| Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle WebCenter Portal 11g Release 1 (11.1.1.6.0) Part Number E12037-07 |
|
|
PDF · Mobi · ePub |
| Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle WebCenter Portal 11g Release 1 (11.1.1.6.0) Part Number E12037-07 |
|
|
PDF · Mobi · ePub |
This chapter describes how to integrate Oracle WebCenter Portal with Oracle Identity Management. It contains the following sections:
Section 15.1, "Overview of Integration With Oracle Identity Management"
Section 15.7, "Configuring WebCenter Portal Applications for SSO"
Section 15.8, "Configuring WebCenter Portal and BPEL Authentication"
Section 15.9, "Backing Up the Identity Management Configuration"
You can integrate an Oracle Fusion Middleware enterprise deployment with Oracle Identity Manager 10g or 11g. The following sections describe how to first configure Credential and Policy stores, re-associate those credential and policy stores, and then integrate with either Oracle identity manager 10g or 11g.
Table 15-1 lists the high-level steps for integrating Oracle Identity Manager 10g with an Oracle WebCenter Portal enterprise deployment.
Table 15-2 lists the high-level steps for integrating Oracle Identity Manager 11g with an Oracle WebCenter enterprise deployment.
Note:
When integrating with Oracle Identity Management, use the transport mode currently in use by the Oracle Identity Management servers. For example, Open, Simple or Cert.
Table 15-1 Steps for Integrating with Oracle Identity Manager 10g
| Step | Description | More Information |
|---|---|---|
|
Configure the Credential Store |
Configure Oracle Internet Directory LDAP as a credential store for the Oracle WebCenter Portal Enterprise Deployment topology. |
|
|
Configure the Policy Store |
Configure Oracle Internet Directory LDAP as the policy store for the Oracle WebCenter Portal Enterprise Deployment topology. |
|
|
Use the OAM Configuration Tool |
Use the OAM Configuration Tool (oamcfg) to start a series of scripts and set up the required policies. |
|
|
Install and Configure WebGate |
Install WebGate on each of the WEBHOSTn machines in order to secure the web tier. |
|
|
Configure IP Validation for the Webgate |
Configure the IP validation for the Webgate using Access System Console. |
|
|
Set Up WebLogic Authenticators |
Set up the WebLogic authenticators by backing up the configuration files, setting up the OAM ID Asserter, and setting the order of providers. |
|
|
Configure WebCenter Portal Applications for SSO |
Configure SSO system properties, the administrator role for the Spaces application, and the discussions server for SSO. |
Section 15.7, "Configuring WebCenter Portal Applications for SSO" |
|
Configure WebCenter Portal and BPEL Server Authentication |
Configure WebCenter Portal and BPEL server. |
Section 15.8, "Configuring WebCenter Portal and BPEL Authentication" |
Table 15-2 Steps for Integrating with Oracle Identity Manager 11g
| Step | Description | More Information |
|---|---|---|
|
Configure the Credential Store |
Configure Oracle Internet Directory LDAP as a credential store for the Oracle WebCenter Portal Enterprise Deployment topology. |
|
|
Configure the Policy Store |
Configure Oracle Internet Directory LDAP as the policy store for the Oracle WebCenter Portal Enterprise Deployment topology. |
|
|
Install WebGate |
Install WebGate on each of the WEBHOST machines where an HTTP Server has already been installed. |
|
|
Register the WebGate Agent |
Register the Webgate agent using the RREG tool. |
|
|
Set Up WebLogic Authenticators |
Set up the WebLogic authenticators by backing up the configuration files, setting up the OAM ID Asserter, and Setting the order of providers. |
|
|
Configure WebCenter Portal Applications for SSO |
Configure SSO system properties, the administrator role for the Spaces application, and the discussions server for SSO. |
Section 15.7, "Configuring WebCenter Portal Applications for SSO" |
|
Configure WebCenter Portal and BPEL Authentication |
Configure WebCenter Portal and BPEL server. |
Section 15.8, "Configuring WebCenter Portal and BPEL Authentication" |
Oracle Fusion Middleware allows using different types of credential and policy stores in a WebLogic domain. Domains can use stores based on an XML file or on different types of LDAP providers. When a domain uses an LDAP store, all policy and credential data is kept and maintained in a centralized store. However, when using XML policy stores, the changes made on Managed Servers are not propagated to the Administration Server unless they use the same domain home. The Oracle WebCenter Portal Enterprise Deployment topology uses different domain homes for the Administration Server and the Managed Server, thus Oracle requires the use of an LDAP store as policy and credential store for integrity and consistency. By default Oracle WebLogic Server domains use an XML file for the policy store. The following sections describe the steps required to change the default store to Oracle Internet Directory LDAP for credentials or policies.
Note:
The backend repository for the policy store and the credential store must use the same kind of LDAP server. To preserve this coherence, note that reassociating one store implies reassociating the other one, that is, the re-association of both the credential and the policy stores is accomplished as a unit using Enterprise Manager Fusion Middleware Control or the WLST command reassociateSecurityStore. For more information, see Section 15.4, "Reassociating Credentials and Policies."
A credential store is a repository of security data (credentials). A credential can hold user name and password combinations, tickets, or public key certificates. Credentials are used during authentication, when principals are populated in subjects, and, further, during authorization, when determining what actions the subject can perform. In this section, steps are provided to configure Oracle Internet Directory LDAP as a credential store for the Oracle WebCenter Portal Enterprise Deployment topology. For more details on credential store configuration, refer to the "Configuring the Credential Store" chapter in the Oracle Containers for J2EE Security Guide.
The following section describe credential store configuration:
This section describes how to create the LDAP authenticator using the WebLogic Server Administration Console.
Prerequisites
Before you create the LDAP authenticator, back up the relevant configuration files:
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/config.xml ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/jps-config.xml ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/system-jazn-data.xml
Back up the boot.properties file for the Administration Server in the following directory:
ORACLE_BASE/admin/domain_name/aserver/domain_name/servers/AdminServer/security
To configure the credential store to use LDAP:
Log in to the WebLogic Server Console.
Click the Security Realms link on the left navigational bar.
Click the myrealm default realm entry to configure it.
Open the Providers tab within the realm.
Observe that there is a DefaultAuthenticator provider configured for the realm.
Click Lock & Edit.
Click the New button to add a new provider.
Enter a name for the provider such as OIDAuthenticator or OVDAuthenticator depending on whether Oracle Internet Directory or Oracle Virtual Directory will be used.
Select the OracleInternetDirectoryAuthenticator or OracleVirtualDirectoryAuthenticator type from the list of authenticators depending on whether Oracle Internet Directory or Oracle Virtual Directory will be used and click OK.
In the Providers screen, click the newly created Authenticator.
Set the control flag to SUFFICIENT. This indicates that if a user can be authenticated successfully by this authenticator, then it should accept that authentication and should not continue to invoke any additional authenticators. If the authentication fails, it will fall through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flag set to SUFFICIENT; in particular, check the DefaultAuthenticator and set that to SUFFICIENT.
Click Save to save this setting.
Open the Provider Specific tab to enter the details for the LDAP server.
Enter the details specific to your LDAP server, as shown in the following table:
| Parameter | Value | Value Description |
|---|---|---|
|
Host |
For example: |
The LDAP server's server ID. |
|
Port |
For example: |
The LDAP server's port number. |
|
Principal |
For example: |
The LDAP user DN used to connect to the LDAP server. |
|
Credential |
NA |
The password used to connect to the LDAP server |
|
SSL Enabled |
Checked |
Specifies whether SSL protocol is used when connecting to LDAP server. |
|
User Base DN |
For example: |
Specify the DN under which your Users start. |
|
Group Base DN |
For example: |
Specify the DN that points to your Groups node. |
|
Use Retrieved User Name as Principal |
Checked |
Must be turned on. |
Click Save when done.
Click Activate Changes to propagate the changes.
Reorder Authenticator
Reorder the OID/OVD Authenticator and Default Authenticator and ensure that the control flag for each authenticator is set in the following order:
To set the order of the Authenticators:
Log in to Weblogic Console, if not already logged in.
Click Lock & Edit.
Navigate to SecurityRealms, then the default realm name, and then Providers.
Reorder the OID/OVD Authenticator, and Default Authenticator by ensuring that the control flag for each authenticator is set as follows:
OID LDAP Authenticator (or OVD LDAP Authenticator): SUFFICIENT
Default Authenticator: SUFFICIENT
Click OK.
Click Activate Changes to propagate the changes.
Restart the Administration Server and all managed servers.
This section provides details for provisioning a new administrator user and group for managing the Oracle Fusion Middleware WebCenter Portal WebLogic Domain. This section describes the following tasks:
Section 15.2.2.1, "Provisioning Admin Users and Groups in an LDAP Directory"
Section 15.2.2.2, "Assigning the Admin Role to the Admin Group"
Section 15.2.2.3, "Updating the boot.properties File and Restarting the System"
As mentioned in the introduction to this section, users and groups from multiple WebLogic domains may be provisioned in a central LDAP user store. In such a case, there is a possibility that one WebLogic admin user may have access to all the domains within an enterprise. Oracle does not recommend this. To avoid one WebLogic admin user having access to all the domains, the users and groups provisioned must have a unique distinguished name within the directory tree. For the WebCenter Portal enterprise deployment WebLogic domain described in this guide, the admin user and group are provisioned with the DNs below:
Admin User DN:
cn=weblogic_wc,cn=Users,dc=us,dc=mycompany,dc=com
Admin Group DN:
cn=WC_Administrators,cn=Groups,dc=us,dc=mycompany,dc=com
To provision the admin user and admin group in Oracle Internet Directory:
Create an ldif file named admin_user.ldif with the contents shown below and then save the file:
dn: cn=weblogic_wc, cn=Users, dc=us, dc=mycompany, dc=com orclsamaccountname: weblogic_wc givenname: weblogic_wc sn: weblogic_wc userpassword: MyPassword1 mail: weblogic_wc objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetorgperson objectclass: orcluser objectclass: orcluserV2 uid: weblogic_wc cn: weblogic_wc description: Admin User for the WebCenter Portal Domain
Run the ldapadd command located under the ORACLE_HOME/bin directory to provision the user in Oracle Internet Directory.
Note:
The Oracle home used here is the Oracle home for the Identity Management installation where Oracle Internet Directory resides. The ORACLE_HOME environment variable must be set for the ldapadd command to succeed.
For example (the command is shown as two lines in the example below for readability purposes, but you should enter the command on a single line):
OIDHOST1> ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D
cn="orcladmin" -w welcome1 -c -v -f admin_user.ldif
Create an ldif file named admin_group.ldif with the contents shown below and then save the file:
dn: cn=WC_Administrators, cn=Groups, dc=us, dc=mycompany, dc=com displayname: WC_Administrators objectclass: top objectclass: groupOfUniqueNames objectclass: orclGroup uniquemember: cn=weblogic_wc,cn=users,dc=us,dc=mycompany,dc=com cn: WC_Administrators description: Administrators Group for the SOA Domain
Run the ldapadd command located under the ORACLE_HOME/bin/ directory to provision the group in Oracle Internet Directory (the command is shown as two lines in the example below for readability purposes, but you should enter the command on a single line):
OIDHOST1> ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D
cn="orcladmin" -w welcome1 -c -v -f admin_group.ldif
After adding the users and groups to Oracle Internet Directory, the group must be assigned the Admin role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for that domain.
To assign the Admin role to the Admin group:
Log into the WebLogic Server Administration Console.
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click on the Roles link to bring up the Global Roles page.
On the Global Roles page, click the Admin role to bring up the Edit Global Role page:
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
On the Edit Arguments Page, specify WC_Administrators in the Group Argument field and click Add.
Click Finish to return to the Edit Global Role page.
The Role Conditions table now shows the WC_Administrators Group as an entry.
Click Save to finish adding the Admin Role to the WC_Administrators Group.
Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_wc user.
Note:
Each SOA application has its own predefined roles and groups defined for administration and monitoring. By default, the "Administrator" group allows these operations. However, the "Administrator" group may be too broad. For example, you may not want Worklistapp Administrators to be WebLogic Server Domain Administrators where SOA is running. Therefore, you may wish to create a a more specific group, such as SOA Administrators. In order for the different applications to allow the SOA Administrator group to administer the different systems, you must add the required application-specific roles to the SOA Administrator group. For example, for Worklistapp administration, add the SOAAdmin role to the SOA Administrators group. Refer to each component's specific roles for the required roles in each case.
The boot.properties file for the Administration Server should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow the steps below to update the boot.properties file:
On SOAHOST1, go the following directory:
cd ORACLE_BASE/admin/domainName/aserver/domainName/servers/ AdminServer/security
Rename the existing boot.properties file:
mv boot.properties boot.properties.backup
Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:
username=weblogic_wc password=welcome1
Save the file.
Stop the Administration Server:
wls:/nm/domain_name>nmKill("AdminServer")
Restart the Administration Server using the procedure in Section 8.4.3, "Starting the Administration Server on SOAHOST1."
You must re-associate the credential and policy stores after configuring them. Re-associate the credential and policy stores using Enterprise Manager Fusion Middleware Control or the WLST command reassociateSecurityStore. See Section 15.4, "Reassociating Credentials and Policies" for detailed steps.
The domain policy store is the repository of system and application-specific policies. In a given domain, there is one store that stores all policies that all applications deployed in the domain may use. This section provides the steps to configure Oracle Internet Directory LDAP as the policy store for the Oracle Fusion Middleware WebCenter Portal Enterprise Deployment topology. This procedure consists of two parts:
For more information on policy store configuration, see "OPSS Authorization and the Policy Store" chapter in the Oracle Containers for J2EE Security Guide.
In order to ensure the proper access to an LDAP server directory (Oracle Internet Directory) used as a policy store, you must set a node in the server directory. These steps must be completed by an Oracle Internet Directory administrator.
To create the appropriate node in an Oracle Internet Directory Server:
Create an LDIF file (assumed to be jpstestnode.ldif in this example) specifying the following DN and CN entries:
dn: cn=jpsroot_wc cn: jpsroot_wc objectclass: top objectclass: OrclContainer
The distinguished name of the root node (illustrated by the string jpsroot_wc above) must be distinct from any other distinguished name. One root node can be shared by multiple WebLogic domains. It is not required that this node be created at the top level, as long as read and write access to the subtree is granted to the Oracle Internet Directory administrator.
Import this data into Oracle Internet Directory server using the command ldapadd, as illustrated in the following example (the command is shown as two lines in the example below for readability purposes, but you should enter the command on a single line):
OIDHOST1> ORACLE_HOME/bin/ldapadd -h ldap_host -p ldap_port -D cn=orcladmin -w password -c -v -f jpstestnode.ldif
Verify that the node has been successfully inserted using the command ldapsearch, as illustrated in the following example (the command is shown as two lines in the example below for readability purposes, but you should enter the command on a single line):
OIDHOST1> ORACLE_HOME/bin/ldapsearch -h ldap_host -p ldap_port -D cn=orcladmin -w password -b "cn=jpsroot_wc" objectclass="orclContainer"
When using Oracle internet Directory as the LDAP-Based Policy Store run the utility oidstats.sql in the INFRADBHOSTs to generate database statistics for optimal database performance:
ORACLE_HOME/bin/sqlplus
Enter ODS as a user name. You will be prompted for credentials for the ODS user. Inside sqlplus, enter the command to gather the statistics info:
SQLPLUS> @ORACLE_HOME/ldap/admin/oidstats.sql
The oidstats.sql utility must be run just once after the initial provisioning. For details about this utility, see the Oracle Identity Management User Reference.
Reassociate the policy store by migrating policy data from a file- or LDAP-based repository to an LDAP-based repository. Re-association changes the repository preserving the integrity of the data stored. For each policy in the source policy store, re-association searches the target LDAP directory and, if it finds a match, updates the matching policy as appropriate. If none are found, it migrates the policy as is.
At any time, after a domain policy store has been instantiated, a file, or LDAP-based policy store can be reassociated into an LDAP-based policy store storing the same data. To support it, the domain has to be configured, as appropriate, to use an LDAP policy store.
For detailed steps, see Section 15.4, "Reassociating Credentials and Policies".
Re-associate the policy and credential store with Oracle Internet Directory using the WLST reassociateSecurityStore command.
To re-associate the policy and credential stores:
From SOAHOST1, start the wlst shell:
cd ORACLE_COMMON_HOME/common/bin ./wlst.sh
Connect to the WebLogic Administration Server using the wlst connect command shown below:
Syntax:
connect("AdminUser","AdminUserPassword",t3://hostname:port)
For example:
connect("weblogic","welcome1","t3://ADMINVHN:7001")
Run the reassociateSecurityStore command as shown below:
Syntax:
reassociateSecurityStore(domain="domainName",admin="cn=orcladmin", password="orclPassword",ldapurl="ldap://LDAPHOST:LDAPPORT",servertype="OID", jpsroot="cn=jpsroot_wc")
For example:
wls:/WCPEDGDomain/serverConfig>reassociateSecurityStore(domain="wcpedg_domain", admin="cn=orcladmin",password="welcome1",ldapurl="ldap://oid.mycompany.com:389",servertype="OID",jpsroot="cn=jpsroot_wc")
The output for the command is shown below:
{servertype=OID,jpsroot=cn=jpsroot_wc_idm_idmhost1,admin=cn=orcladmin,
domain=IDMDomain,ldapurl=ldap://oid.mycompany.com:389,password=welcome1}
Location changed to domainRuntime tree. This is a read-only tree with
DomainMBean as the root.
For more help, use help(domainRuntime)
Starting Policy Store reassociation.
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Policy Store reassociation done.
Starting credential Store reassociation
LDAP server and ServiceConfigurator setup done.
Schema is seeded into LDAP server
Data is migrated to LDAP server
Service in LDAP server after migration has been tested to be available
Update of jps configuration is done
Credential Store reassociation done
Jps Configuration has been changed. Please restart the server.
Restart the Administration Server after the command completes successfully.
To restart the Administration Server, use the procedure in Section 8.4.3, "Starting the Administration Server on SOAHOST1".
Note:
For credential and policy changes to take effect, the servers in the domain must be restarted.
Cataloging Oracle Internet Directory Attributes
Index any Oracle Internet Directory attribute that is used in a search filter. The indexing is an optional procedure that enhances performance. If you have not yet indexed the attributes in this Oracle Internet Directory, use the catalog tool to index them.
For example, to index the orclerolescope attribute:
catalog connect="orcl" add=true attribute="orclrolescope" verbose="true"
You can also index multiple attribute names by listing them in a file and processing them as a batch as follows:
orclrolescope orclassignedroles orclApplicationCommonName orclAppFullName orclCSFAlias orclCSFKey orclCSFName orclCSFDBUrl orclCSFDBPort orclCSFCredentialType orclCSFExpiryTime modifytimestamp createtimestamp orcljpsassignee
For more information about indexing OID attributes, see Tasks and Examples for catalog in the Oracle Fusion Middleware Reference for Oracle Identity Management.
This section describes how to set up Oracle Access Manager 10g as the single sign-on solution for the Oracle WebCenter Portal Enterprise Deployment topology.
Note:
If you are integrating with Oracle Access Manager 11g, skip this section, follow steps in Section 15.6, "Oracle Access Manager 11g Integration," and then proceed to Section 15.7, "Configuring WebCenter Portal Applications for SSO," and continue on with the rest of this chapter.
This section contains the following subsections:
Oracle Access Manager (OAM) is the recommended single sign-on solution for Oracle Fusion Middleware 11g Release 1. For more information on installing and configuring an OAM installation, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management. This chapter explains the procedure for configuring the WebCenter Portal installation with an existing OAM installation and the underlying directory service. Oracle recommends using either Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD) or both of these directory services.
Note:
The WebCenter Portal Enterprise Deployment topology described in this book uses a Single Sign-On configuration where both the WebCenter Portal System and the Single Sign-On System are in the same network domain (mycompany.com) For a multi-domain configuration, please refer to the required configuration steps in "Configuring Single Sign-On," of the Oracle Access Manager Access Administration Guide.
The setup for Oracle Access Manager (OAM) assumes an existing OAM installation complete with Access Managers and a policy protecting the Policy Manager. For more information on installing and configuring an OAM installation, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management. This setup includes a directory service such as Oracle Internet Directory (OID) either as a stand-alone or as part of an Oracle Virtual Directory (OVD) configuration. This chapter will provide the necessary steps for configuring your WebCenter Portal installation with either OID or OVD.
In addition, the OAM installation should have its own Web server configured with WebGate. This section also provides the steps for using the OAM Web server as a delegated authentication server.
The OAM Configuration Tool (oamcfg) starts a series of scripts and setup the required policies. It requires various parameters as inputs. Specifically, it creates the following:
A Form Authentication scheme in OAM
Policies to enable authentication in WebLogic Server
An WebGate entry in OAM to enable Oracle HTTP Server WebGates (from your web tier) to protect your configured application
A Host Identifier, depending on the scenario chosen (a default host identifier would be used, if not provided)
Policies to protect and unprotect application specific URLs.
This section covers the following topics:
Section 15.5.3.1, "Prerequisites for Running the OAM Configuration Tool"
Section 15.5.3.4, "Creating an Exclusion Policy for Oracle SES and Portlets"
Section 15.5.3.5, "Verifying Successful Creation of the Policy Domain and AccessGate"
Section 15.5.3.9, "Configuring Delegated Form Authentication"
Review the following prerequisites before running the OAM Configuration Tool:
Password: Create a secure password. This will be used as the password for the WebGate installation created later.
LDAP Host: Have the host name of the Directory Server or Load Balancer address available in the case of a high availability or enterprise deployment configuration.
LDAP Port: Have the port of the Directory Server available.
LDAP USER DN: Have the DN of the LDAP admin user available. This is a value such as "cn=orcladmin."
LDAP password: Have the password of the LDAP admin user available.
oam_aa_host: Have the host name of an Oracle Access Manager available.
oam_aa_port: Have the port of the Oracle Access Manager available.
You can find the OAM Configuration Tool at the following location:
ORACLE_COMMON_HOME/modules/oracle.oamprovider_11.1.1
ORACLE_COMMON_HOME depends on the machine on which you are running the configuration tool. The tool can be run from any machine with the required installation files. The procedure described in this section runs the tool from SOAHOST1.
The OAM Configuration Tool should be run as follows (all on a single command line):
MW_HOME/jrockit_160_<version>/bin/java -jar oamcfgtool.jar mode=CREATE
app_domain="WebCenter_EDG"
protected_uris="$URI_LIST"
public_uris="$PUBLIC_URI_LIST"
app_agent_password=<Password_to_be_provisioned_for_App_Agent>
ldap_host=OID.MYCOMPANY.COM
ldap_port=389
ldap_userdn="cn=orcladmin"
ldap_userpassword=<Password_of_LDAP_Admin_User>
oam_aaa_host=OAMHOST1
oam_aaa_port=OAMPORT1
The $URI_LIST and $PUBLIC_URI_LIST variables in the above command depend on the topology:
WebCenter Portal, WebCenter Content, and Inbound Refinery in the domain:
$URI_LIST="
/webcenter/adfAuthentication,
/integration/worklistapp,
/workflow/sdpmessagingsca-ui-worklist/faces/adf.task-flow,
/workflow/WebCenterWorklistDetail/faces/adf.task-flow,
/workflow/sdpmessagingsca-ui-worklist,
/soa-infra,
/rss/rssservlet,
/owc_discussion/login!withRedirect.jspa,
/owc_discussions/login!default.jspa,
/owc_discussions/login.jspa,
/owc_discussions/admin,
/rest/api/resourceIndex,
/rest/api/spaces,
/rest/api/discussions,
/rest/api/tags,
/rest/api/taggeditems,
/rest/api/activities,
/rest/api/activitygraph,
/rest/api/feedback,
/rest/api/people,
/rest/api/messageBoards,
/rest/api/searchresults,
/activitygraph-engines,
/wcps/api,
/pagelets/admin,
/pagelets/authenticateWithApplicationServer,
/services-producer/adfAuthentication,
/rsscrawl,
/sesUserAuth,
/services-producer/portlets,
/wsrp-tools/portlets
/em,
/console,
/adfAuthentication,
/ibr/adfAuthentication"
$PUBLIC_URI_LIST="
/webcenter,
/owc_discussions,
/rss,
/rest/api/cmis,
/pagelets,
/services-producer,
/wsrp-tools,
/workflow,
/cs,
/ibr,
/idcnativews,
/"
WebCenter Portal, WebCenter Content, Inbound Refinery, and SOA in the domain:
$URI_LIST="
/webcenter/adfAuthentication,
/integration/worklistapp,
/workflow/sdpmessagingsca-ui-worklist/faces/adf.task-flow,
/workflow/WebCenterWorklistDetail/faces/adf.task-flow,
/workflow/sdpmessagingsca-ui-worklist,
/rss/rssservlet,
/owc_discussions/login!withRedirect.jspa,
/owc_discussions/login!default.jspa,
/owc_discussions/login.jspa,
/owc_discussions/admin,
/rest/api/resourceIndex,/rest/api/spaces,/rest/api/discussions,/rest/api/tags,/rest/api/taggeditems,/rest/api/activities,
/rest/api/activitygraph,/rest/api/feedback,/rest/api/people,/rest/api/messageBoards,/rest/api/searchresults,
/activitygraph-engines,
/wcps/api,
/pagelets/admin,
/pagelets/authenticateWithApplicationServer,
/services-producer/adfAuthentication
/rsscrawl,
/sesUserAuth,
/services-producer/portlets,
/wsrp-tools/portlets,
/em,/console,/DefaultToDoTaskFlow,
/sdpmessaging/userprefs-ui,
/adfAuthentication,
/ibr/adfAuthentication,
/soa-infra,/soa/composer,/soa-infra/deployer,/soa-infra/events/edn-db-log,/soa-infra/cluster/info,/inspection.wsil"
$PUBLIC_URI_LIST="
/webcenter,
/owc_discussions,
/rss,
/workflow,
/rest/api/cmis,
/pagelets,
/services-producer,
/wsrp-tools,
/cs,
/ibr,
/idcnativews,
/,
/soa-infra/services/…/*,/soa-infra/directWSDL,/soa-infra/directWSDL/…/*,/ucs/messaging/webservice,/ucs/messaging/webservice/…/*"
Note:
If SOA is added to the domain later or other additional URLs need to be protected, the OAM configuration tool should be executed again using the same app_domain and including all the URLs that would be protected (not just the new ones).
WebCenter Portal, SOA, and WebCenter Content each provide .conf file that lists their public and protected URI requirements. Instead of specifying public and protect URIs using the protected_uris= and public_uris= syntax as shown, you can reference each file in turn using the syntax uris_file=. For more information and instructions, see "Configuring the WebCenter Portal Policy Domain" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.
If your command ran successfully, you should see the following output:
Processed input parameters Initialized Global Configuration Successfully completed the Create operation Operation Summary: Policy Domain: WebCenter_EDG Host Identifier: WebCenter_EDG Access Gate ID: WebCenter_EDG_AG
To update the REST end points to use basic authentication:
Log in to the Oracle Access Manager console at http://OAM_HOST:OAM_ADMINSERVER_PORT/oamconsole.
Locate the policy domain that you created and verified in the previous steps and open the Policies tab.
You should see two policies already created Protected_JSessionId_Policy and Default Public Policy.
Create another policy called WebCenterRESTPolicy, using the values shown below:
Description: This policy protects REST protected URIs using BASIC authentication scheme required for functioning with the WebCenter Outlook plug-in or iPhone integration.
Resource Type: http
Operation(s): GET,POST
Resource: Select all resources starting with /rest except for /rest/cmis/repository.
/rest/api/resourceIndex /rest/api/spaces /rest/api/discussions /rest/api/tags /rest/api/taggeditems /rest/api/activities /rest/api/activitygraph /rest/api/feedback /rest/api/people /rest/api/messageBoards /rest/api/searchresults
Host Identifier: Same as the one used for the resources.
Click Save.
In the newly created policy, navigate to Authentication Rule and add a new rule using the authentication scheme OraDefaultBasicAuthNScheme.
Open the Policies tab and make sure that the polices are in the order shown below:
WebCenterRESTPolicy
Protected_JSessionId_Policy
Default Public Policy
To create an exclusion policy for Oracle SES (Secure Enterprise Search) and portlets:
Log in to the Oracle Access Manager console at:
http://OAM_HOST:OAM_ADMINSERVER_PORT/oamconsole
Check that OraDefaultExclusionAuthNScheme is available in your OAM 10g installation. If it does not exist, create the OraDefaultExclusionAuthNScheme as shown below:
Click Authentication Management.
Click Add.
Specify OraDefaultExclusionAuthNScheme in the Name field.
Enter To exclude resources from being protected by OAM in the Description field.
Enter 0 in the Level field.
Specify None in the Challenge Method field.
Add unprotected:true to the Challenge Parameter field.
Click Save.
Open the Plugins tab for this authentication scheme and click Modify.
Select credential_mapping from the drop down list.
Specify a value as:
obMappingBase="dc=us,dc=oracle,dc=com",obMappingFilter="(uid=OblixAnonymous)"
Make sure that this value matches the corresponding field for the OraDefaultAnonAuthNScheme.
Click Save.
Open the General tab again and click Modify.
Check Yes for Enabled.
Click Save.
Create a new policy called Exclusion Scheme:
Locate your policy domain.
You should see three policies WebCenterRESTPolicy, Protected_JSessionId_Policy and Default Public Policy.
Create a new policy called Exclusion Scheme, using the values shown below:
Description: This policy excludes SES and portlet end points.
Resource Type: http
Operation(s): GET,POST
Resource: Select the following resources:
/rsscrawl /sesUserAuth /services-producer/portlets /wsrp-tools/portlets
Host Identifier: Same as the one used for the resources.
Click Save.
In the newly created policy, navigate to Authentication Rule and add a new rule using the authentication scheme OraDefaultExclusionAuthNScheme.
Click Save.
Open the Policies tab and make sure that the polices are in the order shown below:
WebCenterRESTPolicy
Exclusion Scheme
Protected_JSessionId_Policy
Default Public Policy
There are two parts to the procedure for verifying creation of the policy domain and the AccessGate.
To verify the policy domain:
Log on to the Access System Console using the following URL:
http://OAMADMINHOST:port/access/oblix
Click Policy Manager.
Click the My Policy Domains link on the left panel.
A list of all policy domains appears. The domain you just created will be listed there. It will have the suffix _PD (for example, WebCenter_EDG_PD). In the third column URL prefixes, the URIs you specified during the creation of this domain appear.
Click the link to the policy domain you just created.
This link takes you to the General area of this domain.
Click the Resources tab.
The URIs you specified appear. You can also click other tabs to view other settings.
To verify the AccessGate configuration:
Click the Access System Console link on the top right hand side.
This acts like a toggle; after you click it, it becomes the Policy Manager link.
Click the Access System Configuration tab.
Click the AccessGate Configuration link on the left panel.
Enter WebCenter_EDG as the search criterion (or any other substring you may have used as the app_domain name in Section 15.5.3.2, "Running the OAM Configuration Tool"), and click Go.
Once the AccessGate for the domain you just created appears (this will have the suffix _AG (for example, WebCenter_EDG_AG), click it, and the details of the AccessGate which you just created appear.
The OAM Configuration Tool uses the value of the app_domain parameter (for example, WebCenter_EDG) to create a host identifier for the policy domain. This host identifier must be updated with all the host name variations for the host so that the configuration works correctly. Follow the steps below to update the host identifier created by the OAM Configuration Tool:
Log in to the Access System Console using the following URL:
http://OAMADMINHOST:port/access/oblix
where OAMADMINHOST refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.
When prompted for a username and password, log in as an administrator. Click OK.
On the Access System main page, click the Access System Console link.
On the Access System Console page, click the Access System Configuration tab.
On the Access System Configuration page, click Host Identifiers at the bottom left.
On the List all host identifiers page, click on the host identifier created by the OAM Configuration Tool. For example, select WebCenter_EDG.
On the Host Identifier Details page, click Modify.
Add the Preferred HTTP Host value used in the Access System Configuration. The following is a list of all the possible host name variations using SSO/WebGate:
webhost1.mydomain.com:7777
webhost2.mydomain.com:7777
wcphost1:9000
wcphost2:9000
wcphost1:9001
wcphost2:9001
wcphost1:9002
wcphost2:9002
wcphost1:9003
wcphost2:9003
admin.mycompany.com
adminvhn.mycompany.com:7001
soahost1vhn1:8001
soahost2vhn1:8001
soahost1vhn1:8010
soahost2vhn1:8010
adminvhn:7001
Select the check box next to Update Cache and then click Save.
A message box with the following message is displayed: "Updating the cache at this point will flush all the caches in the system. Are you sure?".
Click OK to finish saving the configuration changes.
Verify the changes on the Host Identifier Details page.
The OAM Configuration Tool populates the Preferred_HTTP_Host and hostname attributes for the WebGate profile that is created with the value of the app_domain parameter. Both these attributes must be updated with the proper values for the configuration to work correctly. Follow the steps below to update the WebGate profile created by the OAM CFG Tool.
Log in to the Access System Console using the following URL:
http://OAMADMINHOST:port/access/oblix
where OAMADMINHOST refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.
On the Access System main page, click the Access System Console link, then log in as an administrator.
On the Access System Console main page, click Access System Configuration, and then click the Access Gate Configuration link on the left pane to display the AccessGates Search page.
Enter the proper search criteria and click Go to display a list of AccessGates.
Select the AccessGate created by the OAM Configuration Tool. For example: WebCenter_EDG_AG).
On the AccessGate Details page, select Modify to display the Modify AccessGate page.
On the Modify AccessGate page, update:
Hostname: Update the hostname with the name of the computer where WebGate is running, for example: webhost1.mycompany.com.
Preferred HTTP Host: Update the Preferred_HTTP_Host with one of the hostname variations specified in the previous section, for example: admin.mycompany.com:80.
Primary HTTP Cookie Domain: Update the Primary HTTP Cookie Domain with the Domain suffix of the host identifier, for example: mycompany.com
Click Save. A message box with the "Are you sure you want to commit these changes?" message is displayed.
Click OK to finish updating the configuration.
Verify the values displayed on the Details for AccessGate page to confirm that the updates were successful.
To assign an Access Server to the WebGate:
Log in as Administrator to Oracle Access Manager using the following URL:
http://OAMADMINHOST:port/access/oblix
where OAMADMINHOST refers to the host where WebPass Oracle HTTP Server instance is running and port refers to the HTTP port of the Oracle HTTP Server instance.
Navigate to the Details for AccessGate page, if necessary. From the Access System Console, select Access System Configuration, then AccessGate Configuration, then the link for the WebGate (WebCenter_EDG_AG).
On the Details for AccessGate page, click List Access Servers.
A page appears showing the primary or secondary Access Servers currently configured for this WebGate.
Click Add.
On the Add a New Access Server page, select an Access Server from the Select Server list, specify Primary Server, and increase the Number of Connections for the WebGate. For example, increment the number of connections from 1 to 2.
Note:
The Number of Connections must be equal or greater than the total number of Access Servers. Each time you add an Access Server you must increment the number of connections by 1.
Click the Add button to complete the association.
A page appears, showing the association of the Access Server with the WebGate. Click the link to display a summary and print this page for later use.
Repeat steps 3 through 6 to associate all the Access Servers you have defined to the WebGate.
To configure the form authentication to redirect to the WebGate that was installed with the OAM installation:
Open the Access System Console.
In the Access System Configuration screen, select Authentication Management from the left-hand bar.
Select OraDefaultFormAuthNScheme.
Click Modify.
In the Challenge Redirect field, enter the host and port of the Oracle HTTP Server for the IDM installation; for example: http://sso.mycompany.com:7777.
A WebGate should already be installed in the IDM installation. Refer to, "Installing and Configuring WebGate" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management for details.
Install WebGate on each of the WEBHOSTn machines in order to secure the web tier:
Launch the WebGate installer (see Section 2.4, "Identifying the Software Components to Install" for information on where to obtain it) using the following command:
./Oracle_Access_Manager10_1_4_3_0_linux_OHS11g_WebGate –gui
The Welcome screen displays. Click Next.
In the Customer Information screen (Figure 15-1), enter the user name and user group that the web server is running as. Click Next to continue.
In the installation target screen (Figure 15-2), specify the directory where WebGate should be installed. Click Next to continue.
In the installation summary screen, click Next.
Download the required GCC runtime libraries for WebGate as instructed in the WebGate configuration screen (Figure 15-3), and use Browse to point to their location on the local computer. Click Next to continue.
The installer now creates the required artifacts. After that is completed, click Next to continue.
In the transport security mode screen (Figure 15-4), select "Open Mode: No Encryption" and click Next to continue.
Figure 15-4 Transport Security Mode Screen
In the WebGate configuration screen, provide the details of the Access Server that will be used. You must provide the following information:
WebGate ID, as provided when the OAM configuration tool was executed
Password for WebGate
Access Server ID, as reported by the OAM Access Server configuration
Access Server host name, as reported by the OAM Access Server configuration
Access Server port number, as reported by the OAM Access Server configuration
Note:
The Access Server ID, host name, and port are all required.
You can obtain these details from your Oracle Access Manager administrator. Click Next to continue.
Figure 15-5 Access Server Configuration Screen
In the Configure Web Server screen, click Yes to automatically update the web server. Click Next to continue.
In the next Configure Web Server screen, specify the full path of the directory containing the httpd.conf file. This file is located in the following directory:
ORACLE_BASE/admin/OHS_Instance/config/OHS/OHS_ComponentName
For example:
ORACLE_BASE/admin/ohs_instance2/config/OHS/ohs2/httpd.conf
Click Next to continue.
In the next Configure Web Server page, a message informs you that the Web server configuration has been modified for WebGate. Click Yes to confirm.
Stop and start your Web server for the configuration updates to take effect. Click Next to continue.
In the next Configure Web Server screen, the following message is displayed: "If the web server is set up in SSL mode, then the httpd.conf file needs to be configured with the SSL related parameters. To manually tune your SSL configuration, please follow the instructions that come up". Click Next to continue.
In the next Configure Web Server screen, a message with the location of the document that has information on the rest of the product setup and Web server configuration is displayed. Choose No and click Next to continue.
The final Configure Web Server screen appears with a message to manually launch a browser and open the HTML document for further information on configuring your Web server. Click Next to continue.
The Oracle COREid Readme screen appears. Review the information on the screen and click Next to continue.
A message appears (along with the details of the installation) informing you that the installation was successful.
IP Validation determines if a client's IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on. IP Validation can cause issues in systems using load balancer devices configured to perform IP termination, or when the authenticating webgate is front-ended by a different load balancer from the one front-ending the enterprise deployment.
To configure your load balancer so that it is not validated in these cases:
Navigate to the Access System Console using the following URL:
http://OAMADMINHOST:port/access/oblix
Where the OAMADMINHOST refers to the host where the WebPass Oracle HTTP Server instance is running, and port refers to the HTTP port of the Oracle HTTP Server instance.
On the Access System main page, click the Access System Console link, and then log in as an administrator.
On the Access System Console main page, click Access System Configuration, and then click the Access Gate Configuration link on the left pane to display the AccessGates Search page.
Enter the proper search criteria and click Go to display a list of AccessGates.
Select the AccessGate created by the Oracle Access Manager configuration tool.
Click Modify at the bottom of the page.
In the IPValidationException field, enter the address of the load balancer used to front-end the deployment.
Click Save at the bottom of the page.
This section describes how to set up WebLogic Authenticators.
Prerequisite
If you have not already created the LDAP authenticator, do it before continuing with this section. To set up the LDAP authenticator, follow the steps in Section 15.2.1, "Creating the LDAP Authenticator."
This section includes the following topics:
To be safe, first back up the relevant configuration files (stored under WebCenter Portal's Administration Server directory):
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/config.xml ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/jps-config.xml ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/system-jazn-data.xml
Also back up the boot.properties file for the Administration Server.
Set up the OAM ID Asserter using the WebLogic Server Administration Console.
To set up the OAM ID Asserter:
Log in as an administrator to WebLogic Server Administration Console.
Navigate to the following location:
SecurityRealms\Default_Realm_Name\Providers
Click New and Select OAM Identity Asserter from the dropdown menu.
Name the asserter (for example, OAM ID Asserter) and click Save.
Click the newly added asserter to see the configuration screen for OAM Identity Asserter.
Set the control flag to REQUIRED and click Save.
Check that OAM_REMOTE_USER and ObSSOCookie is set for Chosen Types.
Save the settings.
To set the order of the providers:
Log in as an administrator to Oracle WebLogic Server Administration Console.
Click Lock & Edit.
Navigate to SecurityRealms, then the default realm name, and then Providers.
Reorder the OAM Identity Asserter, OID/OVD Authenticator, and Default Authenticator by ensuring that the control flag for each authenticator is set as follows:
OAM Identity Asserter: REQUIRED
OID LDAP Authenticator (or OVD LDAP Authenticator): SUFFICIENT
Default Authenticator: SUFFICIENT
Click OK.
Click Activate Changes to propagate the changes.
Restart the Administration Server and all managed servers.
To configure OAM 10g for virtual hosts, bypass single sign-on for applications that only support BASIC authorization or do not require single sign-on.
For more information, see "Configuring SSO with Virtual Hosts" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal and "Associating a WebGate with Particular Virtual Hosts, Directories, or Files" in Oracle Access Manager Access Administration Guide for 10g.
Locate and comment out the following configuration in httpd.conf:
#<LocationMatch "/*"> #AuthType Oblix #require valid-user #</LocationMatch>
This entry causes the WebGate to intercept all requests and process them.
Edit the virtual host configuration section as follows:
NameVirtualHost *:7777 <VirtualHost *:7777> ServerName https://wcp.mycompany.com:443 <LocationMatch "/*"> AuthType Oblix require valid-user </LocationMatch> </VirtualHost> <VirtualHost *:7777> ServerName admin.mycompany.com:80 <LocationMatch "/*"> AuthType Oblix require valid-user </LocationMatch> </VirtualHost> <VirtualHost *:7777> ServerName wcpinternal.mycompany.com:80 <LocationMatch "/*"> AuthType Oblix require valid-user </LocationMatch> </VirtualHost> #Virtual host for SharePoint access <VirtualHost *:7777> ServerName wcp-spaces.mycompany.com ServerAdmin you@your.address RewriteEngine On RewriteOptions inherit #SharePoint entry point <Location /> WebLogicCluster WCPHOST1:9000,WCPHOST2:9000 SetHandler weblogic-handler WLProxySSL ON WLProxySSLPassThrough ON </Location> # Spaces Application <Location /webcenter> Deny from all </Location> <Location /webcenterhelp> Deny from all </Location> <Location /rss> Deny from all </Location> <Location /rest> Deny from all </Location> </VirtualHost>
Restart Oracle HTTP Server.
This section describes how to set up Oracle Access Manager 11g as the single sign-on solution for the Oracle WebCenter Portal Enterprise Deployment topology.
This section contains the following sections:
Oracle Access Manager (OAM) is the recommended single sign-on solution for Oracle Fusion Middleware 11g Release 1. For more information on installing and configuring an OAM installation, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management. This section explains the procedure for configuring the WebCenter Portal installation with an existing OAM 11ginstallation and the underlying directory service. Oracle recommends using either Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), or both of these directory services.
Note:
The WebCenter Portal topology described in this guide uses a Single Sign-On configuration where both the WebCenter Portal System and the Single Sign-On System are in the same network domain (mycompany.com). For a multi-domain configuration, please refer to the required configuration steps in "Configuring Single Sign-On," of the Oracle Access Manager Access Administration Guide.
Oracle Access Manager (OAM) is the recommended single sign-on solution for Oracle Fusion Middleware 11g Release 1. For more information on installing and configuring an OAM installation, see Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management. This section explains the procedure for configuring the WebCenter Portal installation with an existing OAM 11g installation and the underlying directory service. Oracle recommends using either Oracle Internet Directory (OID), Oracle Virtual Directory (OVD), or both of these directory services.
Note:
The WebCenter Portal topology described in this guide uses a Single Sign-On configuration where both the WebCenter Portal System and the Single Sign-On System are in the same network domain (mycompany.com). For a multi-domain configuration, refer to the required configuration steps in "Configuring Single Sign-On," of the Oracle Access Manager Access Administration Guide.
This section describes how to install WebGate on each of the WEBHOST machines where an HTTP Server has already been installed.
Before installing WebGate, download and install third-party GCC libraries on your machine. You can download the appropriate GCC library from the following third-party Web site:
http://gcc.gnu.org/
For Linux 32-bit the required libraries are libgcc_s.so.1 and libstdc++.so.5 version 3.3.2. Table 15-3 lists the versions of GCC third-party libraries for Linux and Solaris.
This section describes the procedures for installing WebGate.
The Installer program for Oracle HTTP Server 11g Webgate for Oracle Access Manager is included in the webgate.zip file.
To install WebGate:
Extract the contents of the webgate.zip file to a directory.
By default, this directory is named webgate.
Move to the Disk1 directory under the webgate directory.
Set the MW_HOME environment variable to the Middleware Home for the web tier:
export MW_HOME=ORACLE_BASE/product/fmw/web
Start the installer using the following command:
$ ./runInstaller -jreLoc MW_HOME/jdk
Note:
When you install Oracle HTTP Server, the jdk directory is created under the WebTier_Home directory. You must enter the absolute path of the JRE folder located in this JDK when launching the installer.
After the installer starts, the Welcome screen appears.
In the Welcome screen, click Next.
In the Prerequisite Checks screen, click Next.
In the Specify Installation Location screen, specify the Oracle Middleware Home and Oracle Home locations.
ORACLE_BASE/product/fmw
Oracle_OAMWebGate1 (leave the default name)
Note:
The Middleware Home contains an Oracle Home for Oracle web tier. The default name is Oracle_OAMWebGate1 for this Oracle home directory, which will be created under the Middleware Home.
Click Next.
In the Specify GCC Library screen, specify the directory that contains the GCC libraries, and click Next.
In the Installation Summary screen, verify the information on this screen and click Install to begin the installation.
In the Installation Progress screen, you may be prompted to run the ORACLE_HOME/oracleRoot.sh script to set up the proper file and directory permissions.
Click Next to continue.
In the Installation Complete screen, click Finish to exit the installer.
Complete the following procedure after installing Oracle HTTP Server 11g Webgate for Oracle Access Manager:
Move to the following directory under your Oracle Home for Webgate:
$ cd Webgate_Oracle_Home/webgate/ohs/tools/deployWebGate
Webgate_Oracle_Home is the directory where you have installed Oracle HTTP Server Webgate and created as the Oracle Home for Webgate, as in the following example:
MW_HOME/Oracle_OAMWebGate1
On the command line, run the following command to copy the required bits of agent from the Webgate_Oracle_Home directory to the Webgate Instance location:
$ ./deployWebGateInstance.sh -w ORACLE_BASE/admin/webN/config/OHS/ohsN -oh Webgate_Oracle_Home
The ORACLE_BASE/admin/webN/config/OHS/ohsN directory is the Instance Home of an Oracle HTTP Server (where N is a sequential number for your installation; for example, 1 for WEBHOST1 or 2 for WEBHOST2).
Note:
an Instance Home for Oracle HTTP Server is created after you configure Oracle HTTP Server.
Run the following command to ensure that the LD_LIBRARY_PATH variable contains Oracle_Home_for_Oracle_HTTP_Server/lib:
$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:ORACLE_BASE/product/fmw/webN/lib
Note:
Oracle_Home_for_Oracle_HTTP_Server is MW_HOME (web tier):
ORACLE_BASE/product/fmw/webN
Where N is a sequential number for your installation; for example, 1 for WEBHOST1, 2 for WEBHOST2, and so on.
From your present working directory, move up one directory level:
$ cd Webgate_Oracle_Home/webgate/ohs/tools/setup/InstallTools
On the command line, run the following command to copy the apache_webgate.template from the Webgate_Oracle_Home directory to the Webgate Instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf:
$ ./EditHttpConf -w ORACLE_BASE/admin/webN/config/OHS/ohsN [-oh Webgate_Oracle_Home] [-o output_file]
Note:
The -oh WebGate_Oracle_Home and -o output_file parameters are optional.
Where WebGate_Oracle_Home is the directory where you have installed Oracle HTTP Server Webgate for Oracle Access Manager and created as the Oracle Home for Webgate, as in the following example:
MW_HOME/Oracle_OAMWebGate1
The ORACLE_BASE/admin/webN/config/OHS/ohsN directory is the instance home of Oracle HTTP Server, where N is a sequential number for your installation; for example, 1 for WEBHOST1 or 2 for WEBHOST2.
The output_file is the name of the temporary output file used by the tool, as in the following example:
Edithttpconf.log
This section describes the procedures for registering the WebGate Agent.
The RREG tool is part of the OAM 11g installation. If it is not already available, extract it using the following procedure:
After installing and configuring Oracle Access Manager, navigate to the following location:
IDM_Home/oam/server/rreg/client
On the command line, untar the RREG.tar.gz file using gunzip, as in the following example:
gunzip RREG.tar.gz tar -xvf RREG.tar
You can find the tool that is used to register the agent in the following location:
RREG_Home/bin/oamreg.sh
RREG_Home is the directory to which you extracted the contents of RREG.tar.gz/rreg.
Set the following environment variables in the oamreg.sh or oamreg.bat script:
OAM_REG_HOME - Set this variable to the absolute path to the directory where you extracted the contents of RREG.tar/rreg.
JDK_HOME - Set this variable to the absolute path to the directory where Java/JDK is installed on your machine.
In the RREG_Home/input directory there are template files named OAM11gRequest.xml. Copy and edit this file to create the policies for the WebCenter Portal installation.
Open the template OAM11gRequest.xml file available in RREG_Home/input.
Copy policies required for the WebCenter Portal enterprise deployment provided in Example 15-1.
Replace the following values:
$$webtierhost$$, $$oamadminserverport$$, and $$oamhost$$ with the hostnames in your installation
ipvalidationExceptions value with the IP address of the Load Balancer
Note:
- This Guide describes the validation field entry in request files for Oracle Access Manager 11g (11.1.1.2) and later. The validation exception list is defined differently in earlier versions of Oracle Access Manager 11g. For earlier versions, instead of using the <ValList> entry as shown in the preceding text, use this syntax after the </publicResourcesList> entry:
<userDefinedParameters>
<userDefinedParam>
<name>ipValidationExceptions</name>
<value>10.1.1.1</value>
</userDefinedParam>
</userDefinedParameters>
For more information about adding IP validation exceptions, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
Save the changes.
Add execute permissions for the oamreg.sh script:
chmod u+x /RREG_Home/bin/oamreg.sh
Example 15-1 OAM11gRequest.xml for WebCenter Portal Enterprise Deployment
After editing OAM11gRequest.xml, the file should contain the following:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
NAME: OAM11GRequest_short.xml - Template for OAM 11G Agent Registration request file
(Shorter version - Only mandatory values - Default values will be used for all other fields)
DESCRIPTION: Modify with specific values and pass file as input to the tool.
-->
<OAM11GRegRequest>
<serverAddress>http://$$oamhost$$:$$oamadminserverport$$</serverAddress>
<hostIdentifier>$$webtierhost$$_webcenter</hostIdentifier>
<agentName>$$webtierhost$$_webcenter</agentName>
<applicationDomain>$$webtierhost$$_webcenter</applicationDomain>
<ipValidation>1</ipValidation>
<ValList ListName="ipValidationExceptions">
<ValListMember Value="10.1.1.1"/>
<logOutUrls>
<url>/oamsso/logout.html</url>
</logOutUrls>
<protectedResourcesList>
<resource>/webcenter/adfAuthentication</resource>
<resource>/integration/worklistapp</resource>
<resource>/integration/worklistapp/.../*</resource>
<resource>/workflow/sdpmessagingsca-ui-worklist/faces/adf.task-flow</resource>
<resource>/workflow/WebCenterWorklistDetail/faces/adf.task-flow</resource>
<resource>/workflow/sdpmessagingsca-ui-worklist</resource>
<resource>/workflow/sdpmessagingsca-ui-worklist/.../*</resource>
<resource>/sdpmessaging/userprefs-ui</resource>
<resource>/sdpmessaging/userprefs-ui/.../*</resource>
<resource>/rss/rssservlet</resource>
<resource>/owc_discussions/login!withRedirect.jspa</resource>
<resource>/owc_discussions/login!default.jspa</resource>
<resource>/owc_discussions/login.jspa</resource>
<resource>/owc_discussions/admin</resource>
<resource>/owc_discussions/admin/.../*</resource>
<resource>/rest/api/resourceIndex</resource>
<resource>/rest/api/spaces</resource>
<resource>/rest/api/spaces/.../*</resource>
<resource>/rest/api/discussions</resource>
<resource>/rest/api/discussions/.../*</resource>
<resource>/rest/api/tags</resource>
<resource>/rest/api/tags/.../*</resource>
<resource>/rest/api/taggeditems</resource>
<resource>/rest/api/taggeditems/.../*</resource>
<resource>/rest/api/activities</resource>
<resource>/rest/api/activities/.../*</resource>
<resource>/rest/api/activitygraph</resource>
<resource>/rest/api/activitygraph/.../*</resource>
<resource>/rest/api/feedback</resource>
<resource>/rest/api/feedback/.../*</resource>
<resource>/rest/api/people</resource>
<resource>/rest/api/people/.../*</resource>
<resource>/rest/api/messageBoards</resource>
<resource>/rest/api/messageBoards/.../*</resource>
<resource>/rest/api/searchresults</resource>
<resource>/rest/api/searchresults/.../*</resource>
<resource>/activitygraph-engines</resource>
<resource>/activitygraph-engines/.../*</resource>
<resource>/wcps/api</resource>
<resource>/wcps/api/.../*</resource>
<resource>/adfAuthentication</resource>
<resource>/pagelets/admin</resource>
<resource>/pagelets/admin/.../*</resource>
<resource>/pagelets/authenticateWithApplicationServer</resource>
<resource>/services-producer/adfAuthentication</resource>
<resource>/em</resource>
<resource>/em/…/*</resource>
<resource>/console</resource>
<resource>/console/…/*</resource>
<resource>/soa/composer</resource>
<resource>/soa/composer/…/*</resource>
<resource>/soa-infra</resource>
<resource>/soa-infra/deployer</resource>
<resource>/soa-infra/deployer/…/*</resource>
<resource>/soa-infra/events/edn-db-log</resource>
<resource>/soa-infra/events/edn-db-log/…/*</resource>
<resource>/soa-infra/cluster/info</resource>
<resource>/soa-infra/cluster/info/…/*</resource>
<resource>/inspection.wsil</resource>
<resource>/cs/idcplg</resource>
<resource>/cs/idcplg/…/*</resource>
<resource>/cs/groups</resource>
<resource>/cs/groups/…/*</resource>
<resource>/ibr/adfAuthentication</resource>
<resource>/ibr/adfAuthentication/…/*</resource>
</protectedResourcesList>
<publicResourcesList>
<resource>/webcenter</resource>
<resource>/webcenter/…/*</resource>
<resource>/owc_discussions</resource>
<resource>/owc_discussions/…/*</resource>
<resource>/rss</resource>
<resource>/rss/…/*</resource>
<resource>/workflow</resource>
<resource>/workflow/…/*</resource>
<resource>/rest/api/cmis/…/*</resource>
<resource>/pagelets</resource>
<resource>/services-producer</resource>
<resource>/wsrp-tools</resource>
<resource>/cs</resource>
<resource>/cs/…/*</resource>
<resource>/ibr</resource>
<resource>/ibr/…/*</resource>
<resource>/soa-infra/services/…/*</resource>
<resource>/soa-infra/directWSDL</resource>
<resource>/integration/services</resource>
<resource>/integration/services/…/*</resource>
<resource>/ucs/messaging/webservice</resource>
<resource>/ucs/messaging/webservice/…/*</resource>
<resource>/wsm-pm</resource>
<resource>/wsm-pm/.../*</resource>
</publicResourcesList>
<excludedResourcesList>
<resource>/rsscrawl*</resource>
<resource>/rsscrawl/.../*</resource>
<resource>/sesUserAuth*</resource>
<resource>/sesUserAuth/.../*</resource>
<resource>/services-producer/portlets*</resource>
<resource>/services-producer/portlets/.../*</resource>
<resource>/wsrp-tools/portlets*</resource>
<resource>/wsrp-tools/portlets/.../*</resource>
</excludedResourcesList>
</OAM11GRegRequest>
Note:
WebCenter Portal, SOA, and WebCenter Content each provide .conf file that lists their public and protected URI requirements. Instead of specifying public and protect URIs using the protected_uris= and public_uris= syntax as shown, you can reference each file in turn using the syntax uris_file=. For more information and instructions, see "Configuring the WebCenter Portal Policy Domain" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.
Run the oamreg tool using the following command:
$ ./RREG_Home/bin/oamreg.sh inband input/WebCenterOAM11GRequest.xml
When prompted for the agent credentials, enter your OAM administrator credentials.
The run should look as follows:
------------------------------------------------ Welcome to OAM Remote Registration Tool! Parameters passed to the registration tool are: Mode: inband Filename: MW_HOME/Oracle_IDM1/oam/server/rreg/input/WebCenterOAM11gRequest.xml Enter your agent username:weblogic Username: weblogic Enter agent password: Do you want to enter a Webgate password?(y/n): y Enter webgate password: Enter webgate password again: Password accepted. Proceeding to register.. Aug 16, 2010 1:22:30 AM oracle.security.am.engines.rreg.client.handlers.request.OAM11GRequestHandler getWebgatePassword INFO: Passwords matched and accepted. Do you want to import an URIs file?(y/n): n ---------------------------------------- Request summary: OAM11G Agent Name:WEBHOST1_webcenter URL String:WEBHOST1_webcenter Registering in Mode:inband Your registration request is being been sent to the Admin server at: http://oamserver.mycompany.com:7001 ---------------------------------------- Inband registration process completed successfully! Output artifacts are created in the output folder.
The following two files are generated in RREG_Home/output/$$webtierhost$$_webcenter:
ObAccessClient.xml
cwallet.sso
To copy both these files to the WebGate instance location on WEBHOST1 and WEBHOST2:
Copy ObAccessClient.xml and cwallet.sso to the WebGate instance directory on WEBHOST1 and WEBHOST2.
For example:
scp ObAccessClient.xml oracle@WEBHOSTN:ORACLE_BASE/admin/webN/config/OHS/ohsN/webgate/config/
Where N is a sequential number for your installation; for example, 1 for WEBHOST1, 2 for WEBHOST2, and so on.
Restart Oracle HTTP Server.
REST needs to follow the BASIC authentication scheme so that external clients, such as the Outlook plug-in and iPhone application, can connect to WebCenter REST and be protected with SSO.
To configure the REST end points to use basic authentication:
Log in to the Oracle Access Manager console at http://OAM_HOST:OAM_ADMINSERVER_PORT/oamconsole.
Locate the policy domain that you created and verified in the previous steps and open the Policies tab.
Go to Application Domains> $$webtierhost$$_webcenter > Authentication Policies.
Create a new policy called WebCenter REST Auth Policy and choose Authentication Scheme as BASIC Scheme.
Go to Application Domains> $$webtierhost$$_webcenter > Resources.
Search for all the REST resources. Type /rest* in the Resource URL field and then click Search.
Edit each REST resource, except for /rest/api/cmis entries, and change Authentication Policy from Protected Resource Policy to WebCenter REST Auth Policy.
You should see the following entries:
/rest/api/resourceIndex /rest/api/resourceIndex/.../* /rest/api/spaces /rest/api/spaces/.../* /rest/api/discussions /rest/api/discussions/.../* /rest/api/tags /rest/api/tags/.../* /rest/api/taggeditems /rest/api/taggeditems/.../* /rest/api/activities /rest/api/activities/.../* /rest/api/activitygraph /rest/api/activitygraph/.../* /rest/api/feedback /rest/api/feedback/.../* /rest/api/people /rest/api/people/.../* /rest/api/messageBoards /rest/api/messageBoards/.../* /rest/api/searchresults /rest/api/searchresults/.../*
Set up the WebLogic authenticators by backing up the configuration files, setting up the OAM ID Asserter, and setting the order of providers.
Prerequisite
Before you set up the WebLogic authenticators, you should have already set up the LDAP authenticator by following the steps in Section 15.2.1, "Creating the LDAP Authenticator." If you have not already created the LDAP authenticator, do it before continuing with this section.
This section includes the following topics:
To be safe, first back up the relevant configuration files stored under WebCenter Portal's Administration Server directory:
ORACLE_BASE/admin/domain_name/aserver/domain_name/config/config.xml ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fmwconfig/jps-config.xml ORACLE_BASE/admin/domain_name/aserver/domain_name/config/fwmconfig/system-jazn-data.xml
In addition, back up the boot.properties file for the Administration Server.
To set up the OAM ID Asserter:
Log in as an administrator to Oracle WebLogic Console.
Click Lock & Edit.
Navigate to SecurityRealms, Default Realm Name, and then Providers.
Click New and select OAM Identity Asserter from the dropdown menu.
Name the asserter (for example, OAM ID Asserter) and click Save.
Click the newly added asserter to see the configuration screen for OAM Identity Asserter.
Set the control flag to REQUIRED.
Select both the ObSSOCookie and OAM_REMOTE_USER options under Chosen types.
Save the settings.
Click Apply Changes.
Finally, connect to the WebLogic domain using WLST and add an OAM SSO provider by running the following command:
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="oamsso/logout.html")
Set the order of providers using the WebLogic Administration Console.
To set the order of the providers:
Log in as an administrator to Oracle WebLogic Console.
Click Lock & Edit.
Navigate to SecurityRealms, then the default realm name, and then Providers.
Reorder the OAM Identity Asserter, OID/OVD Authenticator, and Default Authenticator by ensuring that the control flag for each authenticator is set as follows:
OAM Identity Asserter: REQUIRED
OID LDAP Authenticator (or OVD LDAP Authenticator): SUFFICIENT
Default Authenticator: SUFFICIENT
Click OK.
Click Activate Changes to propagate the changes.
Restart the Administration Server and all managed servers.
To configure OAM 11g for virtual hosts we need to bypass single sign-on for applications that only support BASIC authorization or do not require single sign-on.
To configure virtual hosts for OAM 11g:
Locate and comment out the following configuration in webgate.conf:
#<LocationMatch "/*">
#AuthType Oblix
#require valid-user
#</LocationMatch>
This entry causes the WebGate to intercept all requests and process them.
If the "Default Login page alias" entry appears in webgate.conf, comment this out too:
#*******Default Login page alias***
#Alias /oamsso "${ORACLE_HOME}/oamsso"
#<LocationMatch "/oamsso/*">
#Satisfy any
#</LocationMatch>
#**********************************
Edit the virtual host configuration section as follows:
NameVirtualHost *:7777
<VirtualHost *:7777>
ServerName https://wcp.mycompany.com:443
<LocationMatch "/*">
AuthType Oblix
require valid-user
</LocationMatch>
</VirtualHost>
<VirtualHost *:7777>
ServerName admin.mycompany.com:80
<LocationMatch "/*">
AuthType Oblix
require valid-user
</LocationMatch>
</VirtualHost>
<VirtualHost *:7777>
ServerName wcpinternal.mycompany.com:80
<LocationMatch "/*">
AuthType Oblix
require valid-user
</LocationMatch>
</VirtualHost>
#Virtual host for SharePoint access
<VirtualHost *:7777>
ServerName wcp-spaces.mycompany.com
ServerAdmin you@your.address
RewriteEngine On
RewriteOptions inherit
#SharePoint entry point
<Location />
WebLogicCluster WCPHOST1:9000,WCPHOST2:9000
SetHandler weblogic-handler
WLProxySSL ON
WLProxySSLPassThrough ON
</Location>
# Spaces Application
<Location /webcenter>
Deny from all
</Location>
<Location /webcenterhelp>
Deny from all
</Location>
<Location /rss>
Deny from all
</Location>
<Location /rest>
Deny from all
</Location>
</VirtualHost>
Restart Oracle HTTP Server.
This section covers the following topics:
Section 15.7.1, "Configuring System Properties for WebCenter Portal: Spaces"
Section 15.7.2, "Configuring the WebCenter Portal: Spaces Administrator Role"
Section 15.7.3, "Setting Up Discussions Server to Use OAM as SSO Provider"
Configure the Spaces application for SSO by adding a setting to EXTRA_JAVA_PROPERTIES.
The oracle.webcenter.spaces.osso system property tells WebCenter Portal and ADF that the application is configured in SSO mode and some special handling is required. The following system property is required:
Table 15-4 System Property
| Property | Value | Comment |
|---|---|---|
|
oracle.webcenter.spaces.osso |
true |
This flag tells WebCenter Portal that SSO is being used, so no login form should be displayed on the default landing page. Instead, it displays a login link that the user can click to invoke the SSO authentication. |
To set this property for the Spaces application on WCPHOST1 and WCPHOST2, edit the setDomainEnv.sh script located in your managedserver_domain_home/bin directory. Add the property to the EXTRA_JAVA_PROPERTIES variable, as follows:
EXTRA_JAVA_PROPERTIES="-Doracle.webcenter.spaces.osso=true ${EXTRA_JAVA_PROPERTIES}" export EXTRA_JAVA_PROPERTIES
After Oracle Internet Directory or Oracle Virtual Directory is configured as the primary authenticator in the Spaces application, the default user "weblogic" should not be used as the Spaces administrator. Create a user in Oracle Internet Directory and make that user the Spaces administrator, either using WLST or Enterprise Manager:
Section 15.7.2.1, "Granting the Spaces Administrator Role Using WLST"
Section 15.7.2.2, "Granting the Spaces Administrator Role Using Fusion Middleware Control"
To grant the Spaces Administrator role using WLST:
Navigate to your WebCenter Portal Oracle home directory and invoke the WLST script:
(UNIX) MW_HOME/wc/common/bin/wlst.sh
(Windows) MW_HOME\wc\common\bin\wlst.cmd
Connect to the Administration Server for the target domain with the following command:
wls:/offline>connect("user_name","password", "host_name:port_number")
Where:
user_name is the name of the user account with which to access the Administration Server (for example, weblogic)
password is the password with which to access the Administration Server
host_id is the host ID of the Administration Server
port is the port number of the Administration Server (for example, 7001).
Create a user in the LDAP Store named WCAdmin.
This user will be assigned the Spaces Administrator role.
Grant the Spaces administrator application role to the user in LDAP using the grantAppRole command.
For example:
grantAppRole(appStripe="webcenter", appRoleName="s8bba98ff_4cbb_40b8_beee_296c916a23ed#-#Administrator", principalClass="weblogic.security.principal.WLSUserImpl", principalName="WCAdmin")
where WCAdmin is the name of the administrator account.
Note:
Before grantAppRole is called, WCAdmin must exist in LDAP. For user creation details, see Section 15.2.2.1, "Provisioning Admin Users and Groups in an LDAP Directory."
To test the new account, log in to the Spaces application using the new account name.
The Administration link should appear, and you should be able to perform all administrator operations.
This section describes how to grant the Spaces administrator role to a user account other than the default weblogic account.
To grant the Spaces Administrator role using Fusion Middleware Control:
Log into Fusion Middleware Control and navigate to the home page for Spaces.
From the WebCenter Portal menu, select Security, and then Application Roles.
The Application Roles page displays.
Search for the Spaces Administrator role:
Select the Select Application Stripe to Search check box.
Choose webcenter (the name of the Spaces application).
In the Role Name field, enter s8bba98ff_4cbb_40b8_beee_296c916a23ed#-#Administrator, and then click the Search (arrow) icon.
Click the administrator role name (s8bba98ff_4cbb_40b8_beee_296c916a23ed#-#Administrator) in the Role Name column.
The Edit Application Role page displays.
Click Add User.
The Add User pop-up displays.
Use the Search function to search for the user to assign the Administrator role to.
Use the arrow keys to move the user from the Available Users column to the Selected Users column, and click OK.
On the Edit Application Role page, click OK.
Restart the WC_Spaces managed server.
When you log in to the Spaces application, the Administration link should appear and you should be able to perform all administrator operations.
This section contains the following topics:
Section 15.7.3.1, "Granting Administrator Permissions on the Discussions Server"
Section 15.7.3.2, "Configuring System Properties for Discussions Server"
When associating the domain with an identity store that does not contain the group "Administrators", you must assign some other valid user or group the administrator role for the discussions server.
The WLST command addDiscussionsServerAdmin lets you grant system administrator permissions on the Discussions server to a user or a group. For command syntax and examples, see the section, "addDiscussionsServerAdmin" in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
For example,
Connect to the Administration Server:
For example:
cd MW_HOME/wc/common/bin/
./wlst.sh
connect("weblogic","weblogic", "ADMINHOST:7001")
Grant administration permissions to a user or a group:
addDiscussionsServerAdmin(appName='owc_discussions', name='weblogic_wc', type='USER', server='wc_collaboration1')
or:
addDiscussionsServerAdmin(appName='owc_discussions', name='discussions-admin-group', type='GROUP', server='wc_collaboration1')
Where weblogic_wc and discussions-admin-group are example user/groups that you want to assign the administrator role for the discussions server.
For command syntax and examples, see the section, "addDiscussionsServerAdmin" in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
To configure Oracle WebCenter Discussions Server for OAM single sign-on:
Log in to the Oracle WebCenter Discussions Server Admin Console at:
http://wcpinternal.mycompany.com/owc_discussions/admin
Open the System Properties page and edit, (if it already exists), or add the owc_discussions.sso.mode property, setting its value to true.
Edit or add the jiveURL property to point to the base URL of the web tier for the SSO server. For example:
jiveURL = idmhost.example.com:8890/owc_discussions
This section covers the following topics:
Ensure that the SOA domain is using the same authenticators as the WebCenter Portal domain and has been configured for OAM Authentication.
When associating the domain with a identity store that does not contain the default user weblogic, you must assign some other valid user to the application role BPMWorkflowAdmin.
To grant BPMWorkflowAdmin to a valid user:
Create a user in LDAP Store, in this example WCAdmin, who will be assigned the role.
Assign the BPMWorkflowAdmin role using WLST. This can be done using wlst from the SOA Oracle home:
For example:
cd ORACLE_HOME/common/bin/
wlst.sh
connect("weblogic","weblogic", "ADMINHOST:7001")
revokeAppRole(appStripe="soa-infra", appRoleName="BPMWorkflowAdmin",
principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="SOAAdmin")
grantAppRole(appStripe="soa-infra", appRoleName="BPMWorkflowAdmin",
principalClass="weblogic.security.principal.WLSUserImpl", principalName="WCAdmin")
For the Worklist service to work properly when Oracle Access Manager is enabled, it is mandatory that SOA callback URLs are configured correctly. For information about callback URLs, see Section 9.7.3, "Setting the Frontend HTTP Host and Port."
For SOA applications, the following callback URLs must be set to http://wcpinternal.mycompany.com:
Callback Server URL
Server URL
To modify these URLs using Fusion Middleware Control:
Select Farm_wcpedg_domain, SOA, soa-infra (wls_soa1), SOA, Infrastructure, SOA Administration, and then Common Properties.
Enter http://wcpinternal.mycompany.com.
Restart the SOA severs.
After you have verified that the extended domain is working, back up the domain configuration. This is a quick backup for the express purpose of immediate restore in case of failures in future procedures. Back up the configuration to the local disk. This backup can be discarded once you have completed the enterprise deployment. Once you have completed the enterprise deployment, you can initiate the regular deployment-specific backup and recovery process.
For information about backing up the environment, see "Backing Up Your Environment" in the Oracle Fusion Middleware Administrator's Guide. For information about recovering your information, see "Recovering Your Environment" in the Oracle Fusion Middleware Administrator's Guide.
To back up the configuration a this point:
Back up the web tier:
Shut down the instance using opmnctl.
ORACLE_BASE/admin/instance_name/bin/opmnctl stopall
Back up the Middleware Home on the web tier using the following command (as root):
tar -cvpf BACKUP_LOCATION/web.tar MW_HOME
Back up the Instance Home on the web tier using the following command (as root):
tar -cvpf BACKUP_LOCATION/web_instance.tar ORACLE_INSTANCE
Start the instance using opmnctl:
ORACLE_BASE/admin/instance_name/bin/opmnctl startall
Back up the database. This is a full database backup (either hot or cold) using Oracle Recovery Manager (recommended) or OS tools such as tar for cold backups if possible.
Back up the Administration Server domain directory to save your domain configuration. The configuration files are located in the following directory:
ORACLE_BASE/ admin/domain_name
To back up the Administration Server run the following command on SOHOST1:
tar -cvpf edgdomainback.tar ORACLE_BASE/admin/domain_name
|
 Copyright © 2009, 2012, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|