCEditorGroup
   RTDDCUserGroup
   RTDStudioDeployerGroup
   RTDStudioDownloaderGroup
   CLMAdministrator
   CLMAuthor
   CLMConsumer
   

   
   

4. Add the required users as members to the appropriate groups.

   Note:

   The rtdadmin user belonging to the RTDAdminGroup must be created.

1.6.7.5 Installing and Configuring Oracle Access Manager (OAM) Client Software

Note:

Production deployment topology considerations generally result in different machines to host OAM server, Web Tier, and SSO-enabled applications. To avoid confusion, the topics described in this section assume different Middleware home paths.

Such a setup has the advantages of no PATH/ORACLE_INSTANCE conflict for services, a clean separation of web applications by JVMs, and the ability to move the Decision Manager setup to a different host.

This section contains the following topics:

• Section 1.6.7.5.1, "Creating the Domain for Oracle RTD and Decision Manager"

• Section 1.6.7.5.2, "Configuring the Oracle HTTP Server Instance"

• Section 1.6.7.5.3, "Creating the OAM Policy and the Webgate 11g Agent"

• Section 1.6.7.5.4, "Deploying the Webgate 11g Agent and Activating the Settings"

1.6.7.5.1 Creating the Domain for Oracle RTD and Decision Manager

To create the domain for Oracle RTD and Decision Manager, perform the following step:

1. Run the WebLogic domain creation wizard (from <MWHOMEWT>\Oracle_WT1\common\bin\config.cmd and create the domain that is going to host Oracle RTD and Decision Manager, for example, DM_domain.

   At this point only Enterprise Manager is to be installed (which will include JRF).

   After this install, start up the AdminServer.

1.6.7.5.2 Configuring the Oracle HTTP Server Instance

To configure the Oracle HTTP Server instance, perform the following steps:

1. Run the Web Tier instance configuration wizard (from <MWHOMEWT>\Oracle_WT1\bin\config.bat.

2. For the components to configure, select the following:

   • Oracle HTTP Server

   • Associate Selected Components with WebLogic Domain

     
     

     Note:

     You may also select Oracle Web Cache, to set up static resources and speed up web applications.

3. For the WebLogic domain, specify the credentials for the DM_domain administrator.

4. For the component details, specify the Instance Name as desired (for example ohs_sso), and the OHS Component Name as the standard ohs1.

   
   

5. For port configuration, select "auto port configuration".

6. Continue to click "Next" until the installation is complete.

1.6.7.5.3 Creating the OAM Policy and the Webgate 11g Agent

Configuring the Webgate component consists of creating the OAM Policy and the Webgate 11g agent, then deploying and activating its configuration.

To create the OAM policy and the Webgate 11g Agent, perform the following steps:

1. Open the OAM console (for example, http://dadvmc0504.us.oracle.com:7501/oamconsole), and log in as the admin user.

2. Click New OAM 11g Webgate and enter the Name, Base URL, and Host Identifier.

   The example shows:

   • Name=DMRTD_dadvmc

   • Base URL=http://dadvmc0504.us.oracle.com

   • Host Identifier= dadvmc0504.us.oracle.com

   
   

3. Edit the Host Identifier, which is set after you enter the Name.

4. For Security, select Open.

5. Specify the following Protected Resources:

   • /dm

   • /dm/

   • /dm/faces/home.jspx

   • /ui

   • /ui/

6. Specify the following Public Resources:

   • /dm/…/*.jpg

   • /dm/…/*.png

   • /dm/…/*.gif

   • /dm/…/*.css

   • /dm/…/*.js

   • /dm/adfAuthentication

   • /dm/afr/blank.html

   • /ui/…/*.jpg

   • /ui/…/*.png

   • /ui/…/*.gif

   • /ui/…/*.css

   • /ui/…/*.js

   • /ui/…/*.htc

   • /index.html

7. Click Apply.

   This displays a screen similar to the following:

   
   

8. Close the Confirmation message

9. Edit Preferred Host, adding the port (for example, dadvmc.us.oracle.com:7777).

10. Enter the Logout URLs /oamsso/logout.html,/ui/do/logout.

11. Click Apply.

    This will add port 7777 into list of recognized webhosts. Without this, :7777 will not be served by Oracle Access Manager.

12. Close the Edit Webgate page.

13. Open Host Identifiers, and double-click your new host.

    Note:

    For showing the new host under Host Identifiers, click the Refresh button.

14. Check that the new port 7777 is visible (for example, dadvmc.us.oracle.com:7777). If not, add a new line.

15. After editing the policy, restart the OAM server (this is necessary to make the policy work).

1.6.7.5.4 Deploying the Webgate 11g Agent and Activating the Settings

Note:

This section describes the steps for deploying the Webgate 11g Agent for Windows. To see how to configure the Webgate 11g Agent on Linux, see the Section "Post-Installation Steps" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

To deploy the Webgate 11g agent and activate the settings, perform the following steps:

1. Stop the OHS server if it is running.

2. Deploy the provisioned agent configuration into the actual location:

   set MWHOME= C:\OFM\MWHOMEWT
   cd %MWHOME%/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate
   deployWebGateInstance.bat -w %MWHOME%\Oracle_WT1\instances\ohs_sso\config\OHS\ohs1 -oh %MWHOME%\ORACLE_OAMWebGate1
   

   This should return results similar to the following:

   Copying files
   C:\OFM\MWHOMEWT\Oracle_OAMWebGate1\webgate\ohs\config\oblog_config_wg.xml
   1 File(s) copied
   C:\OFM\MWHOMEWT\Oracle_OAMWebGate1\webgate\ohs\tools\openssl\simpleCA\cacert.pem
   1 File(s) copied
   C:\OFM\MWHOMEWT\Oracle_OAMWebGate1\webgate\ohs\tools\openssl\simpleCA\cakey.pem
   1 File(s) copied
   

3. Continue by entering the following:

   cd %MWHOME%\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf
           set PATH=%MWHOME%\Oracle_WT1\bin; %MWHOME%\Oracle_WT1\lib; %PATH%
           EditHttpConf -w %MWHOME%\Oracle_WT1\instances\ohs_sso\config\OHS\ohs1 -oh %MWHOME%\Oracle_OAMWebGate1 -o Edithttpconf.log
   

   This should return results similar to the following:

   The web server configuration file was successfully updated
   %MWHOME%\Oracle_WT1\instances\ohs_sso\config\OHS\ohs1/httpd.conf 
   has been backed up as %MWHOME%\Oracle_WT1\instances\ohs_sso\config\OHS\ohs1/httpd.conf.ORIG
   

4. Edit the WebLogicHost and WebLogic port parameters in the file %MWHOME%\Oracle_WT1\instances\ohs_sso\config\OHS\ohs1\mod_wl_ohs.conf, as in the following example:

   <IfModule weblogic_module>
         WebLogicHost dadvmc0504.us.oracle.com
         WebLogicPort 7401
         Debug ERR
         WLLogFile <specify MWHOME>\Oracle_WT1\instances\ohs_ sso\diagnostics\logs\OHS\ohs1\weblogic.log
   </IfModule>
    
   <Location /dm>
         SetHandler weblogic-handler
   </Location>
    
   <Location /ui>
         SetHandler weblogic-handler
   </Location>
   

   Note:

   1. Ensure that the WebLogic server listens on the IPv4 stack. If the default network stack is IPv6, then you must edit the file <MWHOMEWT>\user_projects\domains\DM_domain\bin\setDomainEnv.cmd as follows:

      Add

      set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.net.preferIPv4Stack=true

      before

      if "%PRODUCTION_MODE%"=="true" (

      This ensures that the WebLogic server listens on the IPv4 stack only and enables Oracle RTD to function correctly.

   2. If your operating system has IPv6 as the default network stack, specify a numeric IP address, such as WebLogicHost 127.0.0.1, for OHS to open. Do not specify localhost or host name, otherwise the IPv6 stack will be attempted, and Webgate does not work correctly with IPv6.

5. Copy

   %MWHOME%/Oracle_WT1/instances/ohs_sso/config/OHS/ohs1/ webgate/config/oblog_config_wg.xml

   into

   %MWHOME%/Oracle_OAMWebGate1/webgate/ohs/config/oblog_config.xml

6. Start OHS, as follows:

   cd %MWHOME%/Oracle_WT1/instances/ohs_sso/bin
   opmnctl status
   

   After the message appears that opmn is not running, continue by entering:

   opmnctl start
   opmnctl status
   

   The status details appear, as in the following example:

   Processes in Instance: ohs_sso
   ---------------------------------+--------------------+---------+---------
   ias-component                    | process-type       |     pid | status
   ---------------------------------+--------------------+---------+---------
   ohs1                             | OHS                |   28262 | Alive
   

1.6.7.6 Configuring Domain for Oracle RTD and Decision Manager

This section contains the following topics:

• Section 1.6.7.6.1, "Configuring a New Authenticator for Oracle WebLogic Server"

• Section 1.6.7.6.2, "Configuring OAM as New Identity Asserter for Oracle WebLogic Server"

• Section 1.6.7.6.3, "Enabling SSO Authentication Using Fusion Middleware Control"

• Section 1.6.7.6.4, "Deploying the Applications"

1.6.7.6.1 Configuring a New Authenticator for Oracle WebLogic Server

After installing Oracle RTD Decision Management, the Oracle WebLogic Server embedded LDAP server is the default authentication source (identity store). To use a new identity store (for example, OID), as the main authentication source, you must configure the Oracle WebLogic Server domain (where Oracle RTD and Oracle RTD Decision Management have been installed).

For more information about configuring authentication providers in Oracle WebLogic Server, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

To configure a new authenticator in Oracle WebLogic Server:

1. Log in to Oracle WebLogic Server Administration Console and click Lock & Edit in the Change Center.

2. Select Security Realms from the left pane and click myrealm.

   The default Security Realm is named myrealm.

3. Display the Providers tab, then display the Authentication sub-tab.

4. Click New to launch the Create a New Authentication Provider page.

   Complete the fields as follows:

   • Name: OID Provider, or a name of your choosing.

   • Type: OracleInternetDirectoryAuthenticator

   • Click OK to save the changes and display the authentication providers list updated with the new authentication provider.

5. Click the newly added authenticator in the authentication providers table.

6. Navigate to Settings, then select the Configuration\Common tab:

   • Select SUFFICIENT from the Control Flag list.

   • Click Save.

7. Display the Provider Specific tab and specify the following settings using appropriate values for your environment:

   Section Name	Field Name	Description
   Connection	Host	The LDAP host name. For example, <localhost>.
   Connection	Port	The LDAP host listening port number. For example, 6050.
   Connection	Principal	The distinguished name (DN) of the user that connects to the LDAP server. For example, cn=orcladmin.
   Connection	Credential	The password for the LDAP administrative user entered as the Principal.
   Users	User Base DN	The base distinguished name (DN) of the LDAP server tree that contains users. For example, use the same value as in Oracle Access Manager.
   Users	All Users Filter	The LDAP search filter. For example, (&(uid=*) (objectclass=person)). The asterix (*) filters for all users. Click More Info... for details.
   Users	User From Name Filter	The LDAP search filter. Click More Info... for details.
   Users	User Name Attribute	The attribute that you want to use to authenticate (for example, cn, uid, or mail). Set as the default attribute for user name in the directory server. For example, uid. Note: The value that you specify here must match the User Name Attribute that you are using in the authentication provider, as described in as described in "Configuring the User Name Attribute in the Identity Store" in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.
   Groups	Group Base DN	The base distinguished name (DN) of the LDAP server tree that contains groups (same as User Base DN).
   General	GUID attribute	The attribute used to define object GUIDs in LDAP. orclguid Note: You should not normally change this default value, however, if you do, you must also specify the changed value in Fusion Middleware Control, as described in "Configuring the GUID Attribute in the Identity Store" in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

   
   

   For more information about configuring authentication providers in Oracle WebLogic Server, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

8. Click Save.

9. Perform the following steps to set up the default authenticator for use with the Identity Asserter:

   1. At the main Settings for myrealm page, display the Providers tab, then display the Authentication sub-tab, then select DefaultAuthenticator to display its configuration page.

   2. Display the Configuration\Common tab and select 'SUFFICIENT' from the Control Flag list.

      For more information, see "Setting the JAAS Control Flag Option" in Oracle Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition.

   3. Click Save.

10. Perform the following steps to reorder Providers:

    1. Display the Providers tab.

    2. Click Reorder to display the Reorder Authentication Providers page

    3. Select a provider name and use the arrow buttons to order the list of providers as follows:

       • OID Authenticator (SUFFICIENT)

       • OAM Identity Asserter (REQUIRED)

       • Default Authenticator (SUFFICIENT)

    4. Click OK to save your changes.

11. In the Change Center, click Activate Changes.

12. Restart Oracle WebLogic Server.

1.6.7.6.2 Configuring OAM as New Identity Asserter for Oracle WebLogic Server

The Oracle WebLogic Server domain in which Oracle RTD and Oracle RTD Decision Management have been installed must be configured to use an Oracle Access Manager asserter.

For more information about creating a new asserter in Oracle WebLogic Server, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.

To configure Oracle Access Manager as the new asserter for Oracle WebLogic Server:

1. Log in to Oracle WebLogic Server Administration Console.

2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm. Select Providers.

3. Click New. Complete the fields as follows:

   • Name: OAM Provider, or a name of your choosing.

   • Type: OAMIdentityAsserter.

4. Click OK.

5. Click Save.

6. In the Providers tab, perform the following steps to reorder Providers:

   1. Click Reorder

   2. In the Reorder Authentication Providers page, select a provider name, and use the arrows beside the list to order the providers as follows:

      • OID Authenticator (SUFFICIENT)

      • OAM Identity Asserter (REQUIRED)

      • Default Authenticator (SUFFICIENT)

   3. Click OK to save your changes.

7. In the Change Center, click Activate Changes.

8. Restart Oracle WebLogic Server.

   You can verify that Oracle Internet Directory is the new identity store (default authenticator) by logging back into Oracle WebLogic Server and verifying the users and groups stored in the LDAP server appear in the console.

9. Use Fusion Middleware Control to enable SSO authentication.

   For more information, see Section 1.6.7.6.3, "Enabling SSO Authentication Using Fusion Middleware Control".

1.6.7.6.3 Enabling SSO Authentication Using Fusion Middleware Control

After Oracle RTD Decision Management has been configured to use the SSO solution configured for use by Oracle Fusion Middleware, you must enable SSO authentication for Oracle RTD Decision Management in Fusion Middleware Control from the Security tab.

To enable Oracle RTD Decision Management to use SSO authentication:

1. Log in to Fusion Middleware Control.

2. Go to the Security page and display the SSO tab.

   Click the Help button on the page to access the page-level help for its elements.

3. Click Lock and Edit Configuration.

4. Select Enable SSO.

   When selected, this checkbox enables SSO to be the method of authentication into Oracle RTD Decision Management. The appropriate form of SSO is determined by the configuration settings made for the chosen SSO provider.

5. Select the configured SSO provider from the list.

   The SSO provider list becomes active when you select the Enable SSO checkbox.

6. If required, enter logon and logoff URLs for the configured SSO provider.

   The logoff URL (specified by the SSO provider) must be outside the domain and port that the SSO provider protects, because the system does not log users out.

7. Click Apply, then Activate Changes.

8. Restart the Oracle RTD Decision Management components using Fusion Middleware Control.

1.6.7.6.4 Deploying the Applications

Perform the following steps:

1. Start the DM_domain.

2. Prepare OracleRTD.ear and clm.ear, as follows:

   • Unpack each .ear file into a separate directory.

   • Edit web.xml, replacing <auth-method>FORM</auth-method> with <auth-method>CLIENT-CERT</auth-method>

   • Re-pack the .ear files with the changed web.xml file.

3. As for standard Oracle RTD and Oracle RTD Decision Management installations (for details, see previous sections of this manual and Oracle Real-Time Decisions Installation and Administration Guide), create the data sources, and install the .ear files.

   Note:

   You must create your users in LDAP and assign them to appropriate groups. For details, see Section 1.6.7.4, "Creating Groups and Users in LDAP Server."

4. As a final step, verify that the Decision Manager URL login redirects as configured, and that you can log in to the Decision Manager correctly.

   For example, depending on your ports, opening

   http://<web_tier_host>:7777/dm/

   in a browser should redirect into a URL similar to

   http://<oam_server_host>:14100/oam/server/obrareq.cgi?encquery%..

   Then, log in to the Decision Manager with a correct user (for example, clmuser) to complete the verification.

1.6.7.7 Troubleshooting

You may encounter one or more of the issues in this section.

1. If OS has IPv6 protocol used by default, not IPv4, then webgate log files will have numerous error messages

For example,

AUTHENTICATION ERROR 0x00001823 ..\src\obuser_session.cpp:1939 "Location in an ObUserSession constructor is not a valid host."

In order to stop this spam from collecting, edit the file

C:\OFM\MWHOMEWT\Oracle_WT1\instances\ohs_sso\config\OPMN\opmn\opmn.xml

to specify

<notification-server interface="ipv4">

2. Apache access log file has a new record for OPMN ping query for every 20 seconds

Edit the file:

C:\OFM\MWHOMEWT\Oracle_WT1\instances\ohs_sso\config\OPMN\opmn\opmn.xml

Insert the following <ping interval...> line into the <process-type...> section, as in the following example

<process-type id="OHS" module-id="OHS1">
    <module-data>
      <category id="start-parameters">
        <data id="start-mode" value="ssl-enabled"/>
      </category>
    </module-data>
    <ping interval="180"/>
    <process-set id="OHS" numprocs="1"/>
  </process-type>
</ias-component></ias-instance>

3. URL /dm results in error 404

Into the file C:\OFM\MWHOMEWT\Oracle_WT1\instances\ohs_sso\config\OHS\ohs1\httpd.conf, insert the following lines:

RewriteEngine on
RewriteRule ^/dm$ /dm/ [R]
RewriteRule ^/dm\?(.*)$ /dm/?$1 [R]

Restart the OHS server.

If you now open

http://<web_tier_host>:7777/dm

this will get redirected to

http://<web_tier_host>:7777/dm/

1.6.8 Using SSO with Oracle RTD Decision Management Applications on WebSphere

This section describes how to set up single sign-on (SSO) solution with Oracle RTD Decision Management on WebSphere.

This section contains the following topics:

• Section 1.6.8.1, "Configuring DMCOOKIE"

• Section 1.6.8.2, "Configuring UICOOKIE"

• Section 1.6.8.3, "Configuring SOAPCOOKIE"

• Section 1.6.8.4, "Enabling LTPA"

1.6.8.1 Configuring DMCOOKIE

To configure DMCOOKIE, perform the following steps:

1. Login to the console.

2. In the tree on the left, expand Applications, and then choose Application types, then WebSphere enterprise applications.

3. Click OracleRTD.

4. Under Modules, click Manage Modules.

5. Click Oracle RTD Decisions Manager.

6. Under Additional Properties, click Session Management.

7. Under Session tracking mechanism, ensure that Enable cookies is checked and click Enable cookies.

8. Set Cookie name to DMCOOKIE.

9. Set Cookie path to /dm.

10. Click OK, then click Save.

1.6.8.2 Configuring UICOOKIE

To configure UICOOKIE, perform the following steps:

1. Login to the console.

2. In the tree on the left, expand Applications, and then choose Application types, then WebSphere enterprise applications.

3. Click OracleRTD.

4. Under Modules, click Manage Modules.

5. Click Oracle RTD decision center.

6. Under Additional Properties, click Session Management.

7. Under Session tracking mechanism, ensure that Enable cookies is checked and click Enable cookies.

8. Set Cookie name to UICOOKIE.

9. Set Cookie path to /ui.

10. Click OK, then click Save.

1.6.8.3 Configuring SOAPCOOKIE

To configure SOAPCOOKIE, perform the following steps:

1. Login to the console.

2. In the tree on the left, expand Applications, and then choose Application types, then WebSphere enterprise applications.

3. Click OracleRTD.

4. Under Modules, click Manage Modules.

5. Click Oracle RTD soap.

6. Under Additional Properties, click Session Management.

7. Under Session tracking mechanism, ensure that Enable cookies is checked and click Enable cookies.

8. Set Cookie name to SOAPCOOKIE.

9. Set Cookie path to /soap.

10. Click OK, then click Save.

    Note:

    After you have configured all the cookies and without LTPA is enabled, the Oracle RTD Decision Center login screen appears after you log into the Decision Manager web application.

1.6.8.4 Enabling LTPA

To enable LTPA, perform the following steps:

1. Login to the console.

2. In the tree on the left, expand Security, and then choose Global security.

3. Under Authentication, ensure that LTPA is selected, and click LTPA.

4. Expand Web and SIP security and click Single sign-on (SSO).

5. Select Enabled.

6. Click OK, then click Save.

7. Restart WebSphere.