This chapter explains how to configure Oracle WebCenter Content applications in an Oracle WebLogic Server domain.
This chapter includes the following sections:
Section 3.1, "Preparing to Configure Oracle WebCenter Content Applications"
Section 3.5, "Increasing the Java VM Heap Size for Managed Servers"
Section 3.7, "Installing Libraries and Setting Environment Variables for Outside In Technology"
Section 3.8, "Configuring SSL for Oracle WebCenter Content Applications"
Section 3.9, "Reassociating the Identity Store with an External LDAP Authentication Provider"
Section 3.12, "Integrating Oracle Web Tier with WebCenter Content"
Section 3.14, "Setting Up Oracle Web Services Manager Security"
After you have successfully run the Oracle Fusion Middleware 11g Oracle WebCenter Content Installer and created application schemas, you can deploy and configure the following Oracle WebCenter Content products as applications:
Oracle WebCenter Content (which includes Oracle WebCenter Content Server)
Oracle WebCenter Content: Inbound Refinery
Oracle WebCenter Content: Imaging (which includes the Imaging Viewer Cache and AXF for BPEL)
Oracle WebCenter Content: AXF for BPM
Oracle WebCenter Capture
Oracle Information Rights Management
Oracle WebCenter Content: Records
To configure any of these applications, you need to create or extend an Oracle WebLogic Server domain, which includes a Managed Server for each deployed application and one Administration Server. Each of these servers is an Oracle WebLogic Server instance.
Notes:
For information about application schemas, see Section 2.2, "Creating Oracle WebCenter Content Schemas with the Repository Creation Utility."
Each of these applications needs to run in its own Managed Server or its own cluster of Managed Servers. You cannot deploy WebCenter Content, Inbound Refinery, Imaging, Oracle IRM, or Records to a Managed Server or cluster that already has another one of these applications deployed. Oracle WebCenter Content applications should not be deployed to the Administration Server.
Only one Managed Server for each of the Oracle WebCenter Content applications, such as WebCenter Content, can be configured in the same Oracle Weblogic Server domain. If you want to put multiple WebCenter Content Managed Servers on the same machine, you need to configure each Managed Server in a separate domain.
If you are using a DB2 database, before you start the Configuration Wizard for the first time to configure an Oracle Fusion Middleware product, you need to set the DB_DRIVER_CLASSPATH environment variable to include the full paths to db2jcc4.jar and db2jcc_license_cu.jar. If you do not do this, all DB2 connection tests will fail.
You can create a domain to include one or more of these applications (one Managed Server each). Or you can create a domain to include a Managed Server for at least one application and then extend the domain with Managed Servers for one or more other applications.
Notes:
WebCenter Content cannot be deployed to the same domain as Oracle Identity Manager and Oracle Identity Management.
Oracle WebCenter Content 11g does not support running WebCenter Content, Inbound Refinery, Records, or Oracle IRM as a service on a Windows operating system.
For Imaging to take advantage of Business Process Management (BPM) and Oracle BPEL Process Manager within an existing domain, the domain must be extended with Oracle BPM Suite. If you want to use Oracle BPEL Process Manager and not BPM, you can extend the domain with Oracle SOA Suite. For information about connecting to BPM or Oracle BPEL Process Manager as a workflow server, see Section 6.1.4, "Connecting to a Workflow Server."
Note:
The Imaging product deployment allows up to 10 GB of disk space to be used to stage simultaneous document uploads through the user interface. This cap bounds the disk space that uploads can consume, so that an attacker cannot exhaust the server's storage by flooding it with documents.
If you have not successfully run the installer on your system, first see Chapter 2, "Installing Oracle WebCenter Content."
To create a domain for one or more Oracle WebCenter Content applications, follow the instructions in Section 3.2, "Creating an Oracle WebLogic Server Domain."
To extend an existing domain for one or more Oracle WebCenter Content applications, follow the instructions in Section 3.3, "Extending an Existing Domain."
Note:
You cannot extend a domain that has an Oracle Enterprise Content Management Suite or Oracle WebCenter Content application from an earlier release to include an Oracle WebCenter Content 11.1.1.8.0 application.
During the configuration, if you need additional help with any of the screens, either click the name of the screen in the instructions to see its description in Appendix B, "Configuration Screens for Oracle WebCenter Content," or click Help on the screen in the installer to access the online help.
After you create or extend a domain, you can configure Oracle Enterprise Manager Fusion Middleware Control for administration of Oracle WebCenter Content applications. Fusion Middleware Control is deployed to the Administration Server when a domain is created. You can use Fusion Middleware Control for additional configuration tasks.
For information about configuring Fusion Middleware Control for Oracle WebCenter Content on an IBM WebSphere Application Server, see "Using Oracle Enterprise Manager Fusion Middleware Control" in the Oracle Fusion Middleware Third-Party Application Server Guide.
You can create an Oracle WebLogic Server domain for Oracle WebCenter Content with Fusion Middleware Configuration Wizard. When you create a domain for Oracle WebCenter Content, you configure one or more of its applications.
Note:
If you plan to use Oracle SOA Suite with Imaging, such as for AXF for BPM or AXF for BPEL, you need to install and configure Oracle SOA Suite first. For information about installing and configuring Oracle SOA Suite, see the Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.
If you create the domain with Oracle SOA Suite, you can extend the domain with Oracle WebCenter Content, as described in Section 3.3, "Extending an Existing Domain."
The configuration wizard is in the following directory, where WCC_ORACLE_HOME represents the WebCenter Content Oracle home directory, where Oracle WebCenter Content is installed. The WebCenter Content Oracle home was specified in the Oracle Home Directory field on the Specify Installation Location screen of the installer (default Oracle_ECM1).
UNIX path: WCC_ORACLE_HOME/common/bin
Windows path: WCC_ORACLE_HOME\common\bin
To create a log file of your configuration session, start Fusion Middleware Configuration Wizard with the -log option:
UNIX script: WCC_ORACLE_HOME/common/bin/config.sh -log=log_file_name
Your log file will be created in the location from which you start the configuration wizard.
Windows script: WCC_ORACLE_HOME\common\bin\config.cmd -log=log_file_name
Your log file will be created in your inventory_location\logs\installActions\logs directory. The default inventory_location value is %PROGRAMFILES%\Oracle\Inventory.
Table 3-1 describes the steps for creating a domain and provides some links to screen descriptions in Appendix B, "Configuration Screens for Oracle WebCenter Content."
Table 3-1 Procedure for Creating a New Domain
Screen | When This Screen Appears |
Description and Action to Take |
---|---|---|
None |
Start Fusion Middleware Configuration Wizard:
|
|
Always |
Select Create a new WebLogic Domain. Click Next to continue. |
|
Always |
Select Generate a domain configured automatically to support the following products, and then select one or more of these product templates:
|
|
For WebCenter Content: Select Oracle Universal Content Management - Content Server. |
||
For Imaging: When you select Oracle WebCenter Content: Imaging, you also need to select Oracle Universal Content Management - Content Server. |
||
For Imaging Viewer Cache When you select Oracle WebCenter Content: Imaging, Oracle WebCenter Content: Imaging Viewer Cache is automatically selected. |
||
For AXF for BPEL: Imaging includes AXF for BPEL. Select Oracle WebCenter Content: Imaging and Oracle Universal Content Management - Content Server. |
||
For AXF for BPM: If you are going to use AXF for BPM with Imaging, you need to select the following product templates (some of these are automatically selected):
|
||
For AXF for BPM or AXF for BPEL with Oracle SOA Suite on a different domain or machine: If you are going to use AXF for BPM or AXF for BPEL with Imaging, and Oracle SOA Suite is deployed to a different domain or installed on a different machine, you will need to run
|
||
For Capture: Select the following product templates (some of these are automatically selected):
|
||
For Site Studio for External Applications: If you want a remote deployment of a Site Studio for External Applications website, you can select Oracle Universal Content Management - SSXA Server (for Oracle WebCenter Content - SSXA Server) to create an Oracle WebLogic Server domain with a Managed Server that has the files required to run the website. |
||
For Oracle WSM Policy Manager: To create a domain that includes Oracle Web Services Manager (Oracle WSM) Policy Manager, select Oracle WSM Policy Manager. |
||
For Oracle Enterprise Manager and Oracle JRF When you select any Oracle WebCenter Content application on the Select Domain Source screen, Oracle Enterprise Manager and Oracle JRF are automatically selected. If you deselect any of these items that are automatically selected, the Oracle WebCenter Content application will also be deselected. |
||
Click Next to continue. |
||
Always |
Enter the name of the domain you want to create in the Domain name field. The default location for the domain follows (
You can specify a different location in the Domain location field. Note: Record the domain name and location from this screen because you will need them later to start the Administration Server. You can specify the location of the Oracle WebCenter Content application in the Application location field. The default location is Click Next to continue. |
|
Always |
The User name field has the default administrator user name, In the User password field, enter the password for the administrator user. Note: Record the administrator user name and password from this screen because you will need them later to start the Managed Servers and to access the domain through the Oracle WebLogic Server Administration Console or Fusion Middleware Control. Click Next to continue. |
|
Always |
Under WebLogic Domain Startup Mode, Development Mode is the default mode. For a production system, select Production Mode. Under JDK Selection, you can leave Available JDKs and the default JDK selected, or you can change them. The default JDK for development mode is Sun SDK 1.6.0_version, and the default JDK for production mode is JRockit SDK 1.6.0_version, except on a 64-bit system, where the default JDK is the one you installed. To specify a different JDK, select Other JDK, and enter its location. Click Next to continue. |
|
Always |
Configure each component schema, including the Oracle WSM MDS schema if it was created with Repository Creation Utility (RCU), by selecting a schema checkbox and then completing the following fields:
Click Next to continue. |
|
Always |
The configuration wizard automatically tests the connection to the JDBC component schema. If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection. After the test succeeds, click Next to continue. |
|
Always |
Optionally, select any or all of these options for configuring the Administration Server and Managed Servers:
Select one or more of these options if you want to change any default settings. For example, select Administration Server to configure SSL for it or change its port number, or select Managed Servers, Clusters and Machines to change the name or port for a Managed Server, add it to a cluster, or configure a machine for it. If you are configuring a Capture cluster with Managed Servers in both Linux and Windows environments, select all except the last option. For Oracle IRM, you should select Administration Server, Managed Servers, Clusters and Machines, and Deployments and Services. Note: To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition. Click Next to continue to the configuration screens for the selected option or, if you did not select any options, to the Configuration Summary screen. |
|
If you selected Administration Server on the Select Optional Configuration screen |
The default listen port number for the Administration Server is If you want to change the configuration of SSL for the Administration Server, you can select SSL enabled. The SSL port is set to 7002 by default in the SSL Listen Port field. If SSL enabled is selected, you can change the SSL listen port value. For more information about SSL configuration, see Section 3.8, "Configuring SSL for Oracle WebCenter Content Applications." Click Next to continue. |
|
If you selected Oracle WebCenter Content: Imaging on the Select Domain Source screen |
Accept the default (UDD), and click Next. Click OK in the override warning. |
|
If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen |
Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value. For increased security, you can specify a nondefault port number, although this only avoids the most casual default-port scanning; it does not replace restricting network access to the Managed Server ports. Table 3-2 lists the default port values for the Managed Servers that run Oracle WebCenter Content applications. If you want to change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value. For a mixed Capture cluster, configure two Managed Servers, one for a Linux environment and one for a Windows environment, with different Listen address values and the same Listen port value. For example, capture_lnx_server1 with Listen address host-ip-address and Listen port 16400, and capture_win_server2 with Listen address host-ip-address and Listen port 16400. For Oracle IRM, SSL is enabled by default, with port number Click Next to continue. |
|
If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen. |
Optionally, configure one or more clusters. For example, for a Capture cluster of two Managed Servers, one in a linux environment and the other in a Windows environment, create a cluster named Notes:
Click Next to continue. |
|
If you configured any clusters on the Configure Clusters screen |
Assign two or more of the Managed Servers in the domain to each cluster. For example, for a mixed Capture cluster, assign the Managed Servers Click Next to continue. |
|
Create HTTP Proxy Applications |
If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster |
Create a proxy application for each Managed Server that you did not assign to a cluster in the domain. Click Next to continue. |
If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen |
Optionally, configure machines to host Managed Servers, and assign a Managed Server to each machine. Click Next to continue. |
|
If you added any machines on the Configure Machines screen |
Assign at least one server to each machine. Click Next to continue. |
|
If you selected Deployments and Services on the Select Optional Configuration screen |
Optionally, assign each application to the Administration Server, a Managed Server, or a cluster of Managed Servers. Oracle IRM should be deployed on a cluster or on a Managed Server that is not a member of any cluster because Oracle IRM uses When deploying Oracle IRM to a cluster, make sure that the Oracle IRM application is deployed to all nodes. Click Next to continue. |
|
If you selected Deployments and Services on the Select Optional Configuration screen |
Optionally, modify how your services are targeted to servers or clusters. Click Next to continue. |
|
If you selected RDBMS Security Store on the Select Optional Configuration screen |
Optionally, make changes to your RDBMS security store. Click Next to continue. |
|
Always |
Review your configuration and make any corrections or updates by following the instructions on the screen. You can click Previous on each screen to go back to a screen where you want to change the configuration. When the configuration is satisfactory, click Create to create the domain. |
|
Always |
On a Windows operating system, you can select Start Admin Server to start the Administration Server as soon as the configuration is done. When the domain is created successfully, click Done. |
Table 3-2 lists the default port values for the Managed Servers that run Oracle WebCenter Content applications.
Table 3-2 Default Ports for Managed Servers
Managed Server | Default Listen Port | Default SSL Port | Port Range |
---|---|---|---|
Imaging | | | |
Oracle IRM | | | |
WebCenter Content | | | |
Inbound Refinery | | | |
Records | | | |
Capture | | | |
The following operations should have completed successfully:
Creation of an Oracle WebLogic Server domain, with an Administration Server
Creation of a Managed Server for each application that you selected on the Select Domain Source screen
Deployment of each application to its Managed Server
An application is not active until its Managed Server is started. Before you start a Managed Server, see the rest of the configuration information in this chapter and in the configuration chapter for your application. For more information, see Section 10.2, "Starting Managed Servers."
You can extend an existing Oracle WebLogic Server domain to configure one or more Oracle WebCenter Content applications. Fusion Middleware Configuration Wizard is in the following directory:
UNIX path: WCC_ORACLE_HOME/common/bin
Windows path: WCC_ORACLE_HOME\common\bin
Notes:
WebCenter Content cannot be deployed to the same domain as Oracle Identity Manager and Oracle Identity Management.
You cannot extend a domain that has an Oracle Enterprise Content Management Suite or Oracle WebCenter Content application from an earlier release to include an Oracle WebCenter Content 11.1.1.8.0 application.
You can also extend a domain to include other applications in the same domain. For example, you could extend an Oracle WebCenter Content domain to include an Oracle IRM Managed Server. Or you could extend an Imaging domain to include Oracle SOA Suite.
Note:
Before you extend a domain to include Oracle SOA Suite on an AIX platform, you need to confirm that the soa-ibm-addon.jar file is in the SOA_ORACLE_HOME/soa/modules directory. Make sure that the file is there, and add the following entry to the SOA_ORACLE_HOME/bin/ant-sca-compile.xml file at line 65:
<include name="soa-ibm-addon.jar"/>
Table 3-3 describes the steps for extending a domain and provides some links to screen descriptions in Appendix B, "Configuration Screens for Oracle WebCenter Content."
Table 3-3 Procedure for Extending an Existing Domain
Screen | When This Screen Appears |
Description and Action to Take |
---|---|---|
None. |
Always |
Start Fusion Middleware Configuration Wizard:
|
Always |
Select Extend an existing WebLogic Domain. Click Next to continue. |
|
Always |
Select a directory for adding your applications or services, or both. Click Next to continue. |
|
Always |
Select Extend my domain automatically to support the following added products, and then select one or more of these product templates:
|
|
For WebCenter Content: Select Oracle Universal Content Management - Content Server. |
||
For Imaging: When you select Oracle WebCenter Content: Imaging, you also need to select Oracle Universal Content Management - Content Server if WebCenter Content is not already configured in the domain. |
||
For Imaging Viewer Cache When you select Oracle WebCenter Content: Imaging, Oracle WebCenter Content: Imaging Viewer Cache is automatically selected. |
||
For AXF for BPEL: Imaging includes AXF for BPEL. Select Oracle WebCenter Content: Imaging and Oracle Universal Content Management - Content Server. |
||
For AXF for BPM: If you are going to use AXF for BPM with Imaging, you need to select the following product templates (some of these are automatically selected):
|
||
For AXF for BPM or AXF for BPEL with Oracle SOA Suite on a different domain or machine: If you are going to use AXF for BPM or AXF for BPEL with Imaging, and Oracle SOA Suite is deployed to a different domain or installed on a different machine, you will need to run
|
||
For Capture: Select the following product templates (some of these are automatically selected):
|
||
For Site Studio for External Applications: If you want a remote deployment of a Site Studio for External Applications website, you can select Oracle Universal Content Management - SSXA Server (for Oracle WebCenter Content - SSXA Server) to extend an Oracle WebLogic Server domain with a Managed Server that has the files required to run the website. |
||
For Oracle WSM Policy Manager: To extend a domain with Oracle Web Services Manager (Oracle WSM) Policy Manager, select Oracle WSM Policy Manager. |
||
Oracle Enterprise Manager and Oracle JRF When you select any Oracle WebCenter Content application, Oracle Enterprise Manager and Oracle JRF are automatically selected. If you deselect any of these items that are automatically selected, the Oracle WebCenter Content application will also be deselected. |
||
Click Next to continue. |
||
Always |
Configure each component schema, including the Oracle WSM MDS schema if it was created with Repository Creation Utility (RCU), in the following fields:
Click Next to continue. |
|
Always |
The configuration wizard automatically tests the connection to the JDBC component schema. If the test fails, click Previous to correct the component schema information, and then click Next to retest the connection. After the test succeeds, click Next to continue. |
|
Always |
Optionally, select any or all of these options for configuring Managed Servers:
Select one or more of these options if you want to change any default settings. For example, select Administration Server to configure SSL for it or change its port number, or select Managed Servers, Clusters and Machines to change the name or port for a Managed Server, add it to a cluster, or configure a machine for it. Note: To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition. For Oracle IRM, you should select Administration Server, Managed Servers, Clusters and Machines, and Deployments and Services. If you are extending a domain that already includes WebCenter Content with Imaging and plan to use WebCenter Content 11g as the Imaging repository, select Managed Servers, Clusters and Machines so you can configure a separate machine for running the Imaging Managed Server. Click Next to continue to the configuration screens for the selected option, or if you did not select any options, to the Configuration Summary screen. |
|
If you selected Oracle WebCenter Content: Imaging on the Select Extension Source screen |
Accept the default (UDD), and click Next. Click OK in the override warning. |
|
If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen |
Each Managed Server needs a unique listen port number. For each Managed Server, you can use the default Listen port value or, for increased security, specify a nondefault port number. Table 3-2 lists the default port values for the Managed Servers that run Oracle WebCenter Content applications. To change the SSL configuration for a Managed Server, you can select SSL enabled and set or change the SSL listen port value. For Oracle IRM, SSL is enabled by default, with port number Click Next to continue. |
|
If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen |
Optionally, change the cluster configuration. Notes:
Click Next to continue. |
|
If you configured any clusters on the Configure Clusters screen |
Assign two or more of the Managed Servers in the domain to each cluster. Click Next to continue. |
|
If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster |
Create a proxy application for each Managed Server in the domain that you did not assign to a cluster. Click Next to continue. |
|
If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen |
Optionally, configure machines to host Managed Servers, and assign a Managed Server to each machine. If you are extending a domain that already includes WebCenter Content with Imaging and plan to use WebCenter Content 11g as the Imaging repository, configure a separate machine and assign the Imaging Managed Server to it. Click Next to continue. |
|
If you added any machines on the Configure Machines screen |
Assign at least one server to each machine. Click Next to continue. |
|
If you selected Managed Servers, Clusters and Machines on the Select Optional Configuration screen |
Optionally, assign each application to the Administration Server, a Managed Server, or a cluster of Managed Servers. Oracle IRM should be deployed on a cluster or on a Managed Server that is not a member of any cluster because Oracle IRM uses Make sure that the Oracle IRM application is not deployed to one of the servers in a cluster. Click Next to continue. |
|
If you selected Deployments and Services on the Select Optional Configuration |
Optionally, modify how your services are targeted to servers or clusters. Click Next to continue. |
|
Always. |
When the configuration is satisfactory, click Extend to extend the domain. |
|
Always |
On a Windows operating system, you can select Start Admin Server to start the Administration Server as soon as the configuration is done. When the domain is successfully extended, click Done. |
The following operations should have completed successfully:
Extension of an existing Oracle WebLogic Server domain to include the application or applications that you selected on the Extend Domain Source screen
Creation of a Managed Server for each application that you selected
Deployment of each application to its Managed Server
An application is not active until its Managed Server is started. Before you start a Managed Server, see the rest of the configuration information in this chapter and in the configuration chapter for your application. For more information, see Section 10.2, "Starting Managed Servers."
If your Oracle WebLogic Server domain connects to a database through an SSL port, you need to back up your data source and SSL parameters and remove the SSL configuration from the data source before running Fusion Middleware Configuration Wizard to extend the domain. After you have successfully extended the domain, you can restore the SSL configuration to your data source.
To extend a domain in an SSL environment with Fusion Middleware Configuration Wizard:
In the Oracle WebLogic Server Administration Console, select your data source, and save a backup of all SSL parameters.
Back up the URL, javax.net.ssl.trustStorePassword, javax.net.ssl.trustStore, javax.net.ssl.trustStoreType, and any other SSL parameters that have been configured for the data source.
Temporarily replace the SSL configuration for the data source with a non-SSL configuration.
Use a non-SSL URL and remove all SSL properties. You should end with something like this configuration:
URL: jdbc:oracle:thin:@myhost.example.com:1521:db11107
Properties:
user=MAR20SSL_OCS
oracle.net.CONNECT_TIMEOUT=10000
sendStreamAsBlob=true
Using Fusion Middleware Configuration Wizard, extend the domain, as described in Table 3-3.
After successfully extending the domain, restore the SSL configuration to your data source. You should end with something like this configuration:
URL: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=myhost.example.com)(PORT=2490)))(CONNECT_DATA=(SERVICE_NAME=db11107.example.com))(SECURITY=(SSL_SERVER_CERT_DN="CN=myhost.example.com,OU=QA,O=ECM,L=RedwoodShores,ST=California,C=US")))
Properties:
javax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase
user=MAR20SSL_OCS
javax.net.ssl.trustStore=/mw_home/wlserver_10.3/server/lib/DemoTrust.jks
oracle.net.CONNECT_TIMEOUT=10000
javax.net.ssl.trustStoreType=JKS
sendStreamAsBlob=true
The DemoTrust.jks trust store and its DemoTrustKeyStorePassPhrase passphrase shown here are the Oracle WebLogic Server demonstration artifacts; a production data source should point at a trust store that you control, with its own passphrase.
If during step 3 you updated your domain with a new product that creates its own data source, you may need to add SSL configuration to it as well.
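The following script, added here as an example and not an Oracle tool, performs the bookkeeping for this procedure on the URL and property list copied out of the Administration Console: it saves every javax.net.ssl.* property and the TCPS URL, produces the temporary non-SSL configuration, restores the saved values afterwards, and then checks the result against the backup so that a missing property (for example on a data source that a newly added product created) is reported rather than discovered at the next connection failure. The sample URL and properties are constructed to mirror the ones shown above; the script does not connect to the Administration Server.

```python
"""Back up, strip, and restore the SSL settings of a WebLogic JDBC data source.

Added example for the procedure above; it is not an Oracle tool and does not
talk to the Administration Server. It works on the URL and the key=value
property list you copy out of the Administration Console. The sample values
are constructed and mirror the ones shown on the page; the demo trust store
and its passphrase are WebLogic's demonstration artifacts, not production ones.
"""
import re

SSL_PROPERTY_PREFIX = "javax.net.ssl."

# Constructed sample, copied from the shapes shown in this section.
SSL_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)"
           "(HOST=myhost.example.com)(PORT=2490)))(CONNECT_DATA=(SERVICE_NAME=db11107.example.com))"
           "(SECURITY=(SSL_SERVER_CERT_DN=\"CN=myhost.example.com,OU=QA,O=ECM,"
           "L=RedwoodShores,ST=California,C=US\")))")
NON_SSL_URL = "jdbc:oracle:thin:@myhost.example.com:1521:db11107"
SSL_PROPERTIES_TEXT = """
javax.net.ssl.trustStorePassword=DemoTrustKeyStorePassPhrase
user=MAR20SSL_OCS
javax.net.ssl.trustStore=/mw_home/wlserver_10.3/server/lib/DemoTrust.jks
oracle.net.CONNECT_TIMEOUT=10000
javax.net.ssl.trustStoreType=JKS
sendStreamAsBlob=true
"""


def parse_properties(text):
    """Parse key=value lines; returns (properties, duplicated keys). First value wins."""
    props, duplicates = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in props:
            duplicates.append(key)
        else:
            props[key] = value
    return props, duplicates


def is_ssl_url(url):
    """An Oracle thin URL is an SSL URL when its address descriptor uses PROTOCOL=TCPS."""
    return re.search(r"\(PROTOCOL\s*=\s*TCPS\)", url, re.IGNORECASE) is not None


def backup_ssl_config(url, props):
    """Step 1: what to save before extending the domain (URL plus every javax.net.ssl.* property)."""
    ssl_props = {k: v for k, v in props.items() if k.startswith(SSL_PROPERTY_PREFIX)}
    return {"url": url, "ssl_properties": ssl_props}


def strip_ssl_config(props, non_ssl_url):
    """Step 2: the temporary non-SSL configuration to apply before running the wizard."""
    plain = {k: v for k, v in props.items() if not k.startswith(SSL_PROPERTY_PREFIX)}
    return non_ssl_url, plain


def restore_ssl_config(backup, props):
    """Step 4: put the saved URL and SSL properties back."""
    restored = dict(props)
    restored.update(backup["ssl_properties"])
    return backup["url"], restored


def verify_restore(backup, url, props):
    """Compare a data source against the backup; an empty list means nothing was lost."""
    problems = []
    if url != backup["url"]:
        problems.append("URL differs from backup")
    if not is_ssl_url(url):
        problems.append("URL does not use TCPS")
    for key, value in backup["ssl_properties"].items():
        if props.get(key) != value:
            problems.append("missing or changed: " + key)
    return problems


def redacted(props):
    """Copy of the properties that is safe to log: password values are masked."""
    return {k: ("***" if k.endswith("Password") else v) for k, v in props.items()}


if __name__ == "__main__":
    props, dups = parse_properties(SSL_PROPERTIES_TEXT)
    backup = backup_ssl_config(SSL_URL, props)
    url, plain = strip_ssl_config(props, NON_SSL_URL)
    print("before wizard:", url, redacted(plain))
    url, restored = restore_ssl_config(backup, plain)
    print("after wizard: ", url, redacted(restored))
    print("problems:", verify_restore(backup, url, restored))
```

Run verify_restore against the backup of each data source after the extension, including any data source a newly added product created; the returned list names every SSL property that still has to be added. The trust store password is masked before anything is printed, so the output can go into a change ticket.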
You need to increase the size of the heap allocated for the Java Virtual Machine (VM) on which each Managed Server runs to at least 1 GB (1024 MB). If you do not increase the Java VM heap size, then Oracle support and development will not accept any escalation of runtime issues, especially out-of-memory issues.
For a Managed Server using the Sun JDK on a Windows operating system, you need to set the size of the heap allocated for the Java VM to 512 MB rather than 1 GB so that programs configured to use all available space will not fail at initialization. Address space must be reserved for permanent objects, and the MaxPermSize setting for each Managed Server reduces the space available for the rest of the heap.
There are two common ways to adjust the runtime memory parameters for a Managed Server:
Setting Server Startup Parameters for Managed Servers with the Administration Console
This method is required if the Managed Server process will be run from Node Manager. For more information about running Managed Servers from Node Manager, see Section 10.4, "Using Node Manager with Oracle WebCenter Content."
Setting the USER_MEM_ARGS Environment Variable for a Managed Server
This method is required if the Managed Server process will be run directly from the command line. For more information about running Managed Servers from the command line, see Section 10.2, "Starting Managed Servers."
You can set server startup parameters with the Oracle WebLogic Server Administration Console. This is the preferred approach for setting startup parameters because it ensures that the parameters are correctly pushed to each server, and it avoids problems that might occur during manual editing of server startup scripts. To increase the Java VM heap size, you set the value of the -Xmx parameter.
To set server startup parameters for Managed Servers with the Administration Console:
Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 10.1, "Starting the Administration Server."
Log in to the Oracle WebLogic Server Administration Console at this URL:
http://adminServerHost:adminServerPort/console
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myhost.example.com:7001/console
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
Click Environment under Domain Structure, on the left.
Click Servers on the Summary of Environment page.
Set the memory parameters for each Managed Server:
Click the name of a Managed Server in the Servers table.
On the Configuration tab, in the second row of tabs, click Server Start.
In the Arguments box, paste a string that specifies the memory parameters.
Table 3-4 shows parameters to specify for Sun JDK and Oracle JRockit Java VMs on UNIX and Windows operating systems. Other Java VMs may have different values.
Table 3-4 Java VM Memory Parameters
Java VM | Operating System | Parameters |
---|---|---|
Sun JDK | UNIX | |
Sun JDK | Windows | |
Oracle JRockit | UNIX | |
Oracle JRockit | Windows | |
Footnote 1 See information in preceding text about the heap size on a Windows system.
Save the configuration changes.
Restart any running Managed Servers, as described in Section 10.3, "Restarting a Managed Server."
You can set server startup parameters for a Managed Server by setting the USER_MEM_ARGS environment variable in its startup script or command file. To increase the Java VM heap size, you set the value of the -Xmx parameter.
To set the USER_MEM_ARGS Environment Variable for a Managed Server:
UNIX shell script (.sh) entry:
export USER_MEM_ARGS="-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m"
UNIX C shell script (.csh) entry:
setenv USER_MEM_ARGS "-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m"
Windows command file (.cmd) entry:
set USER_MEM_ARGS="-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m"
Note:
Table 3-4 shows parameters to specify for Sun JDK and Oracle JRockit Java VMs on UNIX and Windows operating systems. Other Java VMs may have different values.
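A USER_MEM_ARGS string that is pasted into a startup script is not checked by anything until the JVM refuses to start, so it is worth validating the sizing flags before restarting a Managed Server. The following is an added example, not code from the Oracle documentation: it parses the -Xms, -Xmx, -XX:PermSize and -XX:MaxPermSize flags shown in the entries above, converts the k/m/g suffixes to bytes and reports inconsistencies such as an initial heap larger than the maximum heap. The minimum heap value (min_heap_mb) is an assumed local policy knob, not an Oracle requirement.

```python
"""Parse and sanity-check a USER_MEM_ARGS string before it reaches a Managed Server.

Added example, not part of the Oracle documentation. It checks the arithmetic
relationships between the Java VM sizing flags shown in the entries above
(-Xms, -Xmx, -XX:PermSize, -XX:MaxPermSize); SAMPLE is the string from the
UNIX shell entry.
"""
import re

# Suffixes accepted by HotSpot and JRockit memory flags (case-insensitive).
_UNIT = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_SIZE_RE = re.compile(r"^(\d+)([kKmMgG]?)$")


def parse_size(text):
    """Convert '1024m' / '512k' / '2g' to bytes; raise ValueError on malformed input."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError("bad memory size: %r" % text)
    return int(m.group(1)) * _UNIT[m.group(2).lower()]


def parse_mem_args(user_mem_args):
    """Return {flag: bytes} for the sizing flags in a USER_MEM_ARGS string.
    Other flags (for example -XX:CompileThreshold=8000) are ignored."""
    sizes = {}
    for token in user_mem_args.strip().strip('"').split():
        if token.startswith("-Xms"):
            sizes["Xms"] = parse_size(token[4:])
        elif token.startswith("-Xmx"):
            sizes["Xmx"] = parse_size(token[4:])
        elif token.startswith("-XX:PermSize="):
            sizes["PermSize"] = parse_size(token.split("=", 1)[1])
        elif token.startswith("-XX:MaxPermSize="):
            sizes["MaxPermSize"] = parse_size(token.split("=", 1)[1])
    return sizes


def check_mem_args(user_mem_args, min_heap_mb=512):
    """Return a list of problems; an empty list means the string is consistent.
    min_heap_mb is an assumed local policy value, not an Oracle requirement."""
    try:
        sizes = parse_mem_args(user_mem_args)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "Xmx" not in sizes:
        problems.append("no -Xmx flag: the heap ceiling is left at the JVM default")
    else:
        if sizes["Xmx"] < min_heap_mb * 1024 ** 2:
            problems.append("-Xmx below the local minimum of %dm" % min_heap_mb)
        if "Xms" in sizes and sizes["Xms"] > sizes["Xmx"]:
            problems.append("-Xms is larger than -Xmx; the JVM will refuse to start")
    if ("PermSize" in sizes and "MaxPermSize" in sizes
            and sizes["PermSize"] > sizes["MaxPermSize"]):
        problems.append("-XX:PermSize is larger than -XX:MaxPermSize")
    return problems


# Sample value: the string from the UNIX shell entry above.
SAMPLE = '"-Xms256m -Xmx1024m -XX:CompileThreshold=8000 -XX:PermSize=128m -XX:MaxPermSize=512m"'

if __name__ == "__main__":
    print(parse_mem_args(SAMPLE))
    print(check_mem_args(SAMPLE) or "USER_MEM_ARGS looks consistent")
```

Run it against the value you are about to put in the startup script; an empty problem list means the flags are at least mutually consistent, which is all this check claims.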
On a UNIX operating system, you need to make sure TrueType fonts are set up for Imaging, Inbound Refinery, and WebCenter Content Dynamic Converter. If you are using a language other than English, you also need to set up fonts for national language support.
For Imaging and WebCenter Content Dynamic Converter to work best on a UNIX operating system, you can set up TrueType fonts on the machine where Imaging, Inbound Refinery, or the Dynamic Converter is running. If these fonts are not available on your system, you need to install them. Inbound Refinery and Content Server default to the TrueType fonts in the JRE, at JAVA_HOME/lib/fonts. For information about configuring the path to the font directory for Imaging once the fonts are installed, see Section 6.1.5, "Configuring the GDFontPath MBean for a UNIX System."
Some standard font locations on different UNIX platforms follow:
Solaris SPARC: /usr/openwin/lib/X11/fonts/TrueType
Solaris X64: /usr/openwin/lib/X11/fonts/TrueType
AIX: /usr/lpp/X11/lib/X11/fonts/TrueType
HP-UX Itanium: /usr/lib/X11/fonts/TrueType
HP-UX PARISC64: /usr/lib/X11/fonts/TrueType
Linux: /usr/lib/X11/fonts/TrueType
To set the path to the font directory in Inbound Refinery:
Log in to Inbound Refinery.
Select Conversion Settings, then Third-Party Application Settings, and then General OutsideIn Filter Options.
Click Options.
Enter the path to the TrueType fonts in the Path to fonts field.
For example:
/usr/share/x11/fonts/FTP
Click Update.
For languages other than English, the following installation steps need to be done on a UNIX operating system before you start a Managed Server:
Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Sun JDK installation directory for the Middleware home.
Copy MW_HOME/oracle_common/jdk/jre/lib/fonts to the /jre/lib/fonts directory in the Oracle JRockit JDK directory for the Middleware home.
WebCenter Content, Inbound Refinery, Imaging, and the Imaging Advanced Viewer for clients use Oracle Outside In Technology, which requires certain libraries that are not part of Oracle WebCenter Content. Before a WebCenter Content, Inbound Refinery, or Imaging Managed Server is started, you need to install the libraries for your platform. For a UNIX platform, you also need to set an environment variable to reference the libraries in the library path for the user who will start the Managed Server.
Note:
The Outside In Technology binaries are 32 bit, so your system needs to be capable of running 32-bit binaries and have compatible libraries installed.
Before you start a WebCenter Content, Inbound Refinery, or Imaging Managed Server, the libraries required for your platform need to be available on your system.
Many of the required libraries are normally installed on the machine, including the C, math, X11, dynamic loader, and pthreads libraries, among others.
Solaris SPARC 32-bit or 64-bit
/usr/platform/SUNW,Ultra-60/lib/libc_psr.so.1 libICE.so.6 libSM.so.6 libX11.so.4 libXext.so.0 libXm.so.4 libXt.so.4 libc.so.1 libdl.so.1 libgen.so.1 libm.so.1 libmp.so.2 libnsl.so.1 libpthread.so.1 libsocket.so.1 libthread.so.1
HPUX ia64
libCsup.so.1 libICE.so.1 libSM.so.1 libX11.so.1 libXext.so.1 libXm.so.1 libXp.so.1 libXt.so.1 libc.so.1 libdl.so.1 libm.so.1 libpthread.so.1 libstd_v2.so.1 libuca.so.1 libunwind.so.1
AIX 32-bit
/usr/lib/libC.a(ansi_32.o) /usr/lib/libC.a(shr.o) /usr/lib/libC.a(shr2.o) /usr/lib/libC.a(shr3.o) /usr/lib/libICE.a(shr.o) /usr/lib/libIM.a(shr.o) /usr/lib/libSM.a(shr.o) /usr/lib/libX11.a(shr4.o) /usr/lib/libXext.a(shr.o) /usr/lib/libXi.a(shr.o) /usr/lib/libXm.a(shr_32.o) /usr/lib/libXt.a(shr4.o) /usr/lib/libc.a(shr.o) /usr/lib/libcrypt.a(shr.o) /usr/lib/libgaimisc.a(shr.o) /usr/lib/libgair4.a(shr.o) /usr/lib/libi18n.a(shr.o) /usr/lib/libiconv.a(shr4.o) /usr/lib/libodm.a(shr.o) /usr/lib/libpthreads.a(shr.o) /usr/lib/libpthreads.a(shr_comm.o) /usr/lib/libpthreads.a(shr_xpg5.o) /usr/lib/libpthreads_compat.a(shr.o)
HPUX PA/RISC 32-bit
/lib/libCsup.2 /lib/libCsup_v2.2 /lib/libX11.3 /lib/libXm.4 /lib/libXt.3 /lib/libc.2 /lib/libcl.2 /lib/libm.2 /lib/libstd.2 /lib/libstd_v2.2 /lib/libstream.2 /usr/lib/libCsup.2 /usr/lib/libCsup_v2.2 /usr/lib/libX11.3 /usr/lib/libXm.4 /usr/lib/libXt.3 /usr/lib/libc.2 /usr/lib/libcl.2 /usr/lib/libdld.2 /usr/lib/libisamstub.1 /usr/lib/libm.2 /usr/lib/libstd.2 /usr/lib/libstd_v2.2 /usr/lib/libstream.2 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libICE.2 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libSM.2 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libX11.3 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXext.3 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXp.2 /view/x_r6hp700_1111/vobs/swdev/pvt/r6hp700_1111/X11R6/lib/libXt.3
SUSE Linux
For a SUSE Linux operating system, the file /usr/lib/libstdc++.so.5 is required. You can find this file in the compat-libstdc++ or libstdc++33 package.
Linux variants
For Linux variants, the file /lib/libz.so.1 is required.
Before Inbound Refinery or the WebCenter Content Dynamic Converter uses Outside In Technology for document and image conversions, the following environment variables must be set for the WebCenter Content Managed Server on the specified UNIX platforms:
Environment variables for library paths for Imaging
Add the following line to the Inbound Refinery intradoc.cfg file at DomainHome/ucm/ibr/bin:
ContentAccessExtraLibDir=/usr/local/packages/gcc-3.4.2/lib
Then restart Inbound Refinery, as described in Section 10.3, "Restarting a Managed Server."
AIX:
LIBPATH=DomainHome/oracle/imaging/imaging-server
HP-UX Itanium:
LD_LIBRARY_PATH=DomainHome/oracle/imaging/imaging-server:"$LD_LIBRARY_PATH"
DISPLAY environment variable
On a UNIX operating system running XWindows, when redirecting the display to a system with suitable graphic capabilities, export DISPLAY to a valid X Server before starting the Imaging or Inbound Refinery Managed Server or the WebCenter Content Dynamic Converter.
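A missing Outside In library or an unset DISPLAY variable only shows up as a failed conversion after the Managed Server is already up, so a pre-flight check run as the user who will start the server saves a restart cycle. The block below is an added example and not Oracle code: it looks for the library files named in the lists above (the two Linux entries are filled in; the Solaris, AIX and HP-UX lists can be dropped into REQUIRED_LIBS in the same shape) and checks that DISPLAY and the per-platform library path variable (LIBPATH on AIX, LD_LIBRARY_PATH on HP-UX Itanium) are set as the text requires. The platform labels, the DomainHome path used in the usage call and the temporary sample directory are constructed for the example.

```python
"""Pre-flight check for the Outside In Technology prerequisites on a UNIX host.

Added example, not Oracle code. Verifies that the shared libraries listed on
this page can be found and that the environment variables the text asks for
are set, before a WebCenter Content, Inbound Refinery or Imaging Managed
Server is started.
"""
import os
import tempfile

# Required files per platform as named on this page. Keys are assumed labels;
# entries may be absolute paths (Linux style) or bare names (Solaris/HP-UX style).
REQUIRED_LIBS = {
    "linux": ["/lib/libz.so.1"],
    "suse": ["/lib/libz.so.1", "/usr/lib/libstdc++.so.5"],
}

# Variable that must carry the Imaging library directory, per platform (from the text).
LIB_PATH_VAR = {"aix": "LIBPATH", "hpux": "LD_LIBRARY_PATH"}


def missing_libraries(required, search_dirs=()):
    """Return the entries from `required` that cannot be found.
    Absolute paths are checked as given; bare names are looked up in search_dirs."""
    missing = []
    for entry in required:
        if os.path.isabs(entry):
            found = os.path.isfile(entry)
        else:
            found = any(os.path.isfile(os.path.join(d, entry)) for d in search_dirs)
        if not found:
            missing.append(entry)
    return missing


def check_environment(env, imaging_lib_dir, platform):
    """Return a list of problems with the environment a Managed Server would inherit.
    `env` is a mapping such as os.environ; `platform` is one of the LIB_PATH_VAR keys
    or any other string (no library-path variable is checked then)."""
    problems = []
    if not env.get("DISPLAY"):
        problems.append("DISPLAY is not set; export it to a valid X server first")
    var = LIB_PATH_VAR.get(platform)
    if var is not None:
        entries = env.get(var, "").split(":")
        if imaging_lib_dir not in entries:
            problems.append("%s does not include %s" % (var, imaging_lib_dir))
    return problems


def preflight(platform, env, imaging_lib_dir, search_dirs=()):
    """Run both checks; returns {'missing_libs': [...], 'env_problems': [...]}."""
    return {
        "missing_libs": missing_libraries(REQUIRED_LIBS.get(platform, []), search_dirs),
        "env_problems": check_environment(env, imaging_lib_dir, platform),
    }


def build_sample_tree():
    """Constructed demo directory containing only libz.so.1, for trying the check offline."""
    root = tempfile.mkdtemp(prefix="outsidein-demo-")
    with open(os.path.join(root, "libz.so.1"), "w") as fh:
        fh.write("")
    return root


if __name__ == "__main__":
    # Assumed DomainHome location; replace with the real domain directory.
    imaging_dir = "/u01/DomainHome/oracle/imaging/imaging-server"
    print(preflight("linux", os.environ, imaging_dir))
```

An empty missing_libs list together with an empty env_problems list is the go/no-go signal; a non-empty missing_libs list names exactly the package-provided files still to install.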
Outside In Technology requires the Visual C++ libraries included in the Visual C++ Redistributable Package for a Windows operating system. Three versions of this package (x86, x64, and IA64) are available from the Microsoft Download Center at
http://www.microsoft.com/downloads
Search for and download the version of the package that corresponds to the version of your Windows operating system:
vcredist_x86.exe
vcredist_x64.exe
vcredist_IA64.exe
The required version of each of these downloads is the Microsoft Visual C++ 2005 SP1 Redistributable Package. The redistributable module that Outside In Technology requires is msvcr80.dll.
Inbound Refinery configuration on a Windows x64 operating system requires Visual Studio 2005 runtime support, which is vcredist_x64.exe for KB973544. Also, when Inbound Refinery is installed on a Windows x64 operating system, both the 32-bit and 64-bit C++ libraries are required because Oracle WebCenter Content ships 32-bit Outside In Technology, even for Windows x64. Content Server also requires the 32-bit libraries because it uses 32-bit Outside In Technology.
The WinNativeConverter has some vb.Net code, so it also requires Microsoft .NET Framework 3.5 Service Pack 1.
You can configure Secure Sockets Layer (SSL) for Oracle WebCenter Content applications running in a production or development environment.
Note:
If SSL is enabled, before you use WLST to connect to the Administration Server, you must either append the following parameters to the JVM_ARGS section of the wlst.sh file or set them in the CONFIG_JVM_ARGS environment variable:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.TrustKeyStore=KeyStoreName
KeyStoreName is the name of the keystore in use (DemoTrust for the built-in demonstration certificate). The wlst.sh file is in the bin subdirectory of the common directory in the WebCenter Content Oracle home directory.
Oracle IRM requires SSL to be enabled on the front-end application, whether it is Oracle HTTP Server (OHS) or a Managed Server running Oracle IRM as an application deployed to Oracle WebLogic Server. Communication between Oracle IRM Desktop and the Oracle IRM server application must be over SSL because sensitive information such as passwords are communicated.
Other uses of SSL, such as between OHS and Managed Servers, the Administration Server, and the LDAP authentication provider are optional.
For information about configuring SSL for a production environment, see "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
For a development environment, you can also configure one-way SSL with a server-specific certificate. One-way SSL means that only the server certificate passes from the server to the client but not the other way around. After you configure one-way SSL for a development environment on the server, you have to configure every client to accept the server certificate.
For a development environment, you might want to configure SSL, but it is not required. The application will work correctly without SSL configuration, but if you are using basic authentication or form-based authentication, credentials will be transferred from the client to the server unencrypted.
You can configure one-way SSL with a server certificate for the Managed Server so that the client application can be configured to trust the certificate.
In the following procedure, the keystore commands relate only to SSL and not to Oracle IRM encryption keys.
To configure one-way SSL for a development environment:
Run the setWLSEnv script to set the environment:
UNIX script:
MW_HOME/wlserver_10.3/server/bin/setWLSEnv.sh
Windows script:
MW_HOME\wlserver_10.3\server\bin\setWLSEnv.cmd
For the Java and Oracle WebLogic Server tools to work, you should have the weblogic.jar file in the MW_HOME/wlserver_10.3/server/lib or MW_HOME\wlserver_10.3\server\lib directory.
Use the CertGen utility to create a server-specific private key and certificate, as follows (in a single command line):
java utils.CertGen -selfsigned -certfile MyOwnSelfCA.cer -keyfile MyOwnSelfKey.key -keyfilepass mykeypass -cn "hostname" -keyusagecritical false -keyusage digitalSignature,keyEncipherment,keyCertSign
The last two options (-keyusagecritical and -keyusage) are not needed for pure certificate use, but are needed if the certificate is also to be used for Java applications using Oracle Web Services over SSL.
For mykeypass, substitute a password for the key, and for hostname, substitute the name of the machine that hosts the Managed Server to which the application is deployed. You should use the same name while accessing Oracle Web Services. For example, to generate the server certificate for a machine named myhost.us.example.com, the command would be as follows (in a single command line):
java utils.CertGen -selfsigned -certfile MyOwnSelfCA.cer -keyfile MyOwnSelfKey.key -keyfilepass mykeypass -cn "myhost.us.example.com" -keyusagecritical false -keyusage digitalSignature,keyEncipherment,keyCertSign
This command will generate a server certificate for the machine myhost.us.example.com.
The parameter -cn "machine-name" must be set to the fully qualified domain name of the Managed Server to which the application is deployed. Oracle IRM will use this name to connect to the machine. Verify that the certificate has been issued to the machine name you specified.
CertGen creates a unique and secret Private Key and a Self-Signed Root Certificate.
Run the ImportPrivateKey utility to package the Private Key and Self-Signed Root Certificate into a keystore, as follows (in a single command line):
java utils.ImportPrivateKey -keystore MyOwnIdentityStore.jks -storepass identitypass -keypass keypassword -alias trustself -certfile MyOwnSelfCA.cer.pem -keyfile MyOwnSelfKey.key.pem -keyfilepass mykeypass
Substitute an identity store password for identitypass, a key password for keypassword, and a key-file password for mykeypass.
Run the keytool utility to package the key and certificate into a separate keystore named Trust Keystore.
In the following keytool commands (each a single command line), JAVA_HOME represents the location of the JDK. For information about the JAVA_HOME environment variable, see Section 2.3, "Installing an Application Server and Oracle Fusion Middleware."
UNIX operating system:
JAVA_HOME/bin/keytool -import -trustcacerts -alias trustself -keystore TrustMyOwnSelf.jks -file MyOwnSelfCA.cer.der -keyalg RSA
Windows operating system:
JAVA_HOME\bin\keytool -import -trustcacerts -alias trustself -keystore TrustMyOwnSelf.jks -file MyOwnSelfCA.cer.der -keyalg RSA
Click Next
On a Windows operating system, follow the instructions on the wizard screens.
Set Up a Custom Identity Keystore and Trust Store:
Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 10.1, "Starting the Administration Server."
Log in to the Oracle WebLogic Server Administration Console, at this URL:
http://adminServerHost:adminServerPort/console
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myHost.example.com:7001/console
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
Select Environment under your domain from Domain Structure.
Select Servers from Environment.
From Summary of Servers, select the server for which to enable SSL.
Click the Keystores tab on the Settings for servername page.
In the Keystores field, select Custom Identity and Custom Trust.
If the server is in production mode, you need to click the Lock & Edit button before you can make changes.
Enter values in the following fields on the Keystores tab:
Custom Identity Keystore
Custom Identity Keystore Type
Custom Identity Keystore Passphrase
Confirm Custom Identity Keystore Passphrase
Custom Trust Keystore
Custom Trust Keystore Type
Custom Trust Keystore Passphrase
Confirm Custom Trust Keystore Passphrase
Save the changes.
Click the SSL tab.
In the Identity and Trust Locations field, select Keystores.
Enter values in the other fields on the SSL tab:
Private key alias
Private key passphrase
Confirm Private key passphrase
Save the changes.
If the server is running in development mode, then the changes need to be activated.
After you create a server certificate to configure one-way SSL, you must install it on every machine running the client application. Then you can import the certificate into the client application so that it will trust the certificate and not show prompts when it connects to the Managed Server.
To configure clients to accept the server certificate:
On the client machine, double-click the certificate file to open the Certificate window, and then click Install Certificate to start the Certificate Import Wizard.
For a Windows operating system, the certificate file needs to be copied to the client machine that accesses this server through a browser.
For a UNIX operating system that is accessing a website over SSL rather than using the client application on the machine, follow the procedure required for your operating system to trust the certificate.
In the Certificate Import Wizard, explicitly select a certificate store for Trusted Root Certification Authorities. The root certificate must be trusted on all client computers that will access the server.
On a Windows operating system, install the certificate under Trusted Root Certification Authorities in Internet Explorer.
In a production system, Oracle WebCenter Content applications need to use an external Lightweight Directory Application Protocol (LDAP) authentication provider rather than the Oracle WebLogic Server embedded LDAP server, which is part of the default configuration. You need to reassociate the identity store for your application with one of the following external LDAP authentication providers before you complete the configuration of a Managed Server, before you connect a Managed Server to a repository, and before the first user logs in to the application:
For an Imaging application, the user who logs in first to an Imaging Managed Server is provisioned with full security throughout the server. It is easier to reassociate the identity store for Imaging with an external LDAP authentication provider before the first user logs in, completes the configuration of the Imaging Managed Server, and connects it to the Oracle WebCenter Content repository.
For an AXF for BPM application, before you can access the AXF Solution Administration page, you need to set up an axfadmin group in the external LDAP authentication provider and assign the AXF users you want to the group.
For an Oracle IRM application, the Oracle IRM domain gets created the first time a user logs in to the Oracle IRM Management Console. An Oracle IRM domain is different from an Oracle WebLogic Server domain. The first user who logs in to the console is made the domain administrator for the Oracle IRM domain. Before you migrate user data for Oracle IRM, the users need to be in the target LDAP identity store. If you do not reassociate the identity store with an external LDAP authentication provider before the first user logs in to the Oracle IRM console, the general process for reassociating Oracle IRM users and migrating data follows:
Back up existing data with the setIRMExportFolder script.
Reassociate the identity store with an external LDAP directory.
Verify that all users and groups exist in the target LDAP identity store.
Migrate data with the setIRMImportFolder script.
You can reassociate the identity store for an Oracle WebLogic Server domain with Oracle Internet Directory and migrate users from the embedded LDAP directory to Oracle Internet Directory. The following procedure describes how to reassociate the identity store with Oracle Internet Directory.
You can use a similar procedure to reassociate the identity store with other LDAP authentication providers. Each provider has a specific authenticator type, and only that type should be configured. Table 3-5 lists the available authenticator types.
Table 3-5 LDAP Authenticator Types
LDAP Authentication Provider | Authenticator Type |
---|---|
Microsoft AD | ActiveDirectoryAuthenticator |
SunOne LDAP | IPlanetAuthenticator |
Directory Server Enterprise Edition (DSEE) | IPlanetAuthenticator |
Oracle Internet Directory | OracleInternetDirectoryAuthenticator |
Oracle Virtual Directory | OracleVirtualDirectoryAuthenticator |
Oracle Unified Directory | IPlanetAuthenticator |
EDIRECTORY | NovellAuthenticator |
OpenLDAP | OpenLDAPAuthenticator |
EmbeddedLDAP | DefaultAuthenticator |
To reassociate the identity store with Oracle Internet Directory:
Ensure that there is no user in Oracle Internet Directory with the same name as the administrator of the Oracle WebLogic Server domain, which is weblogic by default.
Set both embedded and external LDAP providers to SUFFICIENT.
For Oracle IRM, log in to the management console as a user from Oracle Internet Directory, to be the Oracle IRM domain administrator.
Do not log in to the management console with the user name of the Oracle WebLogic Server domain administrator. The Oracle recommendation is to not use the weblogic user account as the Oracle IRM administrator user account. If you use a different account for the Oracle IRM domain administrator, you can use the Oracle WebLogic Server domain administrator, weblogic by default, to start and stop Oracle WebLogic Server as well as to alter server settings. If you have a problem with Oracle Internet Directory, you will not need to fix it before you can do maintenance on Oracle WebLogic Server.
For an Oracle IRM Managed Server, if a user has already logged into the Oracle IRM Management Console, you need to run the WebLogic Scripting Tool (WLST) setIRMExportFolder command before identity store reassociation.
Use this command to set an export folder for exporting the user and group details referenced by Oracle IRM, which uses the export folder path to decide where to write out the user and group details. The Oracle IRM Managed Server must have write access to the folder path. The export folder must exist before you run the setIRMExportFolder command.
The following example sets /scratch/irm-data as the export folder:
cd WCC_ORACLE_HOME/common/bin
./wlst.sh
> connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
> setIRMExportFolder('/scratch/irm-data')
In the example, adminServerHost is the host name and adminServerPort is the port number for the Administration Server of the Oracle WebLogic Server domain.
Note:
If SSL is enabled, before you use WLST to connect to the Administration Server, you must either append the following parameters to the JVM_ARGS section of the wlst.sh file or set them in the CONFIG_JVM_ARGS environment variable:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
-Dweblogic.security.TrustKeyStore=KeyStoreName
KeyStoreName is the name of the keystore in use (DemoTrust for the built-in demonstration certificate). The wlst.sh file is in the bin subdirectory of the common directory in the WebCenter Content Oracle home directory.
After the Oracle IRM Managed Server picks up this configuration change, normally right away, it will write out a series of XML documents in the export folder. This process is complete when a folder named accounts appears under the export folder. The accounts folder will contain one or more folders named batchXXX, with each batch folder containing a set of XML documents that include the user and group details. For example:
/scratch
    /irm-data
        /accounts
            /batch1
                user1.xml
                user2.xml
                group1.xml
The batch folders are used to ensure that the operating system limit of the maximum number of files in a folder is not exceeded.
After this process is complete, reset the export folder:
setIRMExportFolder('')
This reset ensures that Oracle IRM does not perform any further data exporting when the Managed Server restarts.
Configure the Oracle Internet Directory authentication provider:
Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 10.1, "Starting the Administration Server."
Log in to the Oracle WebLogic Server Administration Console as the domain administrator user, at this URL:
http://adminServerHost:adminServerPort/console
For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:
http://myHost.example.com:7001/console
To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.
Under Domain Structure on the left, select Security Realms.
In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.
Click the Providers tab, and then click New under the Authentication Providers table on the Authentication tab.
In the Create a new Authentication Provider dialog box, enter a provider name in the Name field, change the type to OracleInternetDirectoryAuthenticator, and then click OK.
For a list of authenticator types for different LDAP Authentication Providers, see Table 3-5.
In the Authentication Providers table, click Reorder, move the provider you just created to the top of the list, and then click OK.
Click DefaultAuthenticator, change the Control Flag value to OPTIONAL, and then click Save.
Click Providers in the breadcrumb trail along the top of the page to navigate back to the Providers tab.
Click the name of the authentication provider you just created to navigate to the Configuration tab for the provider.
The Configuration tab has two tabs, Common and Provider Specific. On the Common tab, change the Control Flag value to SUFFICIENT, and then click Save.
SUFFICIENT means that if a user can be authenticated against Oracle Internet Directory, no further authentication is processed.
REQUIRED means that the authentication provider must succeed even if another provider already authenticated the user. If the embedded LDAP has been set to OPTIONAL and Oracle Internet Directory has been set to REQUIRED, the embedded LDAP user is no longer valid.
Click the Provider Specific tab.
Set Provider Specific values in the following fields, and leave default values in the other fields:
Host: The host name or IP address of the LDAP server.
Port: The Oracle Internet Directory port, 389 by default.
Principal: The Distinguished Name (DN) of the LDAP user that Oracle WebLogic Server should use to connect to the LDAP server; for example:
cn=orcladmin
Credential: The credential used to connect to the LDAP server (usually a password).
Confirm Credential: The same value as for the Credential field.
User Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains users; for example:
cn=users,dc=example,dc=com
In Oracle Internet Directory, this is the value of the User Search Base attribute, which you can look up in the OIDDAS administration dialog.
Note:
Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by the application.
Use Retrieved User Name as Principal: Specifies whether or not the user name retrieved from the LDAP server should be used as the Principal value.
Select this attribute for Oracle IRM.
Group Base DN: The base distinguished name (DN) of the tree in the LDAP directory that contains groups; for example:
cn=groups,dc=example,dc=com
In Oracle Internet Directory, this is the value of the Group Search Base attribute, which you can look up in the OIDDAS administration dialog.
Note:
Use an exact DN rather than a top-level DN. Using a top-level DN would provide access to all the default users and groups under the DN, giving access to more users than required by the application.
Propagate Cause For Login Exception: Propagates exceptions thrown by Oracle Internet Directory, like password expired exceptions, to Oracle WebLogic Server so they show in the console and the logs.
For Oracle IRM, select this attribute in the General area of the tab.
Click Save.
Restart the Administration Server, as described in Section 10.3, "Restarting a Managed Server."
Note:
Authentication providers in an Oracle WebLogic Server domain are chained. This means that user authentication needs to run successfully through all authentication providers. With the Control Flag value set to OPTIONAL for the default provider, it is allowed to fail without a server startup or user authentication failure.
After the server is up again, log in to the Administration Console again, and click Security Realms under Domain Structure.
In the Realms table on the Summary of Security Realms page, click myrealm in the Name column to open the Settings for myrealm page.
Click the Users and Groups tab to see a list of users contained in the configured authentication providers, on the Users subtab, and then click the Groups subtab to see a list of groups.
You should see user names from the Oracle Internet Directory configuration, which implicitly verifies that the configuration is working.
Check that you have switched the security provider successfully, with either or both of these basic tests:
After the creation of the new security provider is complete, verify that all the users in that security provider are listed in that same user-group presentation as the list from Step 3.
If your Managed Servers are already running and configured, access the Managed Server URL, and log in as any of the Oracle Internet Directory users.
For information about accessing a Managed Server, see Section 10.2, "Starting Managed Servers."
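The Control Flag semantics described in the procedure above (SUFFICIENT stops the chain on success, REQUIRED must succeed even when another provider already authenticated the user, OPTIONAL may fail harmlessly) are the JAAS login-module control flags, and the ordering of providers matters as much as the flags. The following added example, not Oracle code, models a chain of providers as an ordered list of (name, flag, user table) and applies the JAAS rules, so you can see why the weblogic domain administrator still logs in with Oracle Internet Directory first as SUFFICIENT and DefaultAuthenticator demoted to OPTIONAL, why that same user is locked out when Oracle Internet Directory is set to REQUIRED instead, and that the both-SUFFICIENT setting from step 2 also works. The provider contents (user names and passwords) are constructed sample data; real providers are LDAP directories.

```python
"""Model of how a chain of WebLogic authentication providers decides a login.

Added example, not Oracle code. WebLogic's Control Flag values are the JAAS
login-module control flags; authenticate() applies the JAAS rules to an
ordered chain. Providers are modelled as {user: password} dicts of
constructed sample data.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def authenticate(chain, username, password):
    """chain: ordered list of (provider_name, control_flag, {user: password}).
    Returns (success, trace); trace lists (provider, flag, result) for each
    provider actually consulted, in order."""
    required_failed = False
    any_success = False
    trace = []
    for name, flag, users in chain:
        ok = users.get(username) == password
        trace.append((name, flag, ok))
        if ok:
            any_success = True
            # SUFFICIENT: return at once on success, unless an earlier
            # REQUIRED/REQUISITE provider has already failed.
            if flag == SUFFICIENT and not required_failed:
                return True, trace
        elif flag in (REQUIRED, REQUISITE):
            required_failed = True
            if flag == REQUISITE:
                return False, trace  # REQUISITE failure ends the chain immediately
    # Overall success: no REQUIRED/REQUISITE failure and at least one success.
    return (any_success and not required_failed), trace


# Constructed sample directories: the domain administrator exists only in the
# embedded LDAP, jsmith exists only in Oracle Internet Directory.
EMBEDDED = {"weblogic": "welcome1"}
OID = {"jsmith": "oid-secret"}


def recommended_chain():
    """Order and flags the procedure above ends with: OID first as SUFFICIENT,
    DefaultAuthenticator reordered behind it as OPTIONAL."""
    return [("OID", SUFFICIENT, OID), ("DefaultAuthenticator", OPTIONAL, EMBEDDED)]


def both_sufficient_chain():
    """Step 2 of the procedure: both providers set to SUFFICIENT."""
    return [("OID", SUFFICIENT, OID), ("DefaultAuthenticator", SUFFICIENT, EMBEDDED)]


def required_chain():
    """The variant the text warns about: OID REQUIRED, embedded LDAP OPTIONAL."""
    return [("OID", REQUIRED, OID), ("DefaultAuthenticator", OPTIONAL, EMBEDDED)]


if __name__ == "__main__":
    chains = (("recommended", recommended_chain()),
              ("both SUFFICIENT", both_sufficient_chain()),
              ("OID REQUIRED", required_chain()))
    for label, chain in chains:
        for user, pw in (("jsmith", "oid-secret"), ("weblogic", "welcome1"), ("jsmith", "wrong")):
            ok, trace = authenticate(chain, user, pw)
            print("%-16s %-9s -> %-5s %s" % (label, user, ok, trace))
```

The trace is the useful part when a login fails after reassociation: it shows which provider rejected the user and whether a REQUIRED flag, rather than a bad password, caused the rejection.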
For an Oracle IRM Managed Server, if a user has already logged into the Oracle IRM Management Console, you need to run the setIRMImportFolder WLST command after identity store reassociation. Use this command to set the import folder to point to the export folder that was set before identity store reassociation.
Note:
You should take a backup of the export folder before performing the import process because the import process deletes the contents of the folder during successful processing of the user and group details.
This operation should be performed with only one Managed Server running a deployed Oracle IRM application, to ensure that only one Managed Server performs the user and group processing. After the import process is complete, all Managed Servers running the Oracle IRM application can be started.
The following example sets /scratch/irm-data as the import folder:
cd WCC_ORACLE_HOME/common/bin
./wlst.sh
> connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
> setIRMImportFolder('/scratch/irm-data')
After the Oracle IRM Managed Server picks up this configuration change, it will read the contents of the folder and update the global user ID (GUID) values in the Oracle IRM system to reflect the values in the new identity store. When a user or group has been processed, the import process deletes the corresponding XML file. After the import process is complete, the import folder will be empty:
/scratch
    /irm-data
If an error occurs during the processing of a user or group, the import process writes the error to a file that matches the user or group name. For example, if the user details in user1.xml cause an error during processing, the import process writes the error details to the file user1.xml.fail:
/scratch
    /irm-data
        /accounts
            /batch1
                user1.xml
                user1.xml.fail
If you can fix the error, then rerun the setIRMImportFolder WLST command to rerun the import process. For example, if user or group processing fails because the user or group does not exist in the new identity store, adding the user or group to Oracle Internet Directory will fix the error, and you can rerun the import process:
> connect('weblogic', 'password', 'adminServerHost:adminServerPort')
> setIRMImportFolder('/scratch/irm-data')
After this process is complete, reset the import folder:
setIRMImportFolder('')
This reset ensures that Oracle IRM does not perform any further data importing when the Managed Server restarts.
Note:
When reassociating an LDAP identity store, the Oracle IRM process for exporting user and group information has an issue if user and group names are identical. If a user and group have identical names, the export process will lose either the user or the group details during the export step. This is because the user or group name is used as the file name, so one file overwrites the other. A postreassociation workaround is to check user and group right assignments, and to manually reassign any that are missing.
After the reassociation of the identity store, users in Oracle Internet Directory have the same rights that their namesakes had in the Oracle WebLogic Server embedded LDAP server before the migration of user data. For example, if a user existed in the embedded LDAP server before the migration with the user name weblogic and an Oracle IRM role of Domain Administrator, then, after migration, the user in Oracle Internet Directory with the user name weblogic would have the Oracle IRM role of Domain Administrator.
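The following Python script is an added example; it is not part of the Oracle documentation or of the Oracle IRM product. It models the import-folder layout described above (one XML file per user or group, and a matching .fail file beside any file whose processing failed) and reports what is still pending and what failed, so an administrator can decide whether to fix the identity store and rerun setIRMImportFolder or reset the folder. The sample folder it scans is constructed in a temporary directory; the file contents are placeholders, not real IRM export data.

```python
"""Summarize the state of an Oracle IRM import folder after setIRMImportFolder runs.

Added example; it is not code from the Oracle documentation. It models the
layout the text describes: one XML file per user or group under the import
folder, and a <name>.fail file beside any file whose processing failed. The
sample folder is constructed in a temporary directory for illustration.
"""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class ImportStatus:
    pending: list = field(default_factory=list)  # XML files not processed yet
    failed: dict = field(default_factory=dict)   # relative .fail path -> error text

    @property
    def complete(self) -> bool:
        # The text says the folder is empty once the import finishes, so any
        # leftover XML or .fail file means the import is not complete.
        return not self.pending and not self.failed


def _relative(root: str, path: str) -> str:
    # Forward slashes so results compare the same on every platform.
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan_import_folder(root: str) -> ImportStatus:
    """Walk the import folder and classify what setIRMImportFolder left behind."""
    status = ImportStatus()
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.endswith(".xml.fail"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    status.failed[_relative(root, path)] = fh.read().strip()
            elif name.endswith(".xml") and not os.path.exists(path + ".fail"):
                # An XML file with a .fail file next to it is already reported
                # as failed; only XML files without one are still pending.
                status.pending.append(_relative(root, path))
    return status


def build_sample_folder() -> str:
    """Create a constructed sample folder; the contents are not real IRM export data."""
    root = tempfile.mkdtemp(prefix="irm-data-")
    batch = os.path.join(root, "accounts", "batch1")
    os.makedirs(batch)
    samples = {
        # user1 failed: the source XML and its .fail file both remain.
        "user1.xml": "<user><name>user1</name></user>\n",
        "user1.xml.fail": "user 'user1' was not found in the identity store\n",
        # group1 has not been processed yet.
        "group1.xml": "<group><name>group1</name></group>\n",
    }
    for name, text in samples.items():
        with open(os.path.join(batch, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    status = scan_import_folder(build_sample_folder())
    print("pending :", status.pending)
    print("failed  :", status.failed)
    print("complete:", status.complete)
```

Run the script against the real import folder by passing its path to scan_import_folder; the import is complete only when both lists are empty, which is when it is safe to call setIRMImportFolder('') to stop further imports.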
If you have already configured your Imaging Managed Server and you change the LDAP provider, the global user IDs (GUIDs) in the Imaging security tables will be invalid. Imaging caches the GUIDs from an external LDAP provider in its local security tables and uses these IDs for authentication. You can refresh the GUID values in the Imaging security tables with WLST commands or with Fusion Middleware Control.
Only users and groups that exist in both LDAP providers will have GUIDs refreshed. Imaging permissions assigned to users and groups from the previous LDAP will be refreshed to the users and groups that match in the new LDAP. If users and/or groups do not match any users and/or groups in the new LDAP provider, refreshIPMSecurity will ignore them.
Note:
During the refresh, users or groups for whom matching identifying information is not found are ignored. As security changes are made, invalid users or groups are removed from the Imaging database.
If you want to refresh GUID values from a command line, you can use the Oracle WebLogic Scripting Tool (WLST).
To refresh GUID values in Imaging security tables with WLST:
Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 10.1, "Starting the Administration Server."
Log in to the Oracle WebLogic Server Administration Server.
Navigate to the Oracle WebCenter Content home directory: MW_HOME/WCC_ORACLE_HOME.
Invoke WLST:
cd common/bin
./wlst.sh
At the WLST command prompt, enter these commands:
wls:/offline> connect()
Please enter your username :weblogic
Please enter your password : XXXXXXXXXXXXX
Please enter your server URL [t3://localhost:7001] :t3://host_name:16000
Connecting to t3://host_name:16000 with userid weblogic ...
Successfully connected to Managed Server 'IPM_server1' that belongs to domain 'domainName'.
Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.
wls:/domainName/serverConfig> listIPMConfig()
<This is just to check that the connection is to the right Imaging server>
wls:/domainName/serverConfig> refreshIPMSecurity()
<This is the command that will refresh the GUIDs in the Security tables.>
wls:/domainName/serverConfig> exit()
Log in to Imaging to verify user and group security.
If you want to refresh GUID values through an MBean, you can use the System MBean Browser in Fusion Middleware Control.
To refresh GUID values in Imaging security tables with Fusion Middleware Control:
Log in to Fusion Middleware Control.
In the navigation tree on the left, expand WebLogic Domain, then the Oracle WebCenter Content domain folder, then IPM_Cluster, and then the name of the Imaging server, such as IPM_server1.
On the right, click the WebLogic Server drop-down menu, and choose System MBean Browser.
In the System MBean Browser navigation tree, expand Application Defined MBeans, then oracle.imaging, then Server: IPM_server1, and then cmd, and click cmd.
Click refreshIPMSecurity on the right.
Press the Invoke button.
Log in to Imaging to verify user and group security.
When configuring an LDAP authentication provider, you can avoid significant performance issues by configuring the DNs at the highest level possible. This is true for both the User Base DN and Group Base DN configuration options.
The Group Base DN value is especially important because getting the groups associated with users can cause many queries to be executed against the LDAP server. This can cause significant performance issues depending on the number of directly assigned groups as well as the groups assigned indirectly as subgroups of other groups. You can easily default these settings to the root DN, but the root DN is not optimal because using a top-level DN provides access to all the groups under the DN, giving access to more groups than required by the application.
For example, you can configure Group Base DN values at different levels to get to the ecmAdmin group in this LDAP tree:
dc=com
  dc=oracle
    dc=us
      cn=Groups
        cn=ECM
          cn=ecmAdmin
Avoid using the following levels because too much of the tree would need to be queried to get the groups assigned to users:
dc=oracle,dc=com
dc=us,dc=oracle,dc=com
cn=groups,dc=us,dc=oracle,dc=com
In this case only the groups directly associated with the Oracle WebCenter Content applications need to be searched:
cn=ECM,cn=groups,dc=us,dc=oracle,dc=com
You could add other groups at the Oracle WebCenter Content level so that the LDAP tree would look more like this:
dc=com
  dc=oracle
    dc=us
      cn=Groups
        cn=ECM
          cn=ecmAdmin
          cn=ecmGuest
          cn=ecmManager
          cn=ecmSupervisor
          cn=ecmUser
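The following Python script is an added example and is not part of the Oracle documentation or of any Oracle product. It holds a small in-memory model of the LDAP tree shown above and counts how many group entries a subtree search from each candidate Group Base DN would have to consider. The ECM groups are the ones from the tree above; the HR and UK branches and the user entry are constructed additions that stand in for the unrelated parts of a real enterprise directory.

```python
"""Measure how much of an LDAP tree a Group Base DN exposes to group lookups.

Added example; it is not code from the Oracle documentation. It holds a small
in-memory model of the tree shown in the text (constructed entries, with a few
extra branches that an enterprise directory would typically carry) and counts
the group entries a subtree search from each candidate base DN would return.
"""


def parse_dn(dn: str) -> list:
    """Split a DN into normalized RDNs, leaf first (no escaped-comma handling)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or sits anywhere below it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base):
        return False
    return entry[len(entry) - len(base):] == base


# Constructed directory content: DN -> structural object class.
DIRECTORY = {
    "cn=ecmAdmin,cn=ECM,cn=Groups,dc=us,dc=oracle,dc=com": "groupOfUniqueNames",
    "cn=ecmGuest,cn=ECM,cn=Groups,dc=us,dc=oracle,dc=com": "groupOfUniqueNames",
    "cn=ecmManager,cn=ECM,cn=Groups,dc=us,dc=oracle,dc=com": "groupOfUniqueNames",
    "cn=ecmSupervisor,cn=ECM,cn=Groups,dc=us,dc=oracle,dc=com": "groupOfUniqueNames",
    "cn=ecmUser,cn=ECM,cn=Groups,dc=us,dc=oracle,dc=com": "groupOfUniqueNames",
    # Branches unrelated to WebCenter Content (assumed, for illustration).
    "cn=hrPayroll,cn=HR,cn=Groups,dc=us,dc=oracle,dc=com": "groupOfUniqueNames",
    "cn=hrBenefits,cn=HR,cn=Groups,dc=us,dc=oracle,dc=com": "groupOfUniqueNames",
    "cn=ukSales,cn=Groups,dc=uk,dc=oracle,dc=com": "groupOfUniqueNames",
    "uid=jsmith,cn=Users,dc=us,dc=oracle,dc=com": "inetOrgPerson",
}

GROUP_CLASSES = {"groupofuniquenames", "groupofnames"}


def groups_under(base_dn: str) -> list:
    """Group DNs a subtree search from base_dn would have to consider."""
    return sorted(dn for dn, oc in DIRECTORY.items()
                  if oc.lower() in GROUP_CLASSES and is_under(dn, base_dn))


def compare_bases(bases) -> dict:
    """Map each candidate Group Base DN to the number of groups it exposes."""
    return {base: len(groups_under(base)) for base in bases}


CANDIDATES = (
    "dc=oracle,dc=com",                         # too wide
    "dc=us,dc=oracle,dc=com",                   # too wide
    "cn=groups,dc=us,dc=oracle,dc=com",         # too wide
    "cn=ECM,cn=groups,dc=us,dc=oracle,dc=com",  # scoped to the application's groups
)

if __name__ == "__main__":
    for base, count in compare_bases(CANDIDATES).items():
        print(f"{count:2d} groups under {base}")
```

The count for the cn=ECM base is exactly the set of groups the applications use, while every wider base also exposes groups that have nothing to do with Oracle WebCenter Content, which is both the extra query load and the over-broad group visibility the text warns about. DN comparison here is case-insensitive on whole RDN strings, which is enough for the examples on this page; a production tool would use a real DN parser that handles escaped commas.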
You can add users to Oracle Internet Directory with Oracle Directory Services Manager, which is part of Oracle Identity Management. To add an entry to the directory with Oracle Directory Services Manager, you must have write access to the parent entry, and you must know the Distinguished Name (DN) to use for the new entry.
Note:
When you add or modify an entry, the Oracle directory server does not verify the syntax of the attribute values in the entry.
For information about adding a group entry, see ”Managing Dynamic and Static Groups” in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
For more information about entries, see ”Managing Directory Entries” in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
To add users to Oracle Internet Directory:
Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server.
From the task selection bar, select Data Browser.
On the toolbar, select the Create a new entry icon. Alternatively, right-click any entry and choose Create.
The Create New Entry wizard starts.
Specify the object classes for the new entry.
To select object class entries, click the Add icon and use the Add Object Class dialog box. Optionally, use the search box to filter the list of object classes. To add the object class, select it, and then click OK. (All the superclasses from this object class through top are also added.)
Note:
You must assign user entries to the inetOrgPerson object class for the entries to appear in the Oracle Internet Directory Self-Service Console in Oracle Delegated Administration Services.
In the Parent of the entry field, you can specify the full DN of the parent entry for the entry you are creating.
You can also click Browse to locate and select the DN of the parent for the entry you want to add. If you leave the Parent of the entry field blank, the entry is created under the root entry.
Click Next.
Choose an attribute that will be the Relative Distinguished Name (RDN) value for this entry and enter a value for that attribute.
You must enter values for attributes that are required for the object class you are using, even if none of them is the RDN value. For example, for object class inetorgperson, attributes cn (common name) and sn (surname or last name) are required, even if neither of them is the RDN value.
Click Next.
The wizard displays the next page. (Alternatively, you can click Back to return to the previous page.)
Click Finish.
To manage optional attributes, navigate to the entry you have just created in the Data Tree.
If the entry is a person, click the Person tab and use it to manage basic user attributes.
Click Apply to save your changes or Revert to discard them.
If the entry is a group, see ”Managing Dynamic and Static Groups” in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for instructions.
If this is a person entry, you can upload a photograph.
To upload a photograph, click Browse, navigate to the photograph, then click Open.
To update the photograph, click Update and follow the same procedure.
To delete the photograph, click the Delete icon.
Click Apply to save your changes or Revert to discard them.
You can configure one of these single sign-on (SSO) solutions for an Oracle WebCenter Content product:
Oracle Access Manager 11g SSO
Oracle Access Manager 10g SSO
Oracle Single Sign-On (OSSO)
Windows Native Authentication (WNA)
Table 3-6 shows which SSO solutions you can use with which Oracle WebCenter Content applications. The sections that follow provide references to information about using SSO with these applications.
Table 3-6 Single Sign-On Solutions for Oracle WebCenter Content Applications
Application | Oracle Access Manager 11g | Oracle Access Manager 10g | OSSO | WNA |
---|---|---|---|---|
WebCenter Content, with Content Server | Supported | Supported | Supported | Supported |
Imaging | Supported | Supported | Supported | Supported |
Oracle IRM Web Interface | Supported | Not supported | Supported | Supported |
Oracle IRM Desktop | Not supported | Supported (limited) | Not supported | Supported |
Records | Supported | Supported | Supported | Supported |
For an overview of Oracle WebLogic Server authentication providers, see ”Configuring Authentication Providers” in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Oracle Access Manager enables users to seamlessly gain access to web applications and other IT resources across your enterprise. Oracle IRM supports Basic authentication with Oracle Access Manager, which contains an authorization engine that grants or denies access to particular resources based on properties of the user requesting access as well as on the environment from which the request was made.
For information about configuring Oracle Access Manager single sign-on (SSO) for Oracle IRM, see Section 9.4, "Integrating Rights with Oracle Access Manager 11g."
For information about configuring Oracle Access Manager SSO for Imaging, see Oracle Fusion Middleware Administering Oracle WebCenter Content: Imaging.
Note:
When you use Oracle Access Manager (OAM) WebGate 11g SSO with Imaging, set the following WebGate 11g Agent user-defined parameter:
filterOAMAuthnCookie=false
Without this parameter setting, using the Imaging viewer in advanced mode would result in an error. For more information about setting the Agent user-defined parameters, see the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
For information about configuring it for WebCenter Content, Inbound Refinery, or Records, see ”Configuring WebCenter Content for Single Sign-On” in Oracle Fusion Middleware Administering Oracle WebCenter Content.
For more information, see ”Deploying the Oracle Access Manager Solutions” in the Oracle Fusion Middleware Application Security Guide.
Table 3-7 shows where to get more information about configuring Oracle Access Manager 11g for Oracle WebCenter Content applications.
Table 3-7 Oracle Access Manager 11g Configuration for Oracle WebCenter Content Applications
Application | Configuration Information |
---|---|
WebCenter Content, with Content Server | ”Configuring Oracle Access Manager 11g with Oracle WebCenter Content” in Oracle Fusion Middleware Administering Oracle WebCenter Content |
Imaging | ”Integrating Oracle Access Manager 11g with Imaging” in Oracle Fusion Middleware Administering Oracle WebCenter Content: Imaging |
Oracle IRM Web Interface | Section 9.4, "Integrating Rights with Oracle Access Manager 11g" |
Oracle IRM Desktop | Not supported |
Records | ”Configuring Oracle Access Manager 11g with Oracle WebCenter Content” in Oracle Fusion Middleware Administering Oracle WebCenter Content |
Table 3-8 shows where to get more information about configuring Oracle Access Manager 10g for Oracle WebCenter Content applications.
Table 3-8 Oracle Access Manager 10g Configuration for Oracle WebCenter Content Applications
Application | Configuration Information |
---|---|
WebCenter Content, with Content Server | ”Configuring Oracle Access Manager 10g with Oracle WebCenter Content” in Oracle Fusion Middleware Administering Oracle WebCenter Content |
Imaging | ”Integrating Oracle Access Manager 10g with Imaging” in Oracle Fusion Middleware Administering Oracle WebCenter Content: Imaging |
Capture | Not supported |
Oracle IRM Web Interface | Not supported |
Oracle IRM Desktop | Section 9.4, "Integrating Rights with Oracle Access Manager 11g" |
Records | ”Configuring Oracle Access Manager 10g with Oracle WebCenter Content” in Oracle Fusion Middleware Administering Oracle WebCenter Content |
For an overview of Oracle Single Sign-On (OSSO), see ”Introduction to Single Sign-On in Oracle Fusion Middleware” in the Oracle Fusion Middleware Application Security Guide.
Table 3-9 shows where to get more information about configuring OSSO for Oracle WebCenter Content applications.
Table 3-9 OSSO Configuration for Oracle WebCenter Content Applications
Application | Configuration Information |
---|---|
WebCenter Content, with Content Server | ”Configuring Oracle Single Sign-On for WebCenter Content” in Oracle Fusion Middleware Administering Oracle WebCenter Content |
Imaging | ”Configuring Oracle Single Sign-On for Imaging” in Oracle Fusion Middleware Administering Oracle WebCenter Content: Imaging |
Capture | Not supported |
Oracle IRM Web Interface | ”Configuring Single Sign-On using OracleAS SSO 10g” in the Oracle Fusion Middleware Application Security Guide |
Oracle IRM Desktop | Not supported |
Records | ”Configuring Single Sign-On using OracleAS SSO 10g” in the Oracle Fusion Middleware Application Security Guide |
For information about configuring Windows Native Authentication (WNA), see ”Configuring Single Sign-On with Microsoft Clients” in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Table 3-10 shows where to get more information about configuring WNA for Oracle WebCenter Content applications.
Table 3-10 WNA Configuration for Oracle WebCenter Content Applications
Application | Configuration Information |
---|---|
WebCenter Content, with Content Server | ”Configuring WebCenter Content and Single Sign-On for WNA” in Oracle Fusion Middleware Administering Oracle WebCenter Content |
Imaging | ”Configuring Imaging and Single Sign-On for Windows Native Authentication” in Oracle Fusion Middleware Administering Oracle WebCenter Content: Imaging |
Oracle IRM Web Interface | ”Configuring Single Sign-On with Microsoft Clients” in Oracle Fusion Middleware Securing Oracle WebLogic Server |
Oracle IRM Desktop | ”Configuring Single Sign-On with Microsoft Clients” in Oracle Fusion Middleware Securing Oracle WebLogic Server |
Records | ”Configuring Single Sign-On with Microsoft Clients” in Oracle Fusion Middleware Securing Oracle WebLogic Server |
Oracle recommends using Oracle Web Tier (Oracle HTTP Server) for Content Server integration with Site Studio, single sign-on (SSO), and clusters. You can install and configure Oracle Web Tier (OHS) 11g as an alternative to the Oracle WebLogic Server HTTP listener.
For information about installing and configuring Oracle Web Tier (OHS), see ”Installing and Configuring the Oracle HTTP Server” in Oracle Fusion Middleware Administering Oracle WebCenter Portal.
For production environments that require increased application performance, throughput, or high availability, you can configure two or more Managed Servers to operate as a cluster. A cluster is a collection of multiple Oracle WebLogic Server instances running simultaneously and working together to provide increased scalability and reliability. In a cluster, most resources and services are deployed identically to each Managed Server (as opposed to a single Managed Server), enabling failover and load balancing.
A single domain can contain multiple Oracle WebLogic Server clusters, as well as multiple Managed Servers that are not configured as clusters. The key difference between clustered and nonclustered Managed Servers is support for failover and load balancing. These features are available only in a cluster of Managed Servers.
Note:
To use clusters, you need a license for Oracle WebLogic Server Enterprise Edition.
For an overview of clusters, see ”Understanding WebLogic Server Clustering” in Oracle Fusion Middleware Using Clusters for Oracle WebLogic Server.
If you select Managed Servers, Clusters, and Machines on the Select Optional Configuration screen, you will see the screens that Table 3-11 describes.
Table 3-11 Managed Servers, Clusters, and Machines Advanced Settings Screens
Screen | Description and Action Required |
---|---|
Configure Managed Servers | Add new Managed Servers, or edit and delete existing Managed Servers. Click Next to continue. |
Configure Clusters | Create clusters if you are installing in a high availability environment. For more information, see the Oracle Fusion Middleware High Availability Guide. Click Next to continue. |
Assign Servers to Clusters | If you configured any clusters on the Configure Clusters screen Click Next to continue. |
Create HTTP Proxy Applications | If you configured any clusters on the Configure Clusters screen and assigned some, but not all, of the Managed Servers in the domain to a cluster Click Next to continue. |
Configure Machines | Configure the machines that will host the Managed Servers in a cluster. Click Next to continue. |
Assign Servers to Machines | Assign each Managed Server to a machine. Click Next to continue. |
Target Deployments to Clusters or Servers | Assign your Managed Servers to clusters or servers in your domain. Click Next to continue. |
Target Services to Clusters or Servers | Use this screen to target your services (such as JMS and JDBC) to servers or clusters so that your applications can use the services. Click Next to continue. |
You can add a Managed Server to a cluster later, with the Oracle WebLogic Server Administration Console or Fusion Middleware Control. For more information, see ”Scaling Your Environment” in the Oracle Fusion Middleware Administrator's Guide.
To set up Oracle Web Services Manager (Oracle WSM) security policies for Oracle WebCenter Content, you need to do these tasks:
Installing Oracle WebLogic Server and Oracle WebCenter Content
Creating an Oracle WSM MDS Schema with the Repository Creation Utility
Securing Web Services with a Keystore and Oracle WSM Policies
Install Oracle WebLogic Server with the Typical option, which also installs Oracle Coherence and the Sun and Oracle JRockit JDKs. For information about how to install Oracle WebLogic Server, see Section 2.3, "Installing an Application Server and Oracle Fusion Middleware."
The installation of Oracle WebLogic Server creates an Oracle Fusion Middleware home, where you can install Oracle WebCenter Content, which creates a WebCenter Content Oracle home. Oracle WSM can be installed from Oracle WebCenter Content. The Middleware home includes an Oracle Common home, where the Oracle WSM files are installed. For information about how to install Oracle WebCenter Content, with the files necessary for deploying Oracle WebCenter Content applications, see Section 2.4, "Using the Installer for Oracle WebCenter Content."
Make the following selection on the RCU Select Components screen to create the MDS schema, which you need for setting up Oracle WSM security:
Metadata Services under AS Common Schemas
The selection is for creating an Oracle WSM Policy Manager schema. This schema will provide a back-end repository for WebCenter Content, with Content Server and the Oracle WSM Policy Manager. If an MDS schema already exists in your database, you can reuse the schema.
For more information about creating the Oracle WSM MDS schemas with RCU, see Section 2.2, "Creating Oracle WebCenter Content Schemas with the Repository Creation Utility."
To configure one or more Oracle WebCenter Content applications and Oracle WSM Policy Manager, you need to create or extend an Oracle WebLogic Server domain. For information about creating a domain to include Oracle WSM Policy Manager, see Section 3.2, "Creating an Oracle WebLogic Server Domain." For information about extending a domain with Oracle WSM Policy Manager, see Section 3.3, "Extending an Existing Domain."
During postinstallation configuration of a Managed Server, you can configure the Server Socket Port and Incoming Socket Connection Address Security Filter values for Oracle WSM.
Make sure that the following settings exist along with other default settings:
Server socket port: 4444
This value is stored in the configuration file for the Managed Server as IntradocServerPort=4444.
Incoming Socket Connection Address Security Filter: *.*.*.*|0:0:0:0:0:0:0:1
This value is stored in the configuration file for the Managed Server as SocketHostAddressSecurityFilter=*.*.*.*|0:0:0:0:0:0:0:1.
Before any changes to these settings take effect, you need to restart the Managed Server, as described in Section 10.3, "Restarting a Managed Server."
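The following Python module is an added example and is not Oracle code. It implements the reading of the SocketHostAddressSecurityFilter syntax that the setting above shows: a '|'-separated list of address patterns in which '*' stands for one IPv4 octet and the IPv6 loopback address 0:0:0:0:0:0:0:1 is listed literally. With it an administrator can test which hosts the default value admits to the Intradoc server socket port and compare that with a tighter filter. DEFAULT_FILTER is the value from this page; RESTRICTED_FILTER and the probe addresses are constructed for the demonstration, and the matching rules are a model, since Content Server's own matcher is not described on this page.

```python
"""Model the SocketHostAddressSecurityFilter syntax shown in the text.

Added example; it is not Oracle's code. The text shows the filter as a
'|'-separated list of address patterns, where '*' stands for one IPv4 octet
and the IPv6 loopback address 0:0:0:0:0:0:0:1 is listed literally. This
module implements that reading so a candidate filter can be tested against
the addresses that should, and should not, reach the Intradoc socket port.
Content Server's own matcher may differ in details; treat this as a model.
"""
import ipaddress

# The value the text tells you to expect after configuration.
DEFAULT_FILTER = "*.*.*.*|0:0:0:0:0:0:0:1"
# A tighter filter (constructed example): one subnet plus the IPv6 loopback.
RESTRICTED_FILTER = "10.20.30.*|0:0:0:0:0:0:0:1"


def _canonical(addr: str):
    """Canonical text form of an IP address, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(addr.strip()))
    except ValueError:
        return None


def _pattern_matches(pattern: str, addr: str) -> bool:
    pattern = pattern.strip()
    if "*" not in pattern:
        # Literal entry: compare canonical forms so 0:0:0:0:0:0:0:1 equals ::1.
        return _canonical(pattern) == _canonical(addr)
    # Wildcard entry: compare a dotted IPv4 pattern octet by octet.
    pat_parts, addr_parts = pattern.split("."), addr.split(".")
    if len(pat_parts) != 4 or len(addr_parts) != 4:
        return False
    return all(p == "*" or p == a for p, a in zip(pat_parts, addr_parts))


def address_allowed(addr: str, security_filter: str) -> bool:
    """True when addr matches at least one pattern in the filter."""
    if _canonical(addr) is None:
        return False
    patterns = [p for p in security_filter.split("|") if p.strip()]
    return any(_pattern_matches(p, addr) for p in patterns)


def is_wide_open(security_filter: str) -> bool:
    """True when a pattern is all wildcards, so any IPv4 host is accepted."""
    return any(p.strip() == "*.*.*.*" for p in security_filter.split("|"))


def audit(security_filter: str, addresses) -> dict:
    """Map each address to whether the filter admits it."""
    return {a: address_allowed(a, security_filter) for a in addresses}


if __name__ == "__main__":
    # Constructed probe addresses: an in-subnet host, an outside host, both loopbacks
    # and an unrelated IPv6 address.
    probes = ["10.20.30.5", "192.0.2.77", "127.0.0.1", "::1", "2001:db8::1"]
    for label, flt in (("default", DEFAULT_FILTER), ("restricted", RESTRICTED_FILTER)):
        print(label, "wide open" if is_wide_open(flt) else "scoped", audit(flt, probes))
```

Two results are worth noticing when you run it: the default *.*.*.* entry admits every IPv4 address that can reach the port, so the filter is only as strong as the network around the server, and a filter that lists just a subnet and the IPv6 loopback no longer admits 127.0.0.1, which matters if a local process (a web server front end, for example) connects over IPv4 loopback.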
For more information about the postinstallation configuration of a Managed Server, see one or more of these sections:
To secure web services, you can set up a keystore and apply Oracle WSM policies to the web services.
The keytool command will generate a keystore, which requires a password to open. Inside the keystore, a key will be stored, and access to the key requires an additional password.
The suggested location for the keystore is in a directory under the domain home:
UNIX path: MW_HOME/user_projects/domains/DomainHome/config/fmwconfig
Windows path: MW_HOME\user_projects\domains\DomainHome\config\fmwconfig
Placing the keystore in this location ensures that the keystore file is backed up when the domain and corresponding credential store files are backed up.
Creating the keystore and key alias orakey:
JAVA_HOME/bin/keytool -genkeypair -alias orakey -keypass password -keyalg RSA \
  -dname "CN=orakey, O=oracle, C=us" \
  -keystore default-keystore.jks -storepass password
Copy default-keystore.jks to the domain's fmwconfig directory:
cp default-keystore.jks DomainHome/config/fmwconfig
Save the credentials in a credential store (using WLST commands):
MW_HOME/WCC_ORACLE_HOME/common/bin/wlst.sh
connect()
createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="password")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="password")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="password")
This step creates a file, cwallet.sso, under DomainHome/config/fmwconfig.
Both default-keystore.jks and cwallet.sso are needed for the client to access the server.
For more information about setting up a keystore, see Section 9.1.2, "Configuring a Keystore for Oracle IRM."
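The following Python script is an added example and is not part of the Oracle documentation or of any Oracle product. After the keystore and credential store steps above, it checks that default-keystore.jks and cwallet.sso are both present under DomainHome/config/fmwconfig and, on POSIX systems, that neither file is readable by group or other users, since the keystore holds the signing and encryption key and the wallet holds the passwords that open it. The DomainHome it demonstrates against is constructed in a temporary directory, and the files written there are placeholder bytes, not a real keystore or wallet.

```python
"""Verify the files the Oracle WSM keystore setup leaves in config/fmwconfig.

Added example; it is not code from the Oracle documentation. It checks that
default-keystore.jks and cwallet.sso, the two files the text says the client
needs, exist under DomainHome/config/fmwconfig and are not readable by group
or other users. The domain directory used for the demonstration is constructed
in a temporary location, and the files written there are placeholder bytes,
not a real keystore or wallet.
"""
import os
import stat
import tempfile

REQUIRED_FILES = ("default-keystore.jks", "cwallet.sso")


def check_fmwconfig(domain_home: str) -> list:
    """Return a list of findings; an empty list means both files are in place."""
    fmwconfig = os.path.join(domain_home, "config", "fmwconfig")
    findings = []
    for name in REQUIRED_FILES:
        path = os.path.join(fmwconfig, name)
        if not os.path.isfile(path):
            findings.append(f"missing: {name}")
            continue
        if os.name != "posix":
            continue  # POSIX mode bits are not meaningful elsewhere
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            # Both files hold secrets (key material, credential store); the
            # owning account is the only one that should be able to read them.
            findings.append(f"permissions too open on {name}: {oct(mode)}")
    return findings


def build_sample_domain(with_wallet: bool = True, loose_mode: bool = False) -> str:
    """Construct a throwaway DomainHome layout for the check (placeholder content)."""
    domain_home = tempfile.mkdtemp(prefix="DomainHome-")
    fmwconfig = os.path.join(domain_home, "config", "fmwconfig")
    os.makedirs(fmwconfig)
    names = REQUIRED_FILES if with_wallet else REQUIRED_FILES[:1]
    for name in names:
        path = os.path.join(fmwconfig, name)
        with open(path, "wb") as fh:
            fh.write(b"placeholder, not a real " + name.encode())
        os.chmod(path, 0o644 if loose_mode else 0o600)
    return domain_home


if __name__ == "__main__":
    for label, home in (("complete", build_sample_domain()),
                        ("no wallet", build_sample_domain(with_wallet=False)),
                        ("loose mode", build_sample_domain(loose_mode=True))):
        print(f"{label}: {check_fmwconfig(home) or 'ok'}")
```

Point check_fmwconfig at the real DomainHome once the steps above are done. The keytool command on this page passes -storepass and -keypass as command-line arguments; keytool also accepts the -storepass:env and -keypass:env forms, which read the password from a named environment variable so that it does not appear in shell history or in the process list while the command runs.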
You can use Oracle Enterprise Manager 11g Fusion Middleware Control to apply Oracle WSM policies to web services. For more information, see "Attaching Policies to Web Services" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.