6 Billing Care Postinstallation Tasks

Learn about postinstallation tasks, such as importing security policies into OPSS, that you perform after installing the Oracle Communications Billing Care software.

Postinstallation Tasks

After installing a Billing Care test or production installation, do the following on each domain host where Billing Care is deployed:

  1. If your BRM installation uses Oracle Analytics Publisher to view invoices, encrypt and add the Oracle Analytics Publisher credentials for accessing Oracle Analytics Publisher in the Infranet.properties file on each domain host where Billing Care is deployed. See "Encrypting and Adding Oracle Analytics Publisher Connection Information in the Wallet".

  2. Adjust your BRM connection pool settings and enable logging in the Infranet.properties file for your Billing Care environment. You can customize the Billing Care connection pool settings by adding additional entries in the Billing Care Infranet.properties configuration file. See "Configuring Additional Settings in the Infranet.properties File".

    Note:

    During installation, the Billing Care installer copies the Billing Care Infranet.properties configuration file to the domain administrative user's home directory on each domain server where Billing Care is deployed. You can update the Infranet.properties file in this location.

    You can also copy the Infranet.properties file in the domain administrative user's home directory to the domain_home directory if required. In this case, the Infranet.properties file in the domain_home directory takes precedence over the Infranet.properties file in the domain administrative user's home directory.

For production installations, also do the following:

  1. Import the Billing Care OPSS Administration Server policy configuration. The Billing Care SDK includes a default policy configuration file that must be imported into your OPSS Administration Server.

  2. If you are using OUD, configure the Billing Care OPSS JRF-enabled domain to connect to the LDAP directory used by Oracle Identity Management (IDM) to store Billing Care users. See "Configuring OPSS JRF-Enabled Domain LDAP Server Connection".

  3. If you are using Security Assertion Markup Language (SAML) for single sign-on (SSO), configure SAML. See "Configuring SAML 2.0 for SSO Using a Service Provider".

About Encryption

Encrypting your BRM and Oracle Analytics Publisher passwords and using SSL increases the security of your Billing Care deployment. See "Billing Care Security" in BRM Security Guide for more information about securing your Billing Care environment.

Encrypting and Adding Oracle Analytics Publisher Connection Information in the Wallet

You must configure the connection details for your Oracle Analytics Publisher server in each domain server hosting a Billing Care deployment, if Oracle Analytics Publisher is used in your environment.

Note:

The Billing Care application supports multiple BRM servers. When a user logs in to the Billing Care application, the application uses the Billing Care wallet and the Infranet.properties file from the available BRM servers.

To encrypt your Oracle Analytics Publisher password and store connection credentials in the Billing Care wallet:

  1. Log in to your domain server using a secure shell or console terminal session.

  2. Use the WebLogic Server encrypt Java utility to encrypt your Oracle Analytics Publisher user's password.

    See "encrypt" in Command Reference for Oracle WebLogic Server for information about encrypting passwords.

  3. Store the information listed in Table 6-1 in the Billing Care wallet.

    See "Storing Configuration Entries in the Billing Care Wallet" in BRM Security Guide for more information.

    Table 6-1 Oracle Analytics Publisher Connection Information

    Field          Description
    -------------  -------------------------------------------------------------
    BIP_USERID     Oracle Analytics Publisher user with web access
    BIP_PASSWORD   Encrypted Oracle Analytics Publisher user's password
    BIP_URL        URL address to access the Oracle Analytics Publisher instance

  4. For production installations, if not already done, enable SSL for the OPSS JRF-enabled domain where Billing Care is deployed.

  5. Restart the domain where Billing Care is deployed.

Configuring Additional Settings in the Infranet.properties File

Billing Care uses the default connection pool settings for your BRM instance. You can customize Billing Care connection pool settings by adding additional entries in the Billing Care Infranet.properties configuration file. You can also enable logging by adding optional entries or changing the BRM connection details in the Billing Care Infranet.properties file.

Note:

You can update the BRM connection details in the Billing Care Infranet.properties file or in the Billing Care wallet. However, it is recommended to update sensitive information (such as BRM user password) only by using the Billing Care wallet.

See "About Connection Pooling" in BRM System Administrator's Guide for more information about changing the default connection pool.

See "Optional Entries in the Infranet.properties File" in BRM Developer's Guide for more information about enabling logging for Billing Care connections to BRM.

Importing the Billing Care Security Policies to OPSS

The Billing Care SDK includes the system-jazn-data.xml file, which contains default policies, resource types, resources, and actions. You must import this file into your OPSS Administration Server to set up the initial Billing Care OPSS configuration.

The system-jazn-data.xml file is located in the Middleware_home/BillingCare_SDK/reference/AuthorizationDataModel directory created during the Billing Care SDK installation, where Middleware_home is the WebLogic Middleware home directory containing the OPSS JRF-enabled domain on which Billing Care is deployed.

To migrate the system-jazn-data.xml file into your OPSS Administration Server:

  1. Open a secure shell or terminal session on the server where you installed the Billing Care SDK.

  2. Go to the Middleware_home/BillingCare_SDK/reference/AuthorizationDataModel directory.

  3. Open the jps-config.xml file and modify the following parameters:

    • sourceContext. Specify the location of the system-jazn-data.xml file, which contains the policies to be migrated to the database. The system-jazn-data.xml file is in the same location as the jps-config.xml file.

      <serviceInstance name="src.xml" provider="policystore.xml.provider" location="location of the system-jazn-data.xml file">
         <description>File-Based Policy Store Service Instance</description>
      </serviceInstance>
    • destinationContext. Enter the credentials for the Oracle Platform Security Services (OPSS) database schema.

      Note:

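      Add the SSL property entries (marked by the comments in the example that follows) if you enabled one-way or two-way SSL authentication for connections with the OPSS database schema. Include only the jdbc.url entry that matches your configuration.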

      <serviceInstance name="policystore.db.destination" provider="policystore.provider">
         <description>DB Based Policy Store Service Instance</description>
         <property name="policystore.type" value="DB_ORACLE"/>
         <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
         <property name="security.principal" value="OPSS_SchemaName"/>
         <property name="security.credential" value="OPSS_SchemaPassword"/>
         <property name="oracle.security.jps.ldap.root.name" value="cn=opssroot"/>
         <property name="oracle.security.jps.farm.name" value="cn=opssSecurityStore"/>
      
         <!--Add this property if SSL is NOT enabled for connections with the OPSS database schema-->
         <property name="jdbc.url" value="jdbc:oracle:thin:@dbhost:dbport:SID"/>
      
         <!--Add the following properties for both one-way and two-way SSL authentication-->
         <property name="javax.net.ssl.trustStore" value="walletFileNameAndPath"/>
         <property name="javax.net.ssl.trustStoreType" value="SSO_or_PKCS12"/>
         <property name="javax.net.ssl.trustStorePassword" value="passwordForPKCS12_Only"/>
         <property name="security.providers.3" value="oracle.security.pki.OraclePKIProvider"/>
         <property name="jdbc.url" value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbhost)(PORT=dbport))(CONNECT_DATA=(SERVICE_NAME=SID)))"/>
      
         <!--Also add the following properties for two-way SSL authentication-->
         <property name="javax.net.ssl.keyStore" value="walletFileNameAndPath"/>
         <property name="javax.net.ssl.keyStoreType" value="SSO_or_PKCS12"/>
         <property name="javax.net.ssl.keyStorePassword" value="passwordForPKCS12_Only"/>
      </serviceInstance>
    • jpsContext. Specify the source context and the destination context.

      <jpsContext name="sourceContext">
         <serviceInstanceRef ref="src.xml"/>
      </jpsContext>
      <jpsContext name="destinationContext">
         <serviceInstanceRef ref="policystore.db.destination"/>
      </jpsContext> 
  4. Save the file.

  5. Run the migrateSecurityStore utility to migrate the Billing Care policy into your OPSS Administration Server.

  6. Restart the OPSS JRF-enabled domain.

See Oracle Fusion Middleware Administrator's Guide for detailed information on how to import the Billing Care system-jazn-data.xml file into your OPSS Administration Server.
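The following added example (not part of the Oracle documentation or SDK) checks an edited jps-config.xml before step 5: that both contexts resolve to a serviceInstance, that only one jdbc.url was kept, and that a tcps URL has the trust store and key store properties the comments in step 3 call for. The function names, the sample file content, and its host, port and path values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: both jdbc.url alternatives were pasted in, and a PKCS12
# trust store is declared without its password. Hosts and paths are placeholders.
SAMPLE = """<jpsConfig>
 <serviceInstances>
  <serviceInstance name="src.xml" provider="policystore.xml.provider" location="./system-jazn-data.xml"/>
  <serviceInstance name="policystore.db.destination" provider="policystore.provider">
   <property name="jdbc.url" value="jdbc:oracle:thin:@dbhost:1521:SID"/>
   <property name="jdbc.url" value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SID)))"/>
   <property name="javax.net.ssl.trustStore" value="/path/to/ewallet.p12"/>
   <property name="javax.net.ssl.trustStoreType" value="PKCS12"/>
   <property name="security.providers.3" value="oracle.security.pki.OraclePKIProvider"/>
  </serviceInstance>
 </serviceInstances>
 <jpsContexts>
  <jpsContext name="sourceContext"><serviceInstanceRef ref="src.xml"/></jpsContext>
  <jpsContext name="destinationContext"><serviceInstanceRef ref="policystore.db.destination"/></jpsContext>
 </jpsContexts>
</jpsConfig>"""
SSL = "javax.net.ssl."

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # ignore any XML namespace

def check_db_instance(name, props):
    # The jdbc.url, trust store and key store property sets must agree.
    out, p = [], dict(props)
    urls = [v or "" for n, v in props if n == "jdbc.url"]
    if len(urls) != 1:
        out.append(f"{name}: expected exactly one jdbc.url, found {len(urls)}")
    if any("protocol=tcps" in u.lower().replace(" ", "") for u in urls):
        needed = [SSL + "trustStore", SSL + "trustStoreType", "security.providers.3"]
        if p.get(SSL + "trustStoreType") == "PKCS12":
            needed.append(SSL + "trustStorePassword")  # password is for PKCS12 only
        if SSL + "keyStore" in p:  # two-way SSL
            needed.append(SSL + "keyStoreType")
            if p.get(SSL + "keyStoreType") == "PKCS12":
                needed.append(SSL + "keyStorePassword")
        out += [f"{name}: tcps URL but {n} is not set" for n in needed if n not in p]
    return out

def check_migration_config(xml_text):
    # Returns a list of findings; an empty list means the checks passed.
    instances, contexts = {}, {}
    for el in ET.fromstring(xml_text).iter():
        if local(el) == "serviceInstance":
            instances[el.get("name")] = [(c.get("name"), c.get("value"))
                                         for c in el if local(c) == "property"]
        elif local(el) == "jpsContext":
            contexts[el.get("name")] = [c.get("ref") for c in el if local(c) == "serviceInstanceRef"]
    findings = []
    for ctx in ("sourceContext", "destinationContext"):
        refs = contexts.get(ctx, [])
        if not refs:
            findings.append(f"{ctx}: missing or has no serviceInstanceRef")
        findings += [f"{ctx}: ref '{r}' matches no serviceInstance"
                     for r in refs if r not in instances]
    for r in [r for r in contexts.get("destinationContext", []) if r in instances]:
        findings += check_db_instance(r, instances[r])
    return findings
```

Call check_migration_config on the text of your edited file; because the file holds the OPSS schema password in security.credential, run the check as the file's owner rather than copying the file elsewhere.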

Configuring OPSS JRF-Enabled Domain LDAP Server Connection

If you are using OUD or third-party LDAP directory server products, each OPSS JRF-enabled domain must be configured with connection details to OUD, as the LDAP identity store, in the jps-config.xml file so that Billing Care can retrieve users from the directory.

Note:

Additional LDAP servers, including Oracle Internet Directory and third-party LDAP directory server products, can be configured for use with Billing Care using the process described below. See "Configuring the Identity Store Service" in Oracle Fusion Middleware Application Security Guide for more information on using other LDAP servers.

To configure Billing Care's connection to OUD, on each OPSS JRF-enabled domain server where Billing Care is deployed:

  1. Open a secure shell or terminal session on the server where the OPSS JRF-enabled domain is located.

  2. Go to the Domain_home/config/fmwconfig directory, which contains the jps-config.xml file.

  3. In the <serviceInstances> section of the jps-config.xml file, add the following identity store service entry containing your OUD server connection information.

    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
       <description>LDAP Identity Store Service Instance</description>
       <property name="idstore.type" value="IPLANET"/>
       <property name="subscriber.name" value="subscriber.name"/>            
       <property name="cleartext.ldap.credentials" value="ldap_credentials"/>
       <property name="ldap.url" value="ldap:ldap_url:port"/>
    </serviceInstance>

    where:

    • idstore.ldap is the name of your LDAP authenticator.

    • subscriber.name includes the LDAP domain components for Billing Care users. For example:

      dc=billingcare, dc=com
    • ldap_credentials is an authentication string in clear text containing the required principal and password for accessing the LDAP server. For example:

      cn=Directory Manager,cn=Root DNs,cn=config:password

      where password is a valid credential for the common name user accessing the LDAP server.

    • ldap_url:port is the LDAP server URL and port number.

  4. In the <jpsContext name="default"> section of the jps-config.xml file, add the following entry to reference the identity store instance configured in the previous step:

    <serviceInstanceRef ref="idstore.ldap"/>

    where idstore.ldap is the serviceInstance name you configured in step 3 above.

  5. Save the file.
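Because this procedure places the LDAP bind password in jps-config.xml in clear text, the following added example (not part of the Oracle documentation) audits the result of steps 3 and 4: it confirms that the identity store instance is referenced from the default context and reports when a file holding the clear-text credential is accessible to anyone other than its owner. The function names, the sample XML, the host name and the password placeholder are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: step 3 was done, step 4 (the reference from the default
# context) was forgotten. Host name and password are placeholders.
SAMPLE = """<jpsConfig>
 <serviceInstances>
  <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
   <property name="idstore.type" value="IPLANET"/>
   <property name="subscriber.name" value="dc=billingcare,dc=com"/>
   <property name="cleartext.ldap.credentials" value="cn=Directory Manager,cn=Root DNs,cn=config:PLACEHOLDER"/>
   <property name="ldap.url" value="ldap://oud.example.com:1389"/>
  </serviceInstance>
 </serviceInstances>
 <jpsContexts default="default">
  <jpsContext name="default"/>
 </jpsContexts>
</jpsConfig>"""

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # ignore any XML namespace

def audit_idstore(xml_text, file_mode):
    """Return findings for LDAP identity store entries; file_mode is the
    permission bits of the jps-config.xml file that holds xml_text."""
    root = ET.fromstring(xml_text)
    default_refs = {r.get("ref") for ctx in root.iter()
                    if _local(ctx) == "jpsContext" and ctx.get("name") == "default"
                    for r in ctx if _local(r) == "serviceInstanceRef"}
    findings = []
    for inst in root.iter():
        if _local(inst) != "serviceInstance" or inst.get("provider") != "idstore.ldap.provider":
            continue
        name = inst.get("name")
        props = {p.get("name"): p.get("value") for p in inst if _local(p) == "property"}
        if name not in default_refs:
            findings.append(f"{name}: not referenced from jpsContext 'default'")
        for req in ("idstore.type", "subscriber.name", "ldap.url"):
            if not props.get(req):
                findings.append(f"{name}: {req} is missing or empty")
        if props.get("cleartext.ldap.credentials") and file_mode & 0o077:
            findings.append(f"{name}: clear-text credential in file with mode "
                            f"{file_mode:03o}, accessible beyond the owner")
    return findings

def audit_file(path):
    """Audit a jps-config.xml on disk, using its real permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit_idstore(fh.read(), stat.S_IMODE(os.stat(path).st_mode))

if __name__ == "__main__":
    for line in audit_idstore(SAMPLE, 0o644):
        print(line)
```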

Enabling Logging

Billing Care writes log messages using the Java Logging API. See Oracle Fusion Middleware Configuring Log Files and Filtering Log Messages for Oracle WebLogic Server for more information about enabling Billing Care logging.

Configuring SAML 2.0 for SSO Using a Service Provider

You can use SAML 2.0 for enabling SSO in Billing Care. SSO allows you to log in to applications using a single user name and password combination.

You can configure SAML authentication in a Billing Care domain using an Oracle Access Management service provider or an Oracle Identity Cloud Service (IDCS) service provider.

To configure SAML for SSO:

  1. Create a SAML2 assertion provider. See "Creating a SAML2 Assertion Provider".

  2. Create a SAML2 authenticator. See "Creating a SAML2 Authenticator".

  3. Configure the SAML2 general information. See "Configuring SAML2 General Information".

  4. Configure your SAML2 service provider. See "Configuring the SAML2 Service Provider".

  5. Create a SAML2 application in IDCS or Oracle Access Management.

  6. Update your deployment plan to define the cookie name and path. See "Updating the Deployment Plan of Billing Care".

  7. (IDCS only) In your Billing Care Infranet.properties file, set the SSO_SIGNOUT_URL parameter:

    SSO_SIGNOUT_URL=https://hostname:port/sso/v1/user/logout

    where hostname:port is the hostname and port for the IDCS logout URL.

Creating a SAML2 Assertion Provider

To create a SAML2 assertion provider:

  1. Log in to WebLogic Server Administration Console.

  2. In the Domain Structure section, click the Security Realms link.

    The Summary of Security Realms page appears.

  3. Click the myrealm link.

    The Settings for myrealm page appears.

  4. Click the Providers tab, the Authentication subtab, and then New.

    The Create a New Authentication Provider page appears.

  5. In the Name field, enter samlBCAsserter.

  6. From the Type list, select SAML2IdentityAsserter.

  7. Click OK.

  8. Restart WebLogic Server.

  9. In the Authentication subtab, click the samlBCAsserter link.

    The Settings for samlBCAsserter page appears.

  10. Click the Management tab.

  11. Click New and then click New Web Single Sign-On Identity Provider Partner.

    The Create a SAML 2.0 Web Single Sign-On Identity Provider Partner page appears.

  12. In the Name field, enter WebSSO-IdP-Partner.

  13. In the Path field, enter the path to the XML file that contains the identity provider's metadata, such as metadata.xml.

  14. Click OK.

  15. In the Settings for samlBCAsserter page, click the Management tab and then click the WebSSO-IdP-Partner-0 link.

  16. In the General tab, select the Enabled, Virtual User, and Process Attributes check boxes.

  17. In the Redirect URIs field, enter /bc/*.

  18. Click Save.

Creating a SAML2 Authenticator

To create a SAML2 authenticator:

  1. Log in to WebLogic Server Administration Console.

  2. In the Domain Structure section, click the Security Realms link.

    The Summary of Security Realms page appears.

  3. Click the myrealm link.

    The Settings for myrealm page appears.

  4. Click the Providers tab, the Authentication subtab, and then New.

    The Create a New Authentication Provider page appears.

  5. In the Name field, enter samlBCAuthenticator.

  6. From the Type list, select SAMLAuthenticator.

  7. Click OK.

  8. In the Authentication Providers table, click the samlBCAuthenticator link and change the Control Flag to SUFFICIENT.

  9. Click Save.

  10. In the Authentication Providers table, click the DefaultAuthenticator link, and change the Control Flag to SUFFICIENT.

  11. Click Save.

  12. In the Authentication Providers table, click Reorder.

    The Reorder Authentication Providers page appears.

  13. Reorder the providers in the following order:

    • samlBCAuthenticator

    • samlBCAsserter

    • DefaultAuthenticator

    • DefaultIdentityAsserter

  14. Click OK.

Configuring SAML2 General Information

To configure SAML 2.0 general information:

  1. In the Domain Structure section, expand Environment and then click Servers.

    The Summary of Servers page appears.

  2. In the Servers table, click the AdminServer link.

    The Settings for AdminServer page appears.

  3. Select the Configuration tab, the Federation Services subtab, and then the SAML 2.0 General subtab.

  4. In the Published Site URL field, enter http://BillingCare_hostname:port/saml2.

    where:

    • BillingCare_hostname is either the Billing Care application host name or the load balancer host name.

    • port is the port on which Billing Care is listening.

  5. In the Entity ID field, enter samlBCAsserter.

  6. Click Save.

Configuring the SAML2 Service Provider

To configure the SAML2 service provider:

  1. Log in to WebLogic Server Administration Console.

  2. In the Domain Structure section, expand Environment and then click Servers.

    The Summary of Servers page appears.

  3. In the Servers table, click the AdminServer link.

    The Settings for AdminServer page appears.

  4. Select the Configuration tab, the Federation Services subtab, and then the SAML 2.0 Service Provider subtab.

  5. Select the Enabled check box.

  6. From the Preferred Binding list, select POST.

  7. In the Default URL field, enter http://BillingCare_hostname:port/bc/login.html.

    where:

    • BillingCare_hostname is the Billing Care application host name or load balancer name.

    • port is the port on which Billing Care is listening.

  8. Restart WebLogic Server.

Updating the Deployment Plan of Billing Care

To update the deployment plan of Billing Care:

  1. Merge the following contents with your existing Billing Care deployment plan:

    <?xml version='1.0' encoding='UTF-8'?>
    <deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan
    http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd"
    global-variables="false">
       <application-name>BillingCare.war</application-name>
       <variable-definition> 
          <variable>
             <name>cookie-name</name>
             <value>JSESSIONID</value>
          </variable>
          <variable>            
             <name>cookie-path</name>            
             <value>/bc</value>         
          </variable>
       </variable-definition>
       <module-override>
          <module-name>BillingCare.war</module-name>
          <module-type>war</module-type>
          <module-descriptor external="true">
             <root-element>weblogic-web-app</root-element>
             <uri>WEB-INF/weblogic.xml</uri>
             <variable-assignment>
                <name>cookie-name</name>
                <xpath>/weblogic-web-app/session-descriptor/cookie-name</xpath>
                <operation>replace</operation>
             </variable-assignment>
             <variable-assignment>
                <name>cookie-path</name>
                <xpath>/weblogic-web-app/session-descriptor/cookie-path</xpath>
                <operation>remove</operation>
             </variable-assignment>
          </module-descriptor>
       </module-override>
    </deployment-plan>
  2. Log in to the Oracle WebLogic Server Administration Console.

  3. In the Domain Structure section, click Deployments.

  4. In the Configuration tab, select the BillingCare check box and then click Update.

    The Update Application Assistant screen appears.

  5. In Deployment plan path, click Change Path and enter the path to your Billing Care deployment file.

  6. Click Finish.