16 Configuring Fusion Middleware Security for Content Server

This chapter provides security configuration information and procedures for integrating Oracle Fusion Middleware, Oracle WebLogic Server, and Oracle authentication and authorization software with Oracle WebCenter Content and Oracle WebCenter Content Server.


For more information about Oracle Fusion Middleware and Oracle WebLogic Server security, see the documentation listed in Table 16-1.

16.1 LDAP Authentication Providers

Oracle WebCenter Content runs on Oracle WebLogic Server. The Oracle WebLogic Server domain includes an embedded Lightweight Directory Access Protocol (LDAP) server that acts as the default security provider data store for the Default Authentication, Authorization, Credential Mapping, and Role Mapping providers. WebCenter Content provides the default JpsUserProvider to communicate with Oracle WebLogic Server. See Managing the Embedded LDAP Server in Administering Security for Oracle WebLogic Server, and Configure the Embedded LDAP Server in Oracle WebLogic Server Administration Console Online Help.

In almost all cases, the identity store of an Oracle WebCenter Content production system must be reassociated with an external LDAP authentication provider rather than using the embedded LDAP server. After the new LDAP authentication provider is configured, migrate users from the embedded LDAP provider to the new provider. The external LDAP authentication provider, such as Oracle Internet Directory (OID), must be listed before all other authentication providers, including the default authentication provider; otherwise WebCenter Content fails to load any user privileges. See Reassociating the Identity Store with an External LDAP Authentication Provider in Installing and Configuring Oracle WebCenter Content.

Note:

As of 11g Release 1 (11.1.1.6.0) Oracle WebCenter Content supports use of the Oracle Virtual Directory library (libOVD) feature, which enables a site to use multiple providers for login and group membership information. For example, it would be possible to use two Oracle Internet Directory (OID) providers as sources of user and role information. See Configuring Single and Multiple LDAPs in Securing Applications with Oracle Platform Security Services.

Table 16-1 lists some of the LDAP providers that can be configured for user authentication.

Table 16-1 LDAP Authenticator Types

LDAP Server                                          Authenticator Provider
Microsoft AD                                         ActiveDirectoryAuthenticator
SunOne LDAP                                          IPlanetAuthenticator
Oracle Directory Server Enterprise Edition (ODSEE)   IPlanetAuthenticator
Oracle Unified Directory (OUD)                       IPlanetAuthenticator
Oracle Internet Directory                            OracleInternetDirectoryAuthenticator
Oracle Virtual Directory                             OracleVirtualDirectoryAuthenticator
EDIRECTORY                                           NovellAuthenticator
OpenLDAP                                             OpenLDAPAuthenticator
EmbeddedLDAP                                         DefaultAuthenticator

If you want to configure WebCenter Content to use an external LDAP server and your directory has dynamic groups (as well as static groups) whose privileges you want WebCenter Content to recognize, additional configuration is necessary. User creation, authentication, and authorization are managed through Oracle Platform Security Services (OPSS), which gathers directory server information by a different mechanism than the native Oracle WebLogic Server providers for an external LDAP server. See the Oracle WebCenter and Dynamic Groups from an External LDAP Server blog.

16.2 Configuring Oracle WebCenter Content to Use SSL

You can configure Oracle Fusion Middleware to secure communications with WebCenter Content using SSL/TLS, the industry standard for securing communications. Oracle Fusion Middleware supports SSL version 3 as well as TLS version 1. SSL 3.0 has since been deprecated (RFC 7568) and should be disabled in favor of TLS wherever your Oracle WebLogic Server and JDK versions allow it; this chapter uses the term SSL for both.


For additional information, see Configuring SSL in Administering Security for Oracle WebLogic Server. For information on Web Tier configuration, see SSL Configuration in Oracle Fusion Middleware in Administering Oracle Fusion Middleware.

16.2.1 Configuring WebCenter Content for Two-Way SSL Communication

WebCenter Content uses the Oracle WebLogic Server Secure Sockets Layer (SSL) stacks for two-way SSL configurations.

  • For the inbound Web service bindings, WebCenter Content uses the Oracle WebLogic Server infrastructure and, therefore, the Oracle WebLogic Server libraries for SSL.

  • For the outbound Web service bindings, WebCenter Content uses JRF HttpClient and, therefore, the Oracle Sun JDK libraries for SSL.

Due to this difference, start Oracle WebLogic Server with the following JVM option:

  1. Open the following file:

    • On UNIX operating systems, open $MIDDLEWARE_HOME/user_projects/domains/domain_name/bin/setDomainEnv.sh.

    • On Windows operating systems, open MIDDLEWARE_HOME\user_projects\domains\domain_name\bin\setDomainEnv.bat.

  2. Add the following line to the JAVA_OPTIONS section if the server is enabled for one-way SSL (server authentication only):

    -Djavax.net.ssl.trustStore=your_truststore_location
    

    For two-way SSL, the keystore location and password are not set in JAVA_OPTIONS; they are supplied through the keystore location setting and the credential store map described in the following procedure.

To enable two-way SSL for WebCenter Content to invoke another application:

Note:

Both the server and client are assumed to have been configured for SSL with mutual authentication.

  1. On the client side, provide the keystore location.

    1. From the SOA Infrastructure menu, choose SOA Administration, then Common Properties.

    2. At the bottom of the page, click More SOA Infra Advanced Configuration Properties.

    3. Click KeystoreLocation.

    4. In the Value column, enter the keystore location.

    5. Click Apply.

    6. Click Return.

  2. On the client side, provide the keystore location in DOMAIN_HOME\config\soa-infra\configuration\soa-infra-config.xml.

    <keystoreLocation>absolute_path_to_the_keystore_location_and_the_file_name
    </keystoreLocation> 
    
  3. During design time in Oracle JDeveloper, update the reference section in the composite.xml file with the oracle.soa.two.way.ssl.enabled property.

    <reference name="Service1" 
       ui:wsdlLocation=". . ."> 
       <interface.wsdl interface=". . ."/> 
         <binding.ws port=". . ."> 
          <property name="oracle.soa.two.way.ssl.enabled">true</property> 
      </binding.ws> 
     </reference> 
    
  4. In Oracle Enterprise Manager Fusion Middleware Control Console, select WebLogic Domain, then domain_name.

  5. Right-click domain_name and select Security, then Credentials.

  6. Click Create Map.

  7. In the Map Name field, enter a name (for example, SOA), and click OK.

  8. Click Create Key.

  9. Enter the following details:

    Field Description

    Select Map

    Select the map created in Step 7 (for this example, SOA).

    Key

    Enter the key name (KeystorePassword is the default).

    Type

    Select Password.

    User Name

    Enter the keystore user name (KeystorePassword is the default).

    Password

    Enter the password that you created for the keystore.

    Note:

    When you set up SSL on an Oracle WebLogic Server domain, a key alias is required, and the alias must be mykey.

  10. Set the keystore location in Oracle Enterprise Manager Fusion Middleware Control Console. See Step 1 for instructions.

  11. Modify the composite.xml syntax to use https and sslport to invoke Oracle WebCenter Content. For example, in the following composite.xml, change the location attribute of the second import:

    <?xml version="1.0" encoding="UTF-8" ?>
    <!-- Generated by Oracle SOA Modeler version 1.0 at [4/1/09 11:01 PM]. -->
    <composite name="InvokeEchoBPELSync"
               revision="1.0"
               label="2009-04-01_23-01-53_994"
               mode="active"
               state="on"
               xmlns="http://xmlns.example.com/sca/1.0"
               xmlns:xs="http://www.w3.org/2001/XMLSchema"
               xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
               xmlns:orawsp="http://schemas.example.com/ws/2006/01/policy"
               xmlns:ui="http://xmlns.example.com/soa/designer/">
      <import namespace="http://xmlns.example.com/CustomApps/InvokeEchoBPELSync/BPELProcess1"
              location="BPELProcess1.wsdl" importType="wsdl"/>
      <import namespace="http://xmlns.example.com/CustomApps/EchoBPELSync/BPELProcess1"
              location="http://hostname:port/soa-infra/services/default/EchoBPELSync/BPELProcess1.wsdl"
              importType="wsdl"/>

    from http://hostname:port to https://hostname:sslport:

              location="https://hostname:sslport/soa-infra/services/default/EchoBPELSync/BPELProcess1.wsdl"

16.2.2 Invoking References in One-Way SSL Environments in Oracle JDeveloper

When invoking a Web service as an external reference from WebCenter Content in one-way SSL environments, ensure that the certificate's common name (CN) and the host name used in the URL match exactly. Otherwise the SSL handshake fails.

For example, if a Web service is named adfbc and the certificate was issued to the server name host, the following results in an SSL handshake exception.

<import namespace="/adfbc1/common/"
location="https://host.example.com:8002/CustomApps-adfbc1-context-root/AppModuleService?WSDL"
          importType="wsdl"/> 
<import namespace="/adfbc1/common/" location="Service1.wsdl" 
          importType="wsdl"/> 

If you switch the order of import, the SSL handshake passes.

<import namespace="/adfbc1/common/" location="Service1.wsdl" 
          importType="wsdl"/> 
<import namespace="/adfbc1/common/" 
location="https://host.example.com:8002/CustomApps-adfbc1-context-root/AppModuleService?WSDL" 
          importType="wsdl"/> 

Note the following restrictions around this issue:

  • Oracle JDeveloper has no option for ignoring host name verification like the one in the Oracle WebLogic Server Administration Console, because the SSL kit used by Oracle JDeveloper is different. Only the trust store can be configured from the command line; no other certificate arguments are passed.

  • In the WSDL file, the host name in https://hostname must match the name in the certificate, as described above. You cannot work around a mismatch the way you can with a browser. For example, if the certificate's CN is host.example.com, a browser lets you use host, host.example.com, or the IP address; in Oracle JDeveloper, always use exactly the name in the certificate (that is, host.example.com).
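The matching rule described above, written out as an added example (it is not code from this page or from Oracle JDeveloper): a strict host name check in the style of RFC 6125, applied to the location attributes of composite.xml imports so that a mismatch is caught before deployment rather than as a handshake exception at run time. The composite fragment is constructed from the imports shown above; the host and IP-address variants, the wildcard handling, and the 192.0.2.10 address are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample modelled on the page's composite.xml imports.  The "host" and
# 192.0.2.10 forms are the ones a browser tolerates but JDeveloper does not.
SAMPLE_IMPORTS = """
<import namespace="/adfbc1/common/" location="Service1.wsdl"
          importType="wsdl"/>
<import namespace="/adfbc1/common/"
location="https://host.example.com:8002/CustomApps-adfbc1-context-root/AppModuleService?WSDL"
          importType="wsdl"/>
<import namespace="/adfbc1/common/"
location="https://host:8002/CustomApps-adfbc1-context-root/AppModuleService?WSDL"
          importType="wsdl"/>
<import namespace="/adfbc1/common/"
location="https://192.0.2.10:8002/CustomApps-adfbc1-context-root/AppModuleService?WSDL"
          importType="wsdl"/>
"""


def dns_name_matches(pattern, host):
    """Strict comparison of one certificate DNS name against a requested host.

    Case-insensitive exact match, or a single '*' standing for exactly one
    left-most label (never a partial label, never the registered domain itself).
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def host_matches_certificate(host, dns_names, ip_addresses=()):
    """True if the URL host is a name the certificate was issued for.

    An IP literal only matches an iPAddress subjectAltName; it never matches a
    CN or dNSName, which is why the IP-address form fails the handshake.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(dns_name_matches(name, host) for name in dns_names)
    return any(ip == ipaddress.ip_address(addr) for addr in ip_addresses)


LOCATION_RE = re.compile(r'\blocation="([^"]+)"')


def check_wsdl_imports(composite_fragment, dns_names, ip_addresses=()):
    """Predict, per import location, whether the WSDL fetch passes host name verification."""
    verdicts = []
    for location in LOCATION_RE.findall(composite_fragment):
        url = urlparse(location)
        if url.scheme != "https":
            verdicts.append((location, "no TLS"))            # local file or plain http
        elif host_matches_certificate(url.hostname, dns_names, ip_addresses):
            verdicts.append((location, "ok"))
        else:
            verdicts.append((location, "handshake will fail: host not in certificate"))
    return verdicts


if __name__ == "__main__":
    for location, verdict in check_wsdl_imports(SAMPLE_IMPORTS, ["host.example.com"]):
        print(f"{verdict:45} {location}")
```

Run it against the DNS names (and, if present, IP addresses) from the server certificate's subject alternative name, falling back to the CN only for certificates that have no SAN; only the second import above passes with a certificate issued to host.example.com.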

16.2.3 Configuring WebCenter Content, Oracle HTTP Server for SSL Communication

Follow these procedures to configure SSL communication between WebCenter Content and Oracle HTTP Server.

See Configuring SSL for the Web Tier in Administering Oracle Fusion Middleware.

To configure Oracle HTTP Server for SSL communication:

  1. Append the following <Location /cs> directive to ssl.conf, where port is the port number of the target managed server.

    <Location /cs>
          WebLogicPort 8002
          SetHandler weblogic-handler
          ErrorPage http://host.example.com:port/error.html
    </Location>
    
  2. Start Oracle WebLogic Server as described in Configuring WebCenter Content for Two-Way SSL Communication.

To configure certificates for Oracle Client, Oracle HTTP Server, and Oracle WebLogic Server:

  1. Export the user certificate from the Oracle HTTP Server wallet.
    orapki wallet export -wallet . -cert cert.txt  -dn 'CN=\"Self-Signed Certificate for ohs1 \",OU=OAS,O=ORACLE,L=REDWOODSHORES,ST=CA,C=US'
    
  2. Import the above certificate into the Oracle WebLogic Server truststore as a trusted certificate.
    keytool -file cert.txt -importcert -trustcacerts -keystore DemoTrust.jks
    
  3. Export the certificate from the Oracle WebLogic Server truststore.
    keytool -keystore DemoTrust.jks -exportcert -alias wlscertgencab -rfc -file
    certgencab.crt
    
  4. Import the above certificate to the Oracle HTTP Server wallet as a trusted certificate.
    orapki wallet add -wallet . -trusted_cert -cert certgencab.crt -auto_login_only
    
  5. Restart Oracle HTTP Server.
  6. Restart Oracle WebLogic Server as described in Configuring WebCenter Content for Two-Way SSL Communication.

16.2.4 Switching from Non-SSL to SSL Configurations for WebCenter Content

Switching from non-SSL to SSL configurations for WebCenter Content requires the Frontend Host and Frontend HTTPS Port fields to be set in the Oracle WebLogic Server Administration Console. Not doing so results in exception errors when you attempt to create to-do tasks.

  1. Log in to the Oracle WebLogic Server Administration Console.
  2. In the Environment section, select Servers.
  3. Select the name of the managed server (for example, UCM_server1).
  4. Select Protocols, then select HTTP.
  5. In the Frontend Host field, enter the host name on which the WebCenter Content domain is located.
  6. In the Frontend HTTPS Port field, enter the SSL listener port.
  7. Click Save.

16.2.5 Using a Custom Trust Store for One-Way SSL

To invoke WebCenter Content over HTTPS when using a custom trust store created with a tool such as keytool or orapki, perform the following actions in Oracle JDeveloper:

  1. To fetch a WSDL file in the reference section, set the trust store information in Tools, then Preferences, then Http Analyzer, then HTTPS Setup, then Client Trusted Certificate Keystore.
  2. During deployment to an SSL-enabled server, use the JSSE property at the command line:
    jdev -J-Djavax.net.ssl.trustStore=your_trusted_location

16.2.6 Enabling an Asynchronous Process to Invoke an Asynchronous Process

To enable an asynchronous process deployed to an SSL-enabled managed server to invoke another asynchronous process over HTTP, assume the following environment:

  • Asynchronous BPEL process A invokes asynchronous BPEL process B

  • Asynchronous BPEL process A is deployed to a one-way SSL-enabled managed server

  • All WSDL references and bindings use plain HTTP

At run time, the WSDL is looked up over HTTPS, and the callback message from asynchronous BPEL process B fails.

To resolve this issue, pass the callbackServerURL property at the reference binding level in the composite.xml file. This explicitly sets the callback URL for the given reference invocation; without it, a client composite running on an SSL-enabled managed server defaults the callback to SSL.

<reference name="Service1" ui:wsdlLocation="http://localhost:8000/soa-infra/services/default/
                AsyncSecondBPELMTOM/BPELProcess1.wsdl"> 
    <interface.wsdl interface="http://xmlns.example.com/Async/AsyncSecondBPELMTOM/BPELProcess1# 
                wsdl.interface(BPELProcess1)" callbackInterface="http://xmlns.example.com/Async/ 
                AsyncSecondBPELMTOM/BPELProcess1#wsdl.interface(BPELProcess1Callback)"/> 
    <binding.ws port="http://xmlns.example.com/Async/AsyncSecondBPELMTOM/BPELProcess1#
                wsdl.endpoint(bpelprocess1_client_ep/BPELProcess1_pt)" 
        location="http://localhost:8000/soa-infra/services/default/AsyncSecondBPELMTOM 
                /bpelprocess1_client_ep?WSDL"> 
            <wsp:PolicyReference URI="oracle/wss_username_token_client_policy" 
                orawsp:category="security" orawsp:status="enabled"/>
            <wsp:PolicyReference URI="oracle/wsaddr_policy"  orawsp:category="addressing"
                orawsp:status="enabled"/> 
            <property name="callbackServerURL">http://localhost:8000/</property> 
    </binding.ws> 
    <callback> 
            <binding.ws port="http://xmlns.example.com/Async/AsyncSecondBPELMTOM/BPELProcess1#
                wsdl.endpoint(bpelprocess1_client_ep/BPELProcess1Callback_pt)"> 
              <wsp:PolicyReference URI="oracle/wss_username_token_service_policy"
                  orawsp:category="security" orawsp:status="enabled"/> 
            </binding.ws> 
    </callback> 
</reference> 

16.2.7 Configuring RIDC SSL for Valid Certificate Path

To use Remote Intradoc Client (RIDC) with self-signed certificates, you must import the certificate into your local JVM certificate store so that it is trusted. Importing into the JDK's cacerts file trusts the certificate for every application running on that JVM; a dedicated trust store referenced through -Djavax.net.ssl.trustStore limits the scope of that trust.

  1. Retrieve the server certificate from the Content Server instance. For example:
    openssl s_client -connect host.example.com:7045 2>/dev/null
    
    CONNECTED(00000003)
    ---
    Certificate chain
      
     0 s:/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING ONLY/CN=hostname 
    i:/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING ONLY/CN=CertGenCAB
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIB6zCCAZUCEItVMwHDFXAnYG//RoVbXQgwDQYJKoZIhvcNAQEEBQAweTELMAkG
    A1UEBhMCVVMxEDAOBgNVBAgTB015U3RhdGUxDzANBgNVBAcTBk15VG93bjEXMBUG
    A1UEChMOTXlPcmdhbml6YXRpb24xGTAXBgNVBAsTEEZPUiBURVNUSU5HIE9OTFkx
    EzARBgNVBAMTCkNlcnRHZW5DQUIwHhcNMDkwMzI5MjM0NDM0WhcNMjQwMzMwMjM0
    NDM0WjB5MQswCQYDVQQGEwJVUzEQMA4GA1UECBYHTXlTdGF0ZTEPMA0GA1UEBxYG
    TXlUb3duMRcwFQYDVQQKFg5NeU9yZ2FuaXphdGlvbjEZMBcGA1UECxYQRk9SIFRF
    U1RJTkcgT05MWTETMBEGA1UEAxYKZGFkdm1jMDAyMjBcMA0GCSqGSIb3DQEBAQUA
    A0sAMEgCQQCmxv+h8kzOc2xyjMCdPM6By5LY0Vlp4vzWFKmPgEytp6Wd87sG+YDB
    PeFOz210XXGMx6F/14/yFlpCplmazWkDAgMBAAEwDQYJKoZIhvcNAQEEBQADQQBn
    uF/s6EqCT38Aw7h/406uPhNh6LUF7XH7QzmRv3J1sCxqRnA/fK3JCXElshVlPk8G
    hwE4G1zxpr/JZu6+jLrW
    -----END CERTIFICATE-----
    subject=/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING
    ONLY/CN=host
    issuer=/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING
    ONLY/CN=CertGenCAB
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 625 bytes and written 236 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 512 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
       Protocol  : TLSv1
       Cipher    : RC4-MD5
       Session-ID: 23E20BCAA4BC780CE20DE198CE2DFEE4
       Session-ID-ctx:
       Master-Key:
    4C6F8E9B9566C2BAF49A4FD91BE90DC51F1E43A238B03EE9B700741AC7F4B41C72D2990648DE103
    BB73B3074888E1D91
       Key-Arg   : None
       Start Time: 1238539378
       Timeout   : 300 (sec)
       Verify return code: 21 (unable to verify the first certificate)
    ---
    
  2. Copy and paste the server certificate, including the surrounding -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into a new file. For example, /tmp/host.pem:
    
    -----BEGIN CERTIFICATE-----
    MIIB6zCCAZUCEItVMwHDFXAnYG//RoVbXQgwDQYJKoZIhvcNAQEEBQAweTELMAkG
    A1UEBhMCVVMxEDAOBgNVBAgTB015U3RhdGUxDzANBgNVBAcTBk15VG93bjEXMBUG
    A1UEChMOTXlPcmdhbml6YXRpb24xGTAXBgNVBAsTEEZPUiBURVNUSU5HIE9OTFkx
    EzARBgNVBAMTCkNlcnRHZW5DQUIwHhcNMDkwMzI5MjM0NDM0WhcNMjQwMzMwMjM0
    NDM0WjB5MQswCQYDVQQGEwJVUzEQMA4GA1UECBYHTXlTdGF0ZTEPMA0GA1UEBxYG
    TXlUb3duMRcwFQYDVQQKFg5NeU9yZ2FuaXphdGlvbjEZMBcGA1UECxYQRk9SIFRF
    U1RJTkcgT05MWTETMBEGA1UEAxYKZGFkdm1jMDAyMjBcMA0GCSqGSIb3DQEBAQUA
    A0sAMEgCQQCmxv+h8kzOc2xyjMCdPM6By5LY0Vlp4vzWFKmPgEytp6Wd87sG+YDB
    PeFOz210XXGMx6F/14/yFlpCplmazWkDAgMBAAEwDQYJKoZIhvcNAQEEBQADQQBn
    uF/s6EqCT38Aw7h/406uPhNh6LUF7XH7QzmRv3J1sCxqRnA/fK3JCXElshVlPk8G
    hwE4G1zxpr/JZu6+jLrW
    -----END CERTIFICATE-----
    
  3. Import the certificate into the local JVM certificate store. You will need the keystore password. For example (the password is changeit):
    sudo /opt/java/jdk1.6.0_12/bin/keytool -import -alias host -keystore 
    /opt/java/jdk1.6.0_12/jre/lib/security/cacerts -trustcacerts -file 
    /tmp/host.pem
    
    Enter keystore password: changeit 
    Owner: CN=host, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown,
    ST=MyState, C=US
    Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown,
    ST=MyState, C=US
    Serial number: -74aaccfe3cea8fd89f9000b97aa4a2f8
    Valid from: Sun Mar 29 16:44:34 PDT 2009 until: Sat Mar 30 16:44:34 PDT 2024
    Certificate fingerprints:
        MD5:  94:F9:D2:45:7F:0D:E3:87:CF:2B:32:7C:BF:97:FF:50
        SHA1: A8:A5:89:8B:48:9B:98:34:70:56:11:01:5C:14:32:AC:CB:18:FF:1F
        Signature algorithm name: MD5withRSA
        Version: 1
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
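As an added example (not part of this page and not Oracle tooling), the following standard-library Python automates steps 1 and 2 above, decodes the fields keytool prints in step 3 directly from the DER, and adds the checks worth making before answering yes at the Trust this certificate? prompt. The s_client output is a constructed copy of the page's own sample certificate, so it runs offline. Note what it reports for that sample: an MD5withRSA signature, a 512-bit key, and a validity period that has ended, which is the FOR TESTING ONLY CertGen demo certificate shown above and not something to trust in production.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample: the server certificate from the page's openssl s_client output.
SAMPLE_S_CLIENT_OUTPUT = """Server certificate
-----BEGIN CERTIFICATE-----
MIIB6zCCAZUCEItVMwHDFXAnYG//RoVbXQgwDQYJKoZIhvcNAQEEBQAweTELMAkG
A1UEBhMCVVMxEDAOBgNVBAgTB015U3RhdGUxDzANBgNVBAcTBk15VG93bjEXMBUG
A1UEChMOTXlPcmdhbml6YXRpb24xGTAXBgNVBAsTEEZPUiBURVNUSU5HIE9OTFkx
EzARBgNVBAMTCkNlcnRHZW5DQUIwHhcNMDkwMzI5MjM0NDM0WhcNMjQwMzMwMjM0
NDM0WjB5MQswCQYDVQQGEwJVUzEQMA4GA1UECBYHTXlTdGF0ZTEPMA0GA1UEBxYG
TXlUb3duMRcwFQYDVQQKFg5NeU9yZ2FuaXphdGlvbjEZMBcGA1UECxYQRk9SIFRF
U1RJTkcgT05MWTETMBEGA1UEAxYKZGFkdm1jMDAyMjBcMA0GCSqGSIb3DQEBAQUA
A0sAMEgCQQCmxv+h8kzOc2xyjMCdPM6By5LY0Vlp4vzWFKmPgEytp6Wd87sG+YDB
PeFOz210XXGMx6F/14/yFlpCplmazWkDAgMBAAEwDQYJKoZIhvcNAQEEBQADQQBn
uF/s6EqCT38Aw7h/406uPhNh6LUF7XH7QzmRv3J1sCxqRnA/fK3JCXElshVlPk8G
hwE4G1zxpr/JZu6+jLrW
-----END CERTIFICATE-----
subject=/C=US/ST=MyState/L=MyTown/O=MyOrganization/OU=FOR TESTING ONLY/CN=host
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                       "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}


def extract_pem_certificates(text):
    """Step 2 of the procedure: every certificate block in s_client output, as clean PEM."""
    blocks = []
    for body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n")
    return blocks


def pem_to_der(pem):
    return base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, value, end of element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    children, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        children.append((tag, inner))
    return children


def decode_oid(raw):
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))


def fingerprint(der, algorithm):
    return ":".join(f"{b:02X}" for b in hashlib.new(algorithm, der).digest())


def summarize_certificate(der):
    """The fields keytool prints before asking 'Trust this certificate?', read from the DER."""
    fields = der_children(der_children(der_tlv(der)[1])[0][1])   # tbsCertificate children
    version = 1
    if fields[0][0] == 0xA0:                            # explicit [0] version: v2/v3 only
        version = int.from_bytes(der_children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    serial, sig_alg, _issuer, validity, _subject, spki = fields[:6]
    key_bits = None
    spki_alg, spki_key = der_children(spki[1])
    if decode_oid(der_children(spki_alg[1])[0][1]) == "1.2.840.113549.1.1.1":   # rsaEncryption
        rsa_seq = der_tlv(spki_key[1], 1)[1]            # skip the BIT STRING unused-bits byte
        key_bits = int.from_bytes(der_children(rsa_seq)[0][1], "big").bit_length()
    not_before, not_after = (v.decode() for _, v in der_children(validity[1]))
    return {"version": version,
            "serial": int.from_bytes(serial[1], "big", signed=True),   # keytool prints it signed too
            "signature_algorithm": decode_oid(der_children(sig_alg[1])[0][1]),
            "not_before": not_before, "not_after": not_after, "rsa_key_bits": key_bits,
            "sha1_fingerprint": fingerprint(der, "sha1"),
            "sha256_fingerprint": fingerprint(der, "sha256")}


def utctime(s):
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def trust_problems(info, now=None):
    """Reasons to answer 'no' at the keytool prompt instead of importing blindly."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["signature_algorithm"] in WEAK_SIGNATURE_OIDS:
        problems.append("weak signature: " + WEAK_SIGNATURE_OIDS[info["signature_algorithm"]])
    if info["rsa_key_bits"] is not None and info["rsa_key_bits"] < 2048:
        problems.append(f"RSA key too short: {info['rsa_key_bits']} bits")
    if utctime(info["not_after"]) < now:
        problems.append("expired " + info["not_after"])
    return problems
```

Compare the SHA-1 and SHA-256 fingerprints it prints with values obtained out of band from the Content Server administrator before importing: a certificate fetched over the network, as in step 1, is exactly what an on-path attacker can substitute, and trusting whatever s_client returned defeats the purpose of the trust store.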

16.3 Configuring WebCenter Content for Single Sign-On

You can configure one of these single sign-on (SSO) solutions for Oracle WebCenter Content:

  • Oracle Access Manager 12c

  • Oracle Access Manager 11g

  • Oracle Access Manager 10g

  • Oracle Single Sign-On (OSSO)

  • Windows Native Authentication (WNA)

Oracle Access Manager (OAM) is the recommended single sign-on (SSO) solution for Oracle Fusion Middleware enterprise-class installations including WebCenter Content. OAM is part of Oracle's suite of enterprise-class products for identity management and security.

If your enterprise-class installation uses Microsoft desktop logins that authenticate with a Microsoft domain controller with user accounts in Active Directory, then configuring Windows Native Authentication (WNA) single sign-on may be an option. For more information about WNA, see Configuring WebCenter Content and Single Sign-On for Windows Native Authentication.

For an overview of Oracle WebLogic Server authentication providers, see Configuring Authentication Providers in Administering Security for Oracle WebLogic Server.

Note:

WebDAV (/dav) is protected by basic authentication per WebDAV protocol and is not protected by SSO, which typically requires form-based login. If you want to use a custom SSO solution for WebDAV, then a custom component is necessary.


16.3.1 Configuring Oracle Access Manager 12c with WebCenter Content

This section describes how to integrate WebCenter Content with Oracle Access Manager (OAM) 12c. Configuration information is provided for Oracle WebCenter Content: Content Server (CS), Oracle WebCenter Content: Inbound Refinery (IBR), and Oracle WebCenter Content: Site Studio (SS).

  1. Configure OAM 12c, Oracle HTTP Server (OHS), and WebGate as described in Administrator’s Guide for Oracle Access Management for All Platforms.

    1. Append entries to the mod_wl_ohs.conf file to add WebCenter Content Uniform Resource Identifiers (URIs) to forward. Use the appropriate location entries from the following example. Each entry in the example maps the incoming path to the appropriate Oracle WebLogic Server on which the corresponding application resides.

      In the following list of entries, hostname represents the name of the computer hosting the Content Server, and portnumber represents the port number of the Oracle WebLogic Server on which the corresponding application resides. Replace hostname and portnumber with your system's host name and port number.

      Note:

      The URIs you forward depend on the WebCenter Content functionality that you have installed. Use the appropriate location entry for your functionality. For example: /cs, /adfAuthentication, /_ocsh, /ibr.

      For Site Studio, the URI to forward is configured by the customer. For example, if the site is accessed as /mysite, then you need to append a location entry for /mysite.

      Caution:

      The Content Server location /cs can be customized, so the /cs designation can't guarantee that HTTP requests will include the correct location. If /cs has been changed, then forward the location the administrator has configured.

      # Content Server
      <Location /cs>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # Content Server authentication
      <Location /adfAuthentication>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # WebCenter online help
      <Location /_ocsh>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # IBR
      <Location /ibr>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # SS
      <Location /customer-configured-site-studio>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
    2. Use the OAM 12c remote registration tool (oamreg) to register an OAM Agent, specifying Oracle WebCenter Content URIs to protect and to make public.

      See Administrator’s Guide for Oracle Access Management for All Platforms.

      Note:

      The URIs you protect and make public depend on the WebCenter Content functionality that you have installed: Content Server (CS), Inbound Refinery (IBR), Site Studio (SS).

      For Site Studio, the URI to protect is configured by the customer. For example, if the site is accessed as /mysite, then you need to specify the URI /mysite.

      Functionality   Type      URI
      CS              Protect   /adfAuthentication
      CS              Public    /cs
      CS              Public    /_ocsh
      IBR             Protect   /ibr/adfAuthentication
      IBR             Public    /ibr
      SS              Protect   /customer_configured_site_studio

    3. Add the URL /oamsso/logout.html to the logout URL setting for the AccessGate so the single sign-on logout works properly. See Configuring Centralized Logout for Sessions Involving OAM WebGates in Oracle Fusion Middleware Administrator’s Guide for Oracle Access Management.

  2. Configure the WebCenter Content domain by ensuring you perform these tasks.

    1. Configure the OAM Identity Asserter. The control flag for the OAM Identity Asserter must be set to REQUIRED, and both OAM_REMOTE_USER and ObSSOCookie must be selected as Active Types.

    2. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OAM is using OID, then an OID Authentication provider must be added to the WebCenter Content domain.

      Note:

      When you configure the Oracle WebLogic Server for WebCenter Content to use an authentication provider other than the default one, ensure that it is the first authentication provider listed in the security realm configuration; otherwise, WebCenter Content will fail to load any user privileges. You can re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see Configuring the First Authentication Provider.

    3. Configure the OPSS (OAM) Single Sign-On provider.

  3. After installing and configuring OAM 12c, check that you can access all of the configured applications, and that the login is giving you access to all of your configured applications without prompting you to sign in again. Also test global logout where available and make sure you are logged out of all other related applications.

16.3.2 Configuring Oracle Access Manager 11g with WebCenter Content

This section describes how to integrate WebCenter Content with Oracle Access Manager (OAM) 11g. Configuration information is provided for Oracle WebCenter Content: Content Server (CS), Oracle WebCenter Content: Inbound Refinery (IBR), and Oracle WebCenter Content: Site Studio (SS).

Before you can configure OAM 11g, install the software using the instructions provided in Installing and Configuring Oracle Identity Management in Oracle Fusion Middleware Installation Guide for Oracle Identity Management, 11g Release 1 (11.1.1.9.0).

  1. Configure OAM 11g, Oracle HTTP Server (OHS), and WebGate as described in Administrator’s Guide for Oracle Access Management for All Platforms.

    1. Append entries to the mod_wl_ohs.conf file to add WebCenter Content Uniform Resource Identifiers (URIs) to forward. Use the appropriate location entries from the following example. Each entry in the example maps the incoming path to the appropriate Oracle WebLogic Server on which the corresponding application resides.

      In the following list of entries, hostname represents the name of the computer hosting the Content Server, and portnumber represents the port number of the Oracle WebLogic Server on which the corresponding application resides. Replace hostname and portnumber with your system's host name and port number.

      Note:

      The URIs you forward depend on the WebCenter Content functionality that you have installed. Use the appropriate location entry for your functionality. For example: /cs, /adfAuthentication, /_ocsh, /ibr.

      For Site Studio, the URI to forward is configured by the customer. For example, if the site is accessed as /mysite, then you need to append a location entry for /mysite.

      Caution:

      The Content Server location /cs can be customized, so the /cs designation can't guarantee that HTTP requests will include the correct location. If /cs has been changed, then forward the location the administrator has configured.

      # Content Server
      <Location /cs>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # Content Server authentication
      <Location /adfAuthentication>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # WebCenter online help
      <Location /_ocsh>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # IBR
      <Location /ibr>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # SS
      <Location /customer-configured-site-studio>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
    2. Use the OAM 11g remote registration tool (oamreg) to register an OAM Agent, specifying Oracle WebCenter Content URIs to protect and to make public.

      See Administrator’s Guide for Oracle Access Management for All Platforms.

      Note:

      The URIs you protect and make public depend on the WebCenter Content functionality that you have installed: Content Server (CS), Inbound Refinery (IBR), Site Studio (SS).

      For Site Studio, the URI to protect is configured by the customer. For example, if the site is accessed as /mysite, then you need to specify the URI /mysite.

      Functionality   Type      URI
      CS              Protect   /adfAuthentication
      CS              Public    /cs
      CS              Public    /_ocsh
      IBR             Protect   /ibr/adfAuthentication
      IBR             Public    /ibr
      SS              Protect   /customer_configured_site_studio

    3. Add the URL /oamsso/logout.html to the logout URL setting for the AccessGate so the single sign-on logout works properly. See Configuring Centralized Logout for OAM 11g in Oracle Fusion Middleware Administrator’s Guide for Oracle Access Manager with Oracle Security Token Service, 11g Release 1 (11.1.1).

  2. Configure the WebCenter Content domain by ensuring you perform these tasks.

    1. Configure the OAM Identity Asserter. The control flag for the OAM Identity Asserter must be set to REQUIRED, and both OAM_REMOTE_USER and ObSSOCookie must be selected as Active Types.

    2. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OAM is using OID, then an OID Authentication provider must be added to the WebCenter Content domain.

      Note:

      When the Oracle WebLogic Server domain for WebCenter Content is configured to use a different authentication provider than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or WebCenter Content will fail to load any user privileges. Make sure to re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see Configuring the First Authentication Provider.

    3. Configure the OPSS (OAM) Single Sign-On provider.

  3. After installing and configuring OAM 11g, check that you can access all of the configured applications, and that the login is giving you access to all of your configured applications without prompting you to sign in again. Also test global logout where available and make sure you are logged out of all other related applications.

16.3.3 Configuring Oracle Access Manager 10g with WebCenter Content

This section describes how to integrate WebCenter Content with Oracle Access Manager (OAM) 10g. Configuration information is provided for Oracle WebCenter Content Server (CS), Oracle WebCenter Content: Inbound Refinery (IBR), and Oracle WebCenter Content: Site Studio (SS).

Before you can configure OAM, install the software. See information on OAM integration in Enterprise Deployment Guide for Oracle WebCenter Content.

  1. Configure OAM 10g, Oracle HTTP Server (OHS), and WebGate.

    1. Append entries to the mod_wl.conf file to add WebCenter Content Uniform Resource Identifiers (URIs) to forward. Use the appropriate location entries from the following example. The entries in the following Location list map the incoming paths to the appropriate Oracle WebLogic Server on which the corresponding applications reside.

      In the following list of entries, hostname represents the name of the computer hosting the Content Server, and portnumber represents the port number of the Oracle WebLogic Server on which the corresponding application resides. Replace hostname and portnumber with your system's host name and port number.

      Note:

      The URIs you forward depend on the WebCenter Content functionality that you have installed. Use the appropriate location entry for your functionality. For example: /cs, /adfAuthentication, /_ocsh, /ibr.

      For Site Studio, the URI to forward is defined by the customer. For example, if the site is accessed as /mysite, then you need to append a location entry for /mysite.

      Caution:

      The Content Server location /cs can be customized, so the /cs designation can't guarantee that HTTP requests will include the correct location. If /cs has been changed, then forward the location the administrator has configured.

      # Content Server
      <Location /cs>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # Content Server authentication
      <Location /adfAuthentication>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # WebCenter online help
      <Location /_ocsh>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # IBR
      <Location /ibr>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>

      # SS
      <Location /customer-configured-for-site-studio>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
    2. Use the OAM 10g configuration tool (OAMCfgTool) to specify WebCenter Content URIs to protect.

      The OAM Configuration tool is a command-line utility you can use to launch a series of scripts to request information and set up the required profiles and policies in OAM.

      Note:

      The URIs you protect depend on the WebCenter Content functionality that you have installed: Oracle WebCenter Content (CS), Inbound Refinery (IBR), Site Studio (SS).

      For Site Studio, the URI to protect is configured by the customer. For example, if the site is accessed as /mysite, then you need to specify the URI /mysite.

      Functionality   URI
      CS              /adfAuthentication
      IBR             /ibr/adfAuthentication
      SS              /customer_configured_site_studio

      Note:

      If the URL for WebCenter Content does not link correctly after completing the OAM configuration, you might need to change the server host and server port values. For more information, see Configuring the WebCenter Content URL for Single Sign-On.

    3. Configure the WebGate to handle the end_url in order to complete the setup for OAM global logout. Without this additional configuration, you are logged out, but not redirected to the end URL because end_url is not processed.

    4. Add the URL /oamsso/logout.html to the logout URL setting for the AccessGate so the single sign-on logout works properly. See Configuring Centralized Logout for OAM 11g in Oracle Fusion Middleware Administrator’s Guide for Oracle Access Manager with Oracle Security Token Service, 11g Release 1 (11.1.1).

      Note:

      Deploying WebCenter Content version 11gR1 in an environment using OAM version 10g requires additional configuration to process logout requests properly.

  2. Configure the WebCenter Content domain by performing the following tasks.

    1. Configure the OAM Identity Asserter. The control flag for the OAM Identity Asserter must be set to REQUIRED.

    2. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OAM is using OID, then an OID Authentication provider must be added to the Oracle WebCenter Content domain.

      Note:

      When the Oracle WebLogic Server domain for WebCenter Content is configured to use a different authentication provider than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or WebCenter Content will fail to load any user privileges. Make sure to re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see Configuring the First Authentication Provider.

    3. Configure the OPSS (OAM) Single Sign-On provider.

  3. After installing and configuring OAM 10g, check that you can access all of the configured applications, and that the login is giving you access to all of your configured applications without prompting you to sign in again. Also test global logout where available and make sure you are logged out of all other related applications.

16.3.4 Configuring Oracle Single Sign-On for WebCenter Content

Oracle Single Sign-On (OSSO) is part of the 12c Oracle Application Server suite. OSSO is an enterprise-level single sign-on solution that works with the application server in conjunction with Oracle Internet Directory and Oracle HTTP Server (OHS) 12c.

If OSSO is already in place as the enterprise solution for your existing Oracle deployment, Oracle Fusion Middleware continues to support the existing OSSO as a solution. However, Oracle recommends that you consider upgrading to OAM 12c Single Sign-On solution.

This section provides information for integrating WebCenter Content with OSSO. Configuration information is provided for Oracle WebCenter Content Server (CS), Oracle WebCenter Content: Inbound Refinery (IBR), and Oracle WebCenter Content: Site Studio (SS).

Before you can configure OSSO, ensure that the software is installed. OSSO and Oracle Delegated Administration Service are not part of the 11g release. Customers must download the 10.1.4.* versions of these products, which are compatible with 11g Oracle Internet Directory and Oracle Directory Integration Platform, to form what was known in 10g as the Application Server Infrastructure. For deployment instructions on these 10g products, read "Installing and Configuring JAZN-SSO/DAS" in the Oracle Application Server Enterprise Deployment Guide (B28184-02) for Oracle Identity Management release 10.1.4.0.1. This manual is available on Oracle Technology Network at:

http://download.oracle.com/docs/cd/B28196_01/core.1014/b28184/toc.htm

  1. Configure OSSO.

    1. Append WebCenter Content Uniform Resource Identifier (URI) entries to the mod_wl_ohs.conf file. Use the appropriate location entries from the following example. Each entry in the example maps the incoming path to the appropriate Oracle WebLogic Server on which the corresponding application resides.

      In the following list of entries, hostname represents the name of the computer hosting the Content Server, and portnumber represents the port number of the Oracle WebLogic Server on which the corresponding application resides. Replace hostname and portnumber with your system's host name and port number.

      Note:

      The URIs you forward depend on the WebCenter Content functionality that you have installed. Use the appropriate location entry for your functionality. For example: /cs, /adfAuthentication, /_ocsh, /ibr.

      For Site Studio, the URI to forward is configured by the customer. For example, if the site is accessed as /mysite, then you need to append a location entry for /mysite.

      Caution:

      The Content Server location /cs can be customized, so the /cs designation can't guarantee that HTTP requests will include the correct location. If /cs has been changed, then forward the location the administrator has configured.

      # Content Server
      <Location /cs>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # Content Server authentication
      <Location /adfAuthentication>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # WebCenter online help
      <Location /_ocsh>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # IBR
      <Location /ibr>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
      # SS
      <Location /customer-configured-site-studio>
            SetHandler weblogic-handler
            WebLogicHost <hostname>
            WebLogicPort <portnumber>
      </Location>
      
    2. Modify the mod_osso.conf file (at ORACLE_HOME/ohs/conf/) to include WebCenter Content Uniform Resource Identifiers (URIs) to protect.

      Note:

      The URIs you protect depend on the WebCenter Content functionality that you have installed: Content Server (CS), Inbound Refinery (IBR), and Site Studio (SS).

      For Site Studio, the URI to protect is configured by the customer. For example, if the site is accessed as /mysite, then you need to specify the URI /mysite.

      Functionality   URI
      CS              /adfAuthentication
      IBR             /ibr/adfAuthentication
      SS              /customer_configured_site_studio

  2. Configure the WebCenter Content domain by ensuring you perform these tasks.

    1. Add and configure the OSSO Identity Asserter for the Oracle WebLogic Server for WebCenter Content. Oracle recommends the following Authentication Providers: OSSO Identity Asserter, OID Authenticator, Default Authenticator.

      The OID Authenticator provider is for the Oracle Internet Directory server, which is used in production-level systems. The Default Authenticator provider is for the Oracle WebLogic Server embedded LDAP server.

      Ensure that OSSOIdentityAsserter is set as the primary provider authenticator for the domain, so that user profiles can be retrieved from the associated Oracle Internet Directory server. If necessary, reorder the providers so they appear in the following order, with control flags set as listed:

      OSSOIdentityAsserter (REQUIRED)

      OIDAuthenticator (SUFFICIENT)

      DefaultAuthenticator (SUFFICIENT)

      Note:

      When the Oracle WebLogic Server domain for WebCenter Content is configured to use a different authentication provider than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or WebCenter Content will fail to load any user privileges. Make sure to re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see Configuring the First Authentication Provider.

    2. Configure the Authentication provider. This is necessary to specify the external LDAP server for the user store, such as Oracle Internet Directory (OID) or Oracle Virtual Directory (OVD), to match the LDAP server used by OAM. For example, if OSSO is using OID, then an OID Authentication provider must be added to the WebCenter Content domain.

Note:

If the URL for WebCenter Content does not link correctly after completing the OSSO configuration, you might need to change the server host and server port values. For more information, see Configuring the WebCenter Content URL for Single Sign-On.

16.3.5 Configuring the First Authentication Provider

When the Oracle WebLogic Server domain for WebCenter Content is configured to use an authentication provider other than its default authentication provider for user authentication (such as Oracle Internet Directory or another LDAP provider), the primary provider must be the first authentication provider listed in the security realm configuration, or login authentication will fail.

If the primary provider is not listed first (for example, it is listed below the Oracle WebLogic Server provider, DefaultAuthenticator), then WebCenter Content will fail to successfully load users' Group membership and therefore fail to load any user privileges. You can use the Oracle WebLogic Server Administration Console to change the order in which the configured authentication providers are called. See Configuring Authentication Providers in Administering Security for Oracle WebLogic Server.

Note:

When you use Oracle Internet Directory, all WebCenter Content administrator and other users must be defined in Oracle Internet Directory.

Note:

Content Server assigns a Content Server administrator role to administrative users defined in the internal Oracle WebLogic Server user store. This is true regardless of whether Oracle Internet Directory is used or not used. However, if you use Oracle Internet Directory and the Oracle Internet Directory Authentication provider is not listed first, then any request by the Content Server instance to retrieve the roles of the Oracle WebLogic Server defined administrative users will fail.

Note:

As of 11g Release 1 (11.1.1.6.0) Oracle WebCenter Content supports use of the Oracle Virtual Directory library (libOVD) feature, which enables a site to use multiple providers for login and group membership information. For example, it would be possible to use both Oracle Internet Directory (OID) and Active Directory as sources of user and role information. For more information about multi-LDAP configuration in Oracle WebLogic Server, see Configuring the Service for Multiple LDAP using Fusion Middleware Control in Oracle Fusion Middleware Application Security Guide.
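The following is an added example, not Oracle code, that models why this section insists on provider order and control flags. It assumes a simplified realm in which each authenticator owns a small user/password/group table and, as this chapter states, WebCenter Content resolves group membership through the first authentication provider in the realm; identity asserters are not modelled, and the OID and DefaultAuthenticator user tables are constructed sample data. The authenticate function applies the JAAS control-flag rules that WebLogic uses (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), and realm_problems performs the two checks this section describes.

```python
"""Model of WebLogic authentication-provider ordering and control flags.

Added example for this chapter; it is not Oracle code. Assumptions: each
authenticator owns a small user/password/group table, and (as the chapter
states) WebCenter Content resolves group membership through the FIRST
authentication provider in the realm. Identity asserters are not modelled.
"""
from dataclasses import dataclass, field
from enum import Enum


class Flag(Enum):
    """JAAS control flags as used by WebLogic authentication providers."""
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


@dataclass
class Authenticator:
    name: str
    flag: Flag
    users: dict = field(default_factory=dict)  # user -> (password, [groups])

    def login(self, user, password):
        entry = self.users.get(user)
        return entry is not None and entry[0] == password

    def groups(self, user):
        entry = self.users.get(user)
        return list(entry[1]) if entry else []


def authenticate(providers, user, password):
    """Overall login outcome across the ordered provider list (JAAS rules)."""
    has_required = False
    required_failed = False
    other_success = False
    for p in providers:
        ok = p.login(user, password)
        if p.flag in (Flag.REQUIRED, Flag.REQUISITE):
            has_required = True
            if not ok:
                required_failed = True
                if p.flag is Flag.REQUISITE:
                    break  # a REQUISITE failure stops the chain at once
        elif ok:
            other_success = True
            if p.flag is Flag.SUFFICIENT and not required_failed:
                break  # a SUFFICIENT success short-circuits the rest
    if has_required:
        return not required_failed
    return other_success


def wcc_groups(providers, user):
    """Group lookup as the chapter describes it: only the first provider is asked."""
    return providers[0].groups(user) if providers else []


def realm_problems(providers, external_name="OIDAuthenticator"):
    """The two checks from this section: external provider first,
    DefaultAuthenticator control flag SUFFICIENT."""
    problems = []
    names = [p.name for p in providers]
    if external_name in names and names[0] != external_name:
        problems.append(f"{external_name} must be listed first")
    for p in providers:
        if p.name == "DefaultAuthenticator" and p.flag is not Flag.SUFFICIENT:
            problems.append("DefaultAuthenticator control flag must be SUFFICIENT")
    return problems


# Constructed sample directories (not real accounts).
OID = Authenticator("OIDAuthenticator", Flag.SUFFICIENT,
                    {"alice": ("s3cret", ["wcc_users", "Authors"])})
DEFAULT = Authenticator("DefaultAuthenticator", Flag.SUFFICIENT,
                        {"weblogic": ("welcome1", ["Administrators"])})

GOOD = [OID, DEFAULT]            # order and flags as this section requires
MISORDERED = [DEFAULT, OID]      # external provider listed second
DEFAULT_REQUIRED = [Authenticator("DefaultAuthenticator", Flag.REQUIRED, DEFAULT.users), OID]

if __name__ == "__main__":
    for label, realm in (("good", GOOD), ("misordered", MISORDERED),
                         ("default REQUIRED", DEFAULT_REQUIRED)):
        print(label, authenticate(realm, "alice", "s3cret"),
              wcc_groups(realm, "alice"), realm_problems(realm))
```

In the misordered realm alice still logs in (the OID provider is SUFFICIENT), but her group list comes back empty, which is the "fails to load any user privileges" symptom above. With DefaultAuthenticator set to REQUIRED, the login itself fails, because a REQUIRED provider that does not know the user vetoes the whole chain. The model also shows why the note about Oracle Internet Directory requires all users, administrators included, to be defined there: in the correctly ordered realm the weblogic account authenticates through DefaultAuthenticator but its groups are looked up through OID.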

16.3.6 Configuring the WebCenter Content URL for Single Sign-On

When you configure an Oracle application for use with Single Sign-On (SSO) and have set up Oracle Access Manager (OAM) or Oracle Single Sign-On (OSSO), the WebCenter Content GET_ENVIRONMENT service provides the server name, server port, and relative webroot to the application service call (for example, the WebCenter Content Doclib service). However, the values provided by GET_ENVIRONMENT might not be correct for your SSO configuration.

If you want to redirect the application service to use the OHS server host and server port (because both OAM and OSSO solutions require front-end applications with OHS), you must modify the Content Server host and server port configuration values.

You can use either of the following two methods to modify the Content Server host and server port values:

  • Use the Oracle WebLogic Server Administration Console.

  • Use the WebCenter Content standalone System Properties application.

    1. Go to the WebCenter Content domain directory.

    2. Change the directory to ucm/cs/bin

    3. Run the standalone application: ./SystemProperties

    4. In the System Properties window, select the Internet tab.

    5. Update the HTTP Server address to the OHS (or Load Balancer) server host and server port values.

    6. Exit the System Properties window.

    7. Restart the Oracle WebLogic Server domain.

16.3.7 Configuring WebCenter Content and Single Sign-On for Windows Native Authentication

Setting up WebCenter Content and single sign-on (SSO) with Microsoft clients for Windows Native Authentication (WNA) requires configuring the Microsoft Active Directory, the client, and the Oracle WebLogic Server domain. Details including system requirements for SSO with Microsoft clients are provided in Configuring Single Sign-On with Microsoft Clients in Administering Security for Oracle WebLogic Server.

As part of configuring SSO with Microsoft clients, you must specify a LDAP authentication provider to access the external Microsoft Active Directory. Oracle WebLogic Server offers the Active Directory Authentication provider. See Configuring LDAP Authentication Providers in Administering Security for Oracle WebLogic Server.

Note:

When the Oracle WebLogic Server domain for WebCenter Content is configured to use a different authentication provider than the DefaultAuthenticator provider, the new authentication provider must be the first authentication provider listed in the security realm configuration, or WebCenter Content will fail to load any user privileges. Make sure to re-order the authentication providers so the new authentication provider is listed before the DefaultAuthenticator provider. Also ensure that the DefaultAuthenticator control flag is set to SUFFICIENT. For more information, see Configuring the First Authentication Provider.

As part of configuring SSO with Microsoft clients, you must configure the Negotiate Identity Assertion provider in Oracle WebLogic Server security realm. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. Use the Oracle WebLogic Server Administration Console to add a new provider in the appropriate security realm in the domain structure, assign it a name, then select NegotiateIdentityAsserter for its Type. Activate the changes and restart the Oracle WebLogic Server. Now your server can use the Kerberos ticket it receives from the browser.

You must redeploy each WebCenter Content application (Content Server, Inbound Refinery, Records) that will be used in the Windows Native Authentication (Kerberos) environment, using an associated deployment plan. A deployment plan is an XML document. Oracle provides a plan for each of the three WebCenter Content applications: Example 16-1 and Example 16-2. You also can implement a deployment plan using the Oracle WebLogic Scripting Tool.

  1. Log in to the Oracle WebLogic Server Administration Console.
  2. Click Deployments in the Domain Structure navigation tree.
  3. In the Control tab, click Next until you see the WebCenter Content deployment you want to change:
    • Oracle WebCenter Content Server

    • Oracle WebCenter Content: Inbound Refinery

    • Oracle WebCenter Content: Records

  4. Select the check box to the left of the deployment to be changed.
  5. Click Update.
  6. Under the Deployment plan path, select Change Path.
  7. Navigate to and select the appropriate plan file:
    • cs-deployment-plan.xml (for Content Server)

    • ibr-deployment-plan.xml (for Inbound Refinery)

  8. Verify that Redeploy this application using the following deployment files is selected.
  9. Click Next.
  10. Click Finish.
  11. To verify that SSO with Microsoft clients is configured properly, point a browser to the Microsoft Web application or Web service you want to use. If you are logged in to a Windows domain and have Kerberos credentials acquired from the Active Directory server in the domain, you should be able to access the Web application or Web service without providing a user name or password.

Example 16-1 cs-deployment-plan.xml

Use the provided cs-deployment-plan.xml file, or create a .xml file and name it cs-deployment-plan.xml.

<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan
    xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd"
    global-variables="false">
  <application-name>cs.ear</application-name>
  <variable-definition>
   <variable>
      <name>http-only</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>cs.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>http-only</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>

Example 16-2 ibr-deployment-plan.xml

Use the provided ibr-deployment-plan.xml file, or create a .xml file and name it ibr-deployment-plan.xml.

<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation= "http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd" global-variables="false">
  <application-name>ibr.ear</application-name>
  <variable-definition>
   <variable>
      <name>http-only</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>ibr.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>http-only</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
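The following is an added example, not Oracle tooling, for reading a deployment plan such as Example 16-1 or Example 16-2 before redeploying with it. It parses the plan with the Python standard library, resolves every variable-assignment through the variable-definition section, and reports the effective overrides, so that an administrator can confirm what a plan changes in weblogic.xml. The embedded plan is an abridged copy of Example 16-1 (the xsi:schemaLocation attribute is omitted); the BROKEN_PLAN variant is constructed to show the check for an assignment that references an undefined variable.

```python
"""Reading a WebLogic deployment plan to see what it overrides.

Added example for this chapter, not Oracle's own tooling. The sample plan is
an abridged copy of Example 16-1; BROKEN_PLAN is a constructed variant whose
variable-assignment refers to a variable that is never defined.
"""
import xml.etree.ElementTree as ET

NS = {"dp": "http://xmlns.oracle.com/weblogic/deployment-plan"}

CS_PLAN = """<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" global-variables="false">
  <application-name>cs.ear</application-name>
  <variable-definition>
    <variable><name>http-only</name><value>false</value></variable>
  </variable-definition>
  <module-override>
    <module-name>cs.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>http-only</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>"""

# Constructed: the definition names a different variable than the assignment uses.
BROKEN_PLAN = CS_PLAN.replace("<name>http-only</name><value>false</value>",
                              "<name>other</name><value>false</value>")


def _parse(plan_xml):
    # ET.fromstring accepts bytes with an XML declaration; encode str input.
    data = plan_xml.encode("utf-8") if isinstance(plan_xml, str) else plan_xml
    return ET.fromstring(data)


def application_name(plan_xml):
    return _parse(plan_xml).findtext("dp:application-name", namespaces=NS)


def plan_overrides(plan_xml):
    """Return {(module name, descriptor uri, xpath): value} for every
    variable-assignment, resolved through variable-definition."""
    root = _parse(plan_xml)
    values = {}
    for var in root.findall("dp:variable-definition/dp:variable", NS):
        values[var.findtext("dp:name", namespaces=NS)] = var.findtext("dp:value", namespaces=NS)
    overrides = {}
    for mod in root.findall("dp:module-override", NS):
        mod_name = mod.findtext("dp:module-name", namespaces=NS)
        for desc in mod.findall("dp:module-descriptor", NS):
            uri = desc.findtext("dp:uri", namespaces=NS)
            for asg in desc.findall("dp:variable-assignment", NS):
                name = asg.findtext("dp:name", namespaces=NS)
                if name not in values:
                    raise ValueError(f"variable-assignment refers to undefined variable {name!r}")
                xpath = asg.findtext("dp:xpath", namespaces=NS)
                overrides[(mod_name, uri, xpath)] = values[name]
    return overrides


def plan_is_consistent(plan_xml):
    """False if any assignment references a variable the plan never defines."""
    try:
        plan_overrides(plan_xml)
        return True
    except ValueError:
        return False


def cookie_http_only(plan_xml):
    """The cookie-http-only value each web module ends up with after the plan is applied."""
    result = {}
    for (mod, _uri, xpath), value in plan_overrides(plan_xml).items():
        if xpath.endswith("/session-descriptor/cookie-http-only"):
            result[mod] = value
    return result


if __name__ == "__main__":
    print(application_name(CS_PLAN), plan_overrides(CS_PLAN))
    print("consistent:", plan_is_consistent(BROKEN_PLAN))
```

Run against Example 16-1 the output shows that the plan's single effect is to set cookie-http-only to false for cs.war, that is, the session cookie is no longer marked HttpOnly and becomes readable by client-side script in the browser; Example 16-2 does the same for ibr.war. WebLogic itself rejects a plan whose assignment references an undefined variable, but checking it here is cheaper than finding out during an Update on the Deployments page.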

16.4 Configuring Oracle Infrastructure Web Services

Oracle Infrastructure Web services provide the ability to create and attach policy sets to subjects on a global scope (domain, server, application, or SOA composite). Oracle Infrastructure Web services are implemented according to the Web services for Java EE 1.2 specification, which defines the standard Java EE runtime architecture for implementing Web services in Java. The specification also describes a standard Java EE Web service packaging format, deployment model, and runtime services, all of which are implemented by Oracle Infrastructure Web services.

16.5 Configuring WebCenter Content for Oracle Identity Cloud Service (IDCS)

Configure Single Sign-On with IDCS for WebCenter applications such as WebCenter Content Server, Enterprise Capture (console and client), WebCenter Desktop Client, WebCenter Content: Imaging, and WebCenter Content ADFUI.

16.5.1 Updating SSL.hostnameVerifier Property

To update SSL.hostnameVerifier property, do the following:

Note:

This is necessary for the IDCS provider to access IDCS.

  1. Stop all the servers in the domain, including the Admin Server and all managed WebLogic servers.
  2. Update the SSL.hostnameVerifier property:
    1. Create or modify the file <DOMAIN_HOME>/<domain_name>/bin/setUserOverrides.sh and add the SSL.hostnameVerifier property for the IDCS Authenticator:
      EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier"
      export EXTRA_JAVA_PROPERTIES
    2. Alternatively, edit the file <DOMAIN_HOME>/<domain_name>/bin/setDomainEnv.sh and add the same assignment there:
      EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier"
      export EXTRA_JAVA_PROPERTIES
      (The form set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier is the Windows batch equivalent for the corresponding .cmd scripts.)
  3. Start the Admin Server.

16.5.2 Configuring IDCS Security Provider

To obtain an OAuth client for IDCS Security Provider:

  1. Log in to the IDCS admin console.
  2. Create a trusted application. In the Add Confidential Application wizard:
    1. Enter the client name and the description (optional).
    2. Select the Configure this application as a client now option. To configure this application, expand the Client Configuration in the Configuration tab.
    3. In the Client Credentials field, select the Allowed Grant Types check box.
    4. In the Grant the client access to Identity Cloud Service Admin APIs section, click Add to add the application roles. You can add the Identity Domain Administrator role.
    5. Keep the default settings for the pages and click Finish.
    6. Record the Client ID and Client Secret.
      This is needed when you will create the IDCS provider.
    7. Activate the application.

16.5.2.1 Configuring Oracle Identity Cloud Integrator Provider

To configure Identity Cloud Integrator Provider:

  1. Log in to the Weblogic Server Administration console.
  2. Select Security Realm in the Domain Structure pane.
  3. On the Summary of Security Realms page, click the name of the realm (for example, myrealm).
    The Settings for myrealm page appears.
  4. On the Settings for Realm Name page, select Providers and then Authentication. To create a new Authentication Provider, in the Authentication Provider's table, click New.
  5. In the Create a New Authentication Provider page, enter the name of the authentication provider, for example, IDCSIntegrator and select the OracleIdentityCloudIntegrator type of authentication provider from the drop-down list and click OK.
  6. In the Authentication Provider's table, click the newly created Oracle Identity Cloud Integrator, IDCSIntegrator link.
  7. In the Settings for IDCSIntegrator page, for the Control Flag field, select the Sufficient option from the drop-down list.
  8. Go to the Provider Specific page to configure the additional attributes for the security provider. Enter the values for the following fields: Host, Port, select SSLEnabled, Tenant, Client Id, and Client Secret. Click Save.

    Note:

    If the IDCS URL is idcs-abcde.identity.example.com, then the IDCS host is identity.example.com and the tenant name is idcs-abcde.

  9. Select Security Realm, then myrealm, and then Providers. In the Authentication Provider's table, click Reorder.
  10. In the Reorder Authentication Providers page, move IDCSIntegrator on the top and click OK.
  11. In the Authentication Provider's table, click the DefaultAuthenticator link. In the Settings for DefaultAuthenticator page, for the Control Flag field, select the Sufficient option from the drop-down list. Click Save.
  12. Activate all changes and restart the domain.

16.5.2.2 Setting Up Trust between IDCS and Weblogic

To set up trust between IDCS and Weblogic:

  1. Import certificate in KSS store.
    1. Run this from the Admin Server node.
    2. Get IDCS certificate:
      echo -n | openssl s_client -showcerts -servername <IDCS_HOST> -connect <IDCS_HOST>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/idcs_cert_chain.crt

      Optionally, IDCS Certificates can be downloaded directly from any browser.

    3. Import the certificate. Run <MW_HOME>/oracle_common/common/bin/wlst.sh and enter:
      connect('weblogic','Welcome_1','t3://<WEBLOGIC_HOST>:7001')
      svc=getOpssService(name='KeyStoreService')
      svc.importKeyStoreCertificate(appStripe='system',name='trust',password='',alias='idcs_cert_chain',type='TrustedCertificate',filepath='/tmp/idcs_cert_chain.crt',keypassword='')
      syncKeyStores(appStripe='system',keystoreFormat='KSS')
    4. exit()
  2. Restart the Admin server.

    Note:

    After creating the IDCS provider and importing the certificate, unlike the users in the DefaultAuthenticator and LDAP servers, the IDCS users will not be present in the User's list. To view the list of users, click myrealm, then Users and Groups, and then Users.
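The following is an added example, not Oracle code, that does in Python what the sed expression in step 1 does (keep every BEGIN/END CERTIFICATE block from the openssl s_client output) and adds two checks the one-liner lacks: it fails when no block is present, which is what a failed connection produces and which would otherwise leave an empty /tmp/idcs_cert_chain.crt for the WLST import to choke on, and it prints SHA-256 fingerprints so the fetched chain can be compared with the certificates the browser shows for the IDCS host. The s_client output embedded below is constructed text with placeholder payloads, not real certificates, and the script name idcs_chain.py in the usage note is assumed.

```python
"""Extract the certificate chain from openssl s_client output and fingerprint it.

Added example for this chapter, not Oracle code. SAMPLE_S_CLIENT_OUTPUT is
constructed: the PEM bodies are base64 of placeholder text, not certificates.
"""
import base64
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.S)


def _fake_pem(payload):
    """Wrap arbitrary bytes in PEM armour (for the constructed sample only)."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----"


SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    + " 0 s:CN = idcs-abcde.identity.example.com\n"
    + _fake_pem(b"constructed placeholder leaf, not a real certificate") + "\n"
    + " 1 s:CN = Example Intermediate CA\n"
    + _fake_pem(b"constructed placeholder intermediate, not a real certificate") + "\n"
    + "---\nSSL handshake has read 1234 bytes and written 456 bytes\n"
)

# What s_client prints when the TCP connection or TLS handshake fails.
FAILED_S_CLIENT_OUTPUT = "CONNECTED(00000003)\nno peer certificate available\n---\n"


def extract_pem_chain(text):
    """All PEM certificate blocks, in order; error instead of an empty chain."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no certificate in s_client output; check host, port and -servername")
    return blocks


def chain_count(text):
    try:
        return len(extract_pem_chain(text))
    except ValueError:
        return 0


def der_bodies(blocks):
    """Decode each PEM block to DER bytes (base64 body only)."""
    return [ssl.PEM_cert_to_DER_cert(block) for block in blocks]


def fingerprints(blocks):
    """SHA-256 fingerprint of each certificate, as browsers display it."""
    return [hashlib.sha256(der).hexdigest() for der in der_bodies(blocks)]


if __name__ == "__main__":
    # Pipe real s_client output in, or run without input to see the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_S_CLIENT_OUTPUT
    chain = extract_pem_chain(text)
    for block, fp in zip(chain, fingerprints(chain)):
        print("sha256:", fp)
    with open("/tmp/idcs_cert_chain.crt", "w") as out:
        out.write("\n".join(chain) + "\n")
```

Usage (assumed file name): echo -n | openssl s_client -showcerts -servername <IDCS_HOST> -connect <IDCS_HOST>:443 | python3 idcs_chain.py. The chain fetched this way is trusted on first use, so the printed fingerprints are the check: compare them with the certificate details the browser shows for the IDCS host before running the WLST import in step 3.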

16.5.2.3 Creating Admin User in IDCS for WebCenter Content

It is important to create the Admin user in IDCS because once the managed servers are configured for SAML, the domain admin user (typically weblogic user) will not be able to log into the managed servers.

To create WLS Admin user in IDCS for WebCenter Content JaxWS connection:

  1. Go to the Groups tab and create Administrators and sysmanager roles in IDCS.
  2. Go to the Users tab and create a wls admin user, for example, weblogic and assign it to Administrators and sysmanager groups.
  3. Restart all the managed servers.
    This step is not required if WebCenter Content connection type is socket as socket type WebCenter Content connection uses sysadmin user, which is WebCenter Content internal user.
  4. Start all the managed WebLogic servers in the domain.

16.5.2.4 Managing Group Memberships, Roles, and Accounts

Oracle Identity Cloud Service can be used for user log-in authentication and an external LDAP server (such as OID or Active Directory) can be used to get user group memberships.

For every user, the same user name will be required in both IDCS and the LDAP server. Oracle Identity Cloud Service can be used to provide the WCC user role and account group memberships.

This will require modifying OPSS and libOVD to access IDCS. The following steps are required if using IDCS for user authorization. Do not run these steps if you are using IDCS only for user authentication. Ensure that all the servers are stopped (including admin) before proceeding with the following steps:

  • Run the following script:
    <MW_HOME>/oracle_common/common/bin/wlst.sh

    Note:

    It's not required to connect to the port of the Admin server.
  • Read the domain:
    readDomain('<DOMAIN_HOME>')
  • Add the template:
    addTemplate('<MIDDLEWARE_HOME>/oracle_common/common/templates/wls/oracle.opss_scim_template.jar')

    Note:

    This step may throw a warning, which can be ignored: addTemplate is deprecated, and selectTemplate followed by loadTemplates should be used in its place.
  • Update the domain:
    updateDomain()
  • Close the domain:
    closeDomain()
  • Start the servers (Admin and managed).

16.5.3 Configuring WebCenter Content for User Logout

Selecting the Logout link re-authenticates you through SAML. To make the Logout link usable:

  1. Log in to WebCenter Content as an administrator. Select Administration, then Admin Server, and then General Configuration.
  2. In the Additional Configuration Variables pane, add the following parameter:
    set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier
  3. Click Save.
  4. Restart the WebCenter Content Managed server(s).

16.5.3.1 Configuring Logout for WebCenter Content and WebCenter Content: Imaging

Complete the following steps for WebCenter Content and WebCenter Content: Imaging Logout to work:

  1. Deselect Enable Single Logout under SSO Configuration for the WebCenter Content: Imaging and WebCenter Content applications in the IDCS admin console.
  2. The cookie path should be set to / for WebCenter Content: Imaging in the imaging.ear file, and the file should be redeployed.
  3. Set the IpmCustomLogoutURL property for WebCenter Content: Imaging via MBean (under oracle.imaging) in EM to this value: http://<IPM Host>:<IPM Port>/imaging/adfAuthentication?logout=true&end_url=https://<IDC Tenant id>.identity.oraclecloud.com/sso/v1/user/logout
  4. For WebCenter Content, specify the logout URL in the WebCenter Content configuration, either by updating the config.cfg file or from the WebCenter Content Admin configuration page. Add the following entry and restart WebCenter Content: LogoutServerUrl=http://<UCM Hostname>:<UCM Port>/adfAuthentication?logout=true&end_url=https://<IDC Tenant id>.identity.oraclecloud.com/sso/v1/user/logout
16.5.3.2 Configuring Logout for Enterprise Capture

Complete the following steps for Enterprise Capture Logout to work:

  1. The cookie path of /dc-client and /dc-console should be set to / in the capture.ear file and it should be redeployed.
  2. Go to the Enterprise Manager console, open the MBean browser and change the Capture MBean attribute logoutRedirectURL to https://<IDCS Tenantid>.identity.oraclecloud.com/sso/v1/user/logout. Save the changes. This change is effective immediately. To unset this attribute's value, set it to an empty string.
16.5.3.3 Configuring Logout for ADFUI

For WebCenter Content ADFUI Logout feature to work, do the following:

  1. Go to Enterprise Manager Console, open the System MBean browser.
  2. Expand the Application Defined MBeans and oracle.adf.share.config and change the WccAdfConfiguration MBean attribute customLogoutUrl to https://<IDCSTenantid>.identity.oraclecloud.com/sso/v1/user/logout.
  3. Save the changes to the parent MBean by invoking the save operation.
  4. This change is effective after restarting the UI server.

To unset the attribute's value, set it to an empty string.

16.6 Configuring SAML-Based Single Sign-On

Security Assertion Markup Language (SAML) enables cross-platform user authentication between web-based applications or web services in a WebLogic Server domain and web browsers or other HTTP clients. When users log in to the website of an application that is part of a single sign-on network, they automatically gain access to all the applications in that network without having to log in separately to each application.

16.6.1 SAML Components

A SAML-based single sign-on setup includes the following components:

  • SAML Credential Mapping: The SAML Credential Mapping provider allows WebLogic Server to act as a source site for using SAML for single sign-on. This provider generates valid SAML 1.1 assertions for authenticated subjects based on the configuration of the target site or resource.

  • Inter Site Transfer Service (ITS): An addressable component that generates identity assertions and transfers the user to the destination site.
  • Assertion Retrieval Service (ARS): An addressable component that returns the SAML assertion corresponding to the artifact. You can allocate the assertion ID at the time of generating the assertion.
  • SAML Identity Asserter: The SAML Identity Assertion provider allows the WebLogic Server to act as a destination site for using SAML for single sign-on. This provider processes valid SAML 1.1 assertions for authenticated subjects obtained from the source site or resource.
  • Assertion Consumer Service (ACS): An addressable component that receives assertions and/or artifacts generated by ITS and uses them to authenticate users at the destination site.
  • SAML Relying Party: A SAML Relying Party is an entity that relies on the information in a SAML assertion produced by the SAML source site. You can configure SAML assertions for each Relying Party or use the defaults established by the Federation Services source site configuration for producing assertions.
  • SAML Asserting Party: A SAML Asserting Party is a trusted SAML Authority, which asserts security information in the form of SAML assertions.

16.6.2 SAML Single Sign-On Prerequisites

Before configuring SAML 1.1 source and destination services, you must do the following:

  • Create a domain with WebCenter Content and Portal servers: Applicable for SAML configurations with Content Server as a source and Portal as a destination.
  • Create a domain with WebCenter Content and ADF UI servers: Applicable for SAML configurations with Content Server as a source and Application Development Framework (ADF) as a destination.
  • Create a domain with WebCenter Content and Imaging servers: Applicable for SAML configurations with Content Server as a source and Imaging as a destination.

The prerequisites for SAML-based SSO are described in the following topics:

These port numbers are used for the source, destination, and SSL ports as examples:

Source and SSL ports:

CS: 16200, SSL: 16201

Destination and SSL ports:

Portal: 8888, SSL: 8788

Imaging: 16000, SSL: 16001

ADF UI: 16225, SSL: 16226

Note:

You can configure the port numbers based on your requirement.
16.6.2.1 Enabling SSL for Source Services
To enable SSL for source services:
  1. Log in to the Oracle WebLogic Server Administration Console.
  2. Click Environment in the Domain Structure pane.
    The Summary of Environment page appears.
  3. Click Servers.
    The Summary of Servers page appears.
  4. Click UCM_server1.
    The Settings for UCM_server1 page appears.
  5. In the Configurations > General tab, provide the following details:
    • Select the SSL Listen Port Enabled check box.
    • In the SSL Listen Port field, enter 16201.
16.6.2.2 Enabling SSL for Destination Services
To enable SSL for destination services, such as Portal, ADF UI, and Imaging servers:
  1. Log in to the Oracle WebLogic Server Administration Console.
  2. Click Environment in the Domain Structure pane.
    The Summary of Environment page appears.
  3. Click Servers.
    The Summary of Servers page appears.
  4. Click one of the following servers based on the destination service that you want to configure.
    • WC_Portal to configure Portal as the destination service.
    • WCCADF_server1 to configure ADF UI as the destination service.
    • IPM_server1 to configure Imaging as the destination service.
  5. In the Configurations > General tab, select the SSL Listen Port Enabled check box.
  6. In the SSL Listen Port field, enter one of the following values based on the destination service that you want to configure:
    • 8788 to configure Portal as the destination service.
    • 16226 to configure ADF UI as the destination service.
    • 16001 to configure Imaging as the destination service.
16.6.2.3 Creating and Exporting Certificates
To create and export certificates:
  1. Open oracle_common/common/bin and launch ./wlst.sh.
  2. Connect to the Admin Server of the source using the following wlst command (the URL is the Admin Server's t3 listen address, not the console path):
    • connect('adminServerUsername','password','t3://hostboxName:adminport')
  3. List and export the certificates using the following wlst commands:
    • svc = getOpssService(name='KeyStoreService')
    • svc.listKeyStoreAliases(appStripe='system',name='demoidentity',password='DemoIdentityKeyStorePassPhrase',type='*')
    • svc.exportKeyStoreCertificate(appStripe='system',name='demoidentity',password='DemoIdentityKeyStorePassPhrase',alias='DemoIdentity',type='Certificate',filepath='/scratch/priyaaro/demoidentity.der')
  4. In the web.xml file of every destination server, remove the value FORM from the <auth-method> element and retain the value CLIENT-CERT.
    The web.xml file paths for the destination servers are:
    • Portal: Oracle_Home/wcportal/archives/applications/webcenter.ear/spaces.war/WEB-INF/web.xml
    • ADF UI: Oracle_Home/wccontent/wccadf/WccAdf.ear/WccAdf.war/WEB-INF/web.xml
    • Imaging: ORACLE_HOME/wccontent/ipm/lib/imaging.ear/imaging-ui.war/WEB-INF/web.xml

    Note:

    After modifying the web.xml file, you must redeploy the destination application.
16.6.2.4 Hiding Login Area for WebCenter Portal Landing Page
To hide the login area in the WebCenter Portal landing page:
  1. Open $MIDDLEWARE_HOME/user_projects/domains/domain_name/bin/setDomainEnv.sh and update the following property:
    • EXTRA_JAVA_PROPERTIES="-Doracle.webcenter.spaces.osso=true ${EXTRA_JAVA_PROPERTIES}"
    • export EXTRA_JAVA_PROPERTIES
  2. Restart the Portal Server.

16.6.3 Configuring SAML 1.1 Source Services

You can configure a Content Server instance to function as a SAML source site that provides an Intersite Transfer Service (ITS). A source site generates assertions that are conveyed to a destination site using one of the single sign-on profiles.

The section covers the following topics:

16.6.3.1 Creating Credential Mapping Providers
To create the credential mapping providers:
  1. Log in to the Oracle WebLogic Server Administration Console.
  2. Click Security Realms in the Domain Structure pane.
    The Summary of Security Realms page appears.
  3. Click myrealm.
    The Settings for myrealm page appears.
  4. Click Providers, then Credential Mapping, and then New.
  5. In the Name field, enter a name for the credential mapping provider. For example, SAMLCredentialMapper.
  6. In the Type field, select SAMLCredentialMapperV2.
  7. Click OK.
    The credential mapper that you created is available in the Credential Mapping Providers section.
16.6.3.2 Configuring Credential Mapping Providers
To configure the provider-specific information:
  1. Click the credential mapping provider created previously, for example SAMLCredentialMapper.
    To create a credential mapping provider, see Creating Credential Mapping Providers.
  2. Click Provider Specific.
  3. In the Issuer URL field, enter http://www.oracle.com/webcenter.
  4. In the Name Qualifier field, enter webcenter.com.
  5. In the Default Time to Live field, enter 120.
  6. In the Default Time to Live Offset field, enter 0.
  7. In the Web Service Assertion Signing Key Alias field, enter DemoIdentity.
  8. In the Web Service Assertion Signing Key Pass Phrase field, enter DemoIdentityPassPhrase.
  9. In the Confirm Credential field, confirm the signing key pass phrase value by entering DemoIdentityPassPhrase.
  10. Restart the WebCenter Content server.
16.6.3.3 Creating Relying Parties
To create a relying party:
  1. Click the credential mapping provider created previously, for example SAMLCredentialMapper.
    To create a credential mapping provider, see Creating Credential Mapping Providers.
  2. Click Management, then Relying Parties, and then New.
  3. In the Profile field, select Browser/POST.
  4. In the Description field, enter relyingparty.
  5. Click OK.
    A relying party with the partner ID rp_00001 is created.

    Note:

    The partner ID increments by 1 for every new relying party that you create. For example, rp_00002.
16.6.3.4 Configuring Relying Parties
To specify relying party information for destination services such as Portal, ADF UI, and Imaging servers:
  1. Click the relying partner ID created previously, for example, rp_00001.
    To create a relying party, see Creating Relying Parties.
  2. Select the Enabled check box.
  3. In the Target URL field, enter one of the following values based on the destination service that you want to configure:
    • http://hostboxname:8888/webcenter to configure Portal as the destination service.
    • http://hostboxname:16225/wcc to configure ADF UI as the destination service.
    • http://hostboxname:16007/imaging to configure Imaging as the destination service.

    Note:

    The preceding port numbers are used to configure the destination servers.
  4. In the Assertion Consumer URL field, enter one of the following values based on the destination service you want to configure:
    • https://hostboxname:8788/webcenter/samlacs/acs to configure Portal as the destination service.
    • https://hostboxname:16226/wcc/samlacs/acs to configure ADF UI as the destination service.
    • https://hostboxname:16001/imaging/samlacs/acs to configure Imaging as the destination service.
  5. In the Assertion Consumer Parameters field, enter APID=ap_00001.
  6. In the Assertion Time to Live field, enter 0.
  7. In the Assertion Time To Live Offset field, enter 0.
  8. Select the Sign Assertions check box.
    The Include Keyinfo check box is selected by default. Leave the check box as is.
  9. Click Save.
16.6.3.5 Defining Federation Services for Source
To define the federation services for source:
  1. Click Environment in the Domain Structure pane.
    The Summary of Environment page appears.
  2. Click Servers.
    The Summary of Servers page appears.
  3. Click UCM_server1.
    The Settings for UCM_server1 page appears.
  4. Select the Source Site Enabled check box.
  5. In the Source Site URL field, enter http://hostboxname:16200.
  6. In the Signing Key Alias field, enter DemoIdentity.
  7. In the Signing Key Passphrase field, enter DemoIdentityPassPhrase.
  8. In the Confirm Signing Key Passphrase field, confirm the value by entering DemoIdentityPassPhrase.
  9. In the Intersite Transfer URIs field, enter the following:
    /samlits_ba/its
    /samlits_ba/its/post
    /samlits_ba/its/artifact
    /samlits_cc/its
    /samlits_cc/its/post
    /samlits_cc/its/artifact
  10. Select the ITS Requires SSL check box.
  11. In the Assertion Retrieval URIs field, enter /samlars/ars.
  12. Select the ARS Requires SSL check box.
  13. Click Save.

16.6.4 Configuring SAML 1.1 Destination Services

To configure the SAML destination services, you must first configure a SAML Identity Asserter in the server's Security Realm. You can configure a WebLogic Server instance to function as a SAML destination site. A destination site receives SAML assertions and uses them to authenticate local subjects.

This section covers the following topics:

16.6.4.1 Creating Identity Asserters
To create identity asserters for destination services such as Portal, ADF UI, and Imaging:
  1. Log in to the Oracle WebLogic Server Administration Console.
  2. Click Security Realms in the Domain Structure pane.
    The Summary of Security Realms page appears.
  3. Click myrealm.
    The Settings for myrealm page appears.
  4. Click Providers, then Authentication, and then New.
    The Create a New Authentication Provider page appears.
  5. In the Name field, enter a name for the identity asserter. For example, SAMLIdentityAsserter.
  6. In the Type field, select SAMLIdentityAsserterV2.
  7. Click Save.
  8. Restart one of the following servers based on the destination service that you want to configure:
    • Admin Server if you are configuring Portal as the destination service.
    • ADF UI server if you are configuring ADF UI as the destination service.
    • IPM server if you are configuring Imaging as the destination service.
16.6.4.2 Adding Source Certificates
To add a source certificate for the destination service:
  1. Click the identity asserter created previously, for example, SAMLIdentityAsserter.
    To create an identity asserter, see Creating Identity Asserters.
  2. Click Management, then Certificates, and then New.
  3. In the Alias field, enter demoidentity.
  4. In the Path field, enter the path where you have exported the source certificate.
  5. Click OK.
16.6.4.3 Creating Asserting Parties
To create an asserting party:
  1. Click the identity asserter created previously, for example, SAMLIdentityAsserter.
    To create an identity asserter, see Creating Identity Asserters.
  2. Click Management, then Asserting Parties, and then New.
  3. In the Profile field, select the value Browser/POST.
  4. In the Description field, enter assertingparty.
  5. Click OK.
    An asserting party with the partner ID ap_00001 is created.
16.6.4.4 Configuring Asserting Parties
To specify the asserting party information for destination services such as Portal, ADF UI, and Imaging servers:
  1. Click the asserting partner ID created previously, for example, ap_00001.
    To create an asserting party, see Creating Asserting Parties.
  2. Select the Enabled check box.
  3. In the Target URL field, enter one of the following values based on the destination service that you want to configure:
    • http://hostboxname:16200 to configure Portal as the destination service.
    • http://hostboxname:16200 to configure ADF UI as the destination service.
    • http://hostboxname:16200 to configure Imaging as the destination service.
  4. In the POST Signing Certificate Alias field, enter demoidentity.
  5. In the Source Site Redirect URIs field, enter one of the following values based on the destination service that you want to configure.
    • /webcenter/adfAuthentication to configure Portal as the destination service.
    • /wcc/adfAuthentication to configure ADF UI as the destination service.
    • /imaging/faces/Pages/Welcome.jspx to configure Imaging as the destination service.
  6. In the Source Site ITS URL field, enter https://hostboxname:16201/samlits_ba/its.
  7. In the Source Site ITS Parameters field, enter RPID=rp_00001.
  8. In the Issuer URI field, enter http://www.oracle.com/webcenter.
  9. In the Assertion Signing Certificate field, enter demoidentity.
  10. Select the Signature Required check box.
  11. Click Save.
16.6.4.5 Defining Federation Services for Destination
To define the federation services for a destination such as Portal, ADF UI, and Imaging:
  1. Click Environment in the Domain Structure pane.
    The Summary of Environment page appears.
  2. Click Servers.
    The Summary of Servers page appears.
  3. Click one of the following servers based on the destination service that you want to configure.
    • WC_Portal to configure Portal as the destination service.
    • WCCADF_server1 to configure ADF UI as the destination service.
    • IPM_server1 to configure Imaging as the destination service.
  4. Click Federation Services and then SAML 1.1 Destination Site.
  5. Select the Destination Site Enabled check box.
  6. In the Assertion Consumer URIs field, enter one of the following values based on the destination service that you want to configure.
    • /webcenter/samlacs/acs to configure Portal as the destination service.
    • /wcc/samlacs/acs to configure ADF UI as the destination service.
    • /imaging/samlacs/acs to configure Imaging as the destination service.
  7. Select the ARS Requires SSL check box.
  8. In the SSL Client Identity Alias field, enter DemoIdentity.
  9. In the SSL Client Identity Pass Phrase field, enter DemoIdentityPassPhrase.
  10. In the Confirm SSL Client Identity Pass Phrase field, confirm the SSL client identity pass phrase by entering DemoIdentityPassPhrase.
  11. Select the POST Recipient Check Enabled and the POST One-Use Check Enabled check boxes.
  12. In the Used Assertions Cache Properties field, enter APID=ap_00001.
  13. Click Save.

    Note:

    After configuring the destination services, log in to the source as a weblogic user and open the required destination URL. Notice that you can access the destination URL without having to log in again.

16.6.5 Configuring SAML 2.0 (IDCS) Single Sign-On

This section covers the steps for configuring SAML 2.0 SSO with IDCS for the WebCenter applications (Content Server, Capture, and Content UI).


16.6.5.1 Configuring SAML 2.0 Asserter

To configure SAML 2.0 Asserter:

  1. Log in to the Weblogic Server Administration Console.
  2. Click Security Realm in the Domain Structure pane.
  3. On the Summary of Security Realms page, select the name of the realm (for example, myrealm). Click myrealm.
    The Settings for myrealm page appears.
  4. Click Providers and then Authentication. To create a new Authentication Provider, in the Authentication Providers table, click New.
  5. In the Create a New Authentication Provider page, enter the name of the new asserter, for example, SAML2Asserter, select the SAML2IdentityAsserter type of authentication provider from the drop-down list, and then click OK.
  6. In the Authentication Providers table, click the newly created Identity Asserter Provider SAML2Asserter link.
  7. Select Security Realm, then myrealm, and then Providers. In the Authentication Providers table, click Reorder.
  8. In the Authentication Providers page, move SAML2Asserter to the top (above the already configured IDCS authentication provider) and click OK.
  9. Restart the Admin and the managed servers.
16.6.5.2 Configuring Weblogic Managed Servers as SAML 2.0 SSO Service Providers

To configure the Weblogic Managed Servers as SAML 2.0 SSO Service Providers:

  1. Log in to the Weblogic Server Administration Console.
  2. Click Environment in the Domain Structure pane.
    The Summary of Environment page appears.
  3. Click Servers.
    The Summary of Servers page appears.
  4. Go to the managed server (for Content Server), click Federation Services and then SAML 2.0 Service Provider. In the Service Provider page:
    1. Select the Enabled check box.
    2. In the Preferred Binding field, select the value POST from the drop-down list.
    3. In the Default URL field, enter http://<HOST/IP>:<PORT>/cs or https://<HOST/IP>:<SSL_PORT>/cs.
    4. Click Save.
    5. Repeat the above steps for other managed servers, Capture and Content UI. The Default URL for Capture is http://<HOST/IP>:<PORT>/dc-console or https://<HOST/IP>:<SSL_PORT>/dc-console. The Default URL for Content UI is http://<HOST/IP>:<PORT>/wcc or https://<HOST/IP>:<SSL_PORT>/wcc.

      Note:

      If OHS is in place, enter the following default URLs:
      1. Content Server: http://<HOST/IP>/cs or https://<OHS HOST/IP>:<SSL_PORT>/cs
      2. Capture: http://<HOST/IP>/dc-console or https://<OHS HOST/IP>:<SSL_PORT>/dc-console
      3. Content UI: http://<HOST/IP>/wcc or https://<OHS_HOST/IP>:<SSL_PORT>/wcc
  5. Go to the managed server (for Content Server), click Federation Services and then SAML 2.0 Service Provider.
    1. Select the Replicated Cache Enabled check box.
    2. In the Published Site URL field, enter http://<HOST/IP>:<PORT>/saml2.
    3. In the Entity ID field, enter the value ucm. It can be any name, such as ucm, but it must be unique. Note the ID as it will be used while configuring SAML in IDCS.
    4. Click Save. Restart the managed server.
    5. Publish the SP metadata to a file, <DOMAIN_HOME>/<Entity_ID>_sp_metadata.xml. Unlike other SAML IdPs, IDCS does not require this file to be imported; however, it can be useful for reference purposes.
      Repeat the above steps for the other managed servers, Capture and Content UI, with Entity IDs capture and wcc respectively. Publish the respective metadata:
      • Published Site URL [Capture]: http://<HOST/IP>:<PORT>/saml2o
      • Published Site URL [Content UI]: http://<HOST/IP>:<PORT>/saml2

    Note:

    If OHS is in place, enter the following for the Published Site URLs:
    1. Content Server: http://<HOST/IP>/saml2
    2. Capture: http://<HOST/IP>/saml2_capture
    3. Content UI: http://<HOST/IP>/saml2_wcc
    After configuration, publish the respective metadata files.
16.6.5.3 Completing SAML 2.0 Identity Asserter Configuration

To complete SAML 2.0 Identity Asserter Configuration:

  1. Download the IDCS metadata file from https://<IDCS_HOST>/fed/v1/metadata. This is the IdP (IDCS in this case) metadata, which must be imported into the SP (WebLogic Server in this case). Copy the file to the Admin server.
  2. Click Security Realm in the Domain Structure pane.
  3. On the Summary of Security Realms page, select the name of the realm (for example, myrealm). Click myrealm.
    The Settings for myrealm page appears.
  4. On the Settings for Realm Name page, select Providers > Authentication. In the Authentication Providers table, select the SAML 2.0 Identity Assertion provider, for example, SAML2Asserter.
    The Settings for SAML2Asserter page appears.
  5. On the Settings for SAML2Asserter page, select Management.
  6. In the table under Identity Provider Partners, click New > Add New Web Single Sign-On Identity Provider Partner.
  7. On the Create a SAML 2.0 Web Single Sign-on Identity Provider Partner page:
    1. Specify the name of the Identity Provider partner.
    2. In the field Path, specify the location of the IDCS metadata file.
    3. Click OK.
  8. On the Settings for SAML 2.0 Identity Asserter page, in the Identity Provider Partners table, select the name of your newly-created web single sign-on Identity Provider partner.
  9. In the General page, select the Enabled check box.
  10. Provide the Redirect URIs specific to the servers:
    • For Content server, /adfAuthentication.
    • For Capture Console, /dc-console/adfAuthentication.
    • For Capture Client, /dc-client/*.
    • For Content UI, /wcc/adfAuthentication.
  11. Click Save.
  12. Select Security Realm > myrealm > Providers. In the Authentication Providers table, click Reorder.
  13. In the Reorder Authentication Providers page, move SAML2Asserter to the top of the list of Authenticators and click OK.
  14. Restart the Admin and the managed servers.
16.6.5.4 Creating SAML Applications in IDCS

To create SAML applications in IDCS:

  1. Log in to the IDCS admin console.
  2. In the IDCS admin console, on the Applications icon, click Add an Application. The list of applications is displayed. Select the SAML Application.
  3. In the Add SAML Application Details page, enter the name of the application and its URL. For example, http://<HOST/IP>:<PORT>/cs or https://<HOST/IP>:<SSL_PORT>/cs.
    The application name must be unique, for example, UCMSAML.
  4. In the Add SAML Application SSO Configuration page, do the following:
    • In the Entity ID field, enter the value ucm. This is the same Entity ID as set in the managed server Service Provider.
    • In the Assertion Consumer URL field, enter http://<HOST/IP>:<PORT>/saml2/sp/acs/post or https://<HOST/IP>:<SSL_PORT>/saml2/sp/acs/post (copy the Location from md:AssertionConsumerService attribute of SP metadata xml file, for example, ucm_sp_metadata.xml).
    • For the NameID Format field, select the Unspecified option from the drop-down list.
    • For the NameID Value field, select the User Name option from the drop-down list.
  5. Click Finish to create a SAML application.
  6. Create two more SAML applications for Capture Server and Content UI.
  7. Provide above values from the respective metadata files and activate both the applications.

    Note:

    If OHS is in place, use the following values for the Application URLs and Assertion Consumer Service (ACS) URLs:

    Application     Assertion Consumer Service URL             Application URL
    Content Server  http://<HOST>/saml2/sp/acs/post            http://<HOST>/cs
    Capture         http://<HOST>/saml2_capture/sp/acs/post    http://<HOST>/dc-console
    Content UI      http://<HOST>/saml2_wcc/sp/acs/post        http://<HOST>/wcc
16.6.5.5 Assigning Groups to SAML Applications

For users to be authenticated through IDCS SAML, they must be added to the SAML application. If users are members of an IDCS group, that group can be added to the application and those users will be authenticated. If IDCS will be used for WCC user authorization, the groups that map to the corresponding WCC roles can be added to the application (as WCC users will already be members of those groups).

To assign groups to SAML applications:

  1. Create a group in IDCS, for example, WebcenterGroup and assign it to SAML applications.
  2. Go to the SAML Application. Click Groups > Assign. Assign WebcenterGroup group.

    Note:

    Only users who are part of the group will be able to use the WebCenter applications.
  3. Assign the group to all SAML applications that are already created.
  4. Add IDCS users to the WebcenterGroup group.
16.6.5.6 Modifying Cookie Path

For SAML 2.0, cookie path must be set to "/". Follow these steps to update cookie path to “/” for capture.ear and WccAdf.ear:

Note:

Before you make changes, take a backup copy of the ear file.
  1. Go to <MW_HOME>/wccapture/capture/lib.
  2. Unzip the capture.ear file: jar xvf capture.ear
  3. After extracting the capture.ear file, you should get two war files along with other contents:
    1. For Capture console, dc-admin.war
    2. For Capture client, dc-wa.war
  4. Unzip the dc-admin.war and dc-wa.war files in separate directories.
  5. In each extracted war, open the WEB-INF/weblogic.xml file and modify the cookie-path element under the session-descriptor element to the following value: <cookie-path>/</cookie-path>
  6. Remove the old dc-admin.war and dc-wa.war files and recreate them.
    jar -cvf dc-admin.war *
    jar -cvf dc-wa.war *
  7. Remove the old capture.ear file and recreate it.
    jar -cvf capture.ear *
  8. Replace the old capture.ear file with the new one.
  9. Restart the Admin and the managed servers.
  10. Similarly, update the cookie path for WccAdf.ear located at <MW_HOME>/wccontent/wccadf/lib/WccAdf.ear.
  11. In addition to modifying the cookie path, remove the following line only for WCC ADFUI: <cookie-name>WCCSID</cookie-name>.

    Note:

    The above approach is suitable for development and staging environments. If a Bundle Patch is applied, the ear files may get overwritten, requiring that the modification be made again.
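The manual steps above as a shell script, added here as an example that is not part of the Oracle documentation: set_cookie_path rewrites the cookie-path in an extracted WEB-INF/weblogic.xml (and, for the ADF UI module, also drops the WCCSID cookie-name), get_cookie_path reads the value back so the change can be verified, and repackage_ear wraps the jar extract and rebuild steps. It assumes the JDK jar tool is on PATH and that the war files sit at the root of the ear as the steps describe; the function names are this example's own.

```shell
# Added example, not Oracle's code. Assumes sed, awk and the JDK "jar" tool
# are on PATH; dc-admin.war, dc-wa.war and WccAdf.war are the module names
# listed in the steps above.

# set_cookie_path FILE [yes]
#   FILE : an extracted WEB-INF/weblogic.xml
#   yes  : also remove <cookie-name>WCCSID</cookie-name> (only for WccAdf.war)
set_cookie_path() {
    xml="$1"
    drop="${2:-no}"
    [ -f "$xml" ] || { echo "set_cookie_path: no such file: $xml" >&2; return 1; }
    cp "$xml" "$xml.bak"                       # keep a backup, as the Note advises
    # Replace whatever path is present (for example /dc-console) with "/"
    sed 's|<cookie-path>[^<]*</cookie-path>|<cookie-path>/</cookie-path>|' "$xml" > "$xml.tmp"
    if [ "$drop" = "yes" ]; then
        sed '/<cookie-name>WCCSID<\/cookie-name>/d' "$xml.tmp" > "$xml.tmp2" && mv "$xml.tmp2" "$xml.tmp"
    fi
    # A descriptor with no cookie-path at all gets one directly under session-descriptor
    if ! grep -q '<cookie-path>' "$xml.tmp"; then
        awk '{ print } /<session-descriptor>/ && !done { print "    <cookie-path>/</cookie-path>"; done = 1 }' \
            "$xml.tmp" > "$xml.tmp2" && mv "$xml.tmp2" "$xml.tmp"
    fi
    mv "$xml.tmp" "$xml"
}

# get_cookie_path FILE : print the current cookie-path value (empty if none)
get_cookie_path() {
    sed -n 's|.*<cookie-path>\([^<]*\)</cookie-path>.*|\1|p' "$1" | head -n 1
}

# repackage_ear EAR WAR... : extract EAR, fix each named WAR, rebuild EAR in place
#   repackage_ear <MW_HOME>/wccapture/capture/lib/capture.ear dc-admin.war dc-wa.war
#   repackage_ear <MW_HOME>/wccontent/wccadf/lib/WccAdf.ear WccAdf.war
repackage_ear() {
    ear="$1"; shift
    earabs="$(cd "$(dirname "$ear")" && pwd)/$(basename "$ear")"
    work="$(mktemp -d)"
    cp "$earabs" "$earabs.bak"                 # backup of the original ear
    ( cd "$work" && jar xf "$earabs" ) || return 1
    for war in "$@"; do
        wdir="$work/${war%.war}.extracted"
        mkdir -p "$wdir"
        ( cd "$wdir" && jar xf "$work/$war" ) || return 1
        drop=no
        [ "$war" = "WccAdf.war" ] && drop=yes
        set_cookie_path "$wdir/WEB-INF/weblogic.xml" "$drop" || return 1
        rm -f "$work/$war"
        ( cd "$wdir" && jar cf "$work/$war" * ) || return 1   # same as "jar -cvf <war> *"
        rm -rf "$wdir"
    done
    ( cd "$work" && jar cf "$earabs" * ) || return 1           # same as "jar -cvf capture.ear *"
    rm -rf "$work"
}
```

Restart the Admin and managed servers after repackaging, as in step 9 above.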
16.6.5.6.1 Creating a Deployment Plan to Override the Cookie-Path

For production deployments, follow these steps:

  1. Create a plan.xml file in DOMAIN_HOME. The config-root element in plan.xml should point to the DOMAIN_HOME directory, for example, <config-root>MW_HOME/user_projects/domains/base_domain/</config-root>.
  2. Redeploy using weblogic.Deployer:
    java -cp <MW_HOME>/wlserver/server/lib/weblogic.jar:. weblogic.Deployer \
        -username weblogic -password <password> \
        -adminurl t3://<admin hostname>:7001 \
        -plan <path of plan.xml> \
        -deploy <MW_HOME>/wccapture/capture/lib/capture.ear \
        -targets <comma separated cluster targets>
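A plan.xml that performs the cookie-path override described above, added here as an example and not taken from the Oracle documentation. It assumes the deployed application is named capture and that both Capture web modules already contain a cookie-path element; the variable name is this example's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example deployment plan (not Oracle's). Overrides
     session-descriptor/cookie-path in both Capture web modules without
     editing capture.ear, so a Bundle Patch cannot silently undo the change. -->
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
                 global-variables="false">
  <application-name>capture</application-name>   <!-- assumed deployment name -->
  <variable-definition>
    <variable>
      <name>SessionDescriptor_CookiePath</name>   <!-- example's own variable name -->
      <value>/</value>
    </variable>
  </variable-definition>
  <!-- Capture console module -->
  <module-override>
    <module-name>dc-admin.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookiePath</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-path</xpath>
        <!-- "replace" needs an existing element; use "add" if the descriptor has none -->
        <operation>replace</operation>
      </variable-assignment>
    </module-descriptor>
  </module-override>
  <!-- Capture client module -->
  <module-override>
    <module-name>dc-wa.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookiePath</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-path</xpath>
        <operation>replace</operation>
      </variable-assignment>
    </module-descriptor>
  </module-override>
  <!-- must point to DOMAIN_HOME, as step 1 requires -->
  <config-root>MW_HOME/user_projects/domains/base_domain/</config-root>
</deployment-plan>
```

For WccAdf.ear, use the same structure with the application name and module name of the ADF UI deployment.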
16.6.5.7 Configuring Oracle HTTP Server

Each OHS Location must have a unique URI, because there can be only one <Location /saml2>. If multiple managed servers are configured for SAML, each managed server requires its own unique location.

After OHS installation and configuration is done, the mod_wl_ohs configuration file (mod_wl_ohs.conf) contains the routing rules. Additionally, ensure that the following port mappings are present:

  1. /saml2 mapped to the Content Server port.
  2. /saml2_capture mapped to the Capture port.
  3. /saml2_wcc mapped to the Content UI port.
16.6.5.7.1 Manual Deployment of saml2.war File

Because a different SAML2 context root is used for each of the SAML2 applications, the saml2.war application must be deployed manually for each managed server or cluster, except for the managed server or cluster that uses the /saml2 context root, where it is already deployed automatically.

  1. In the domain AdminServer console, select Deployments. Click Install.
  2. Set path to <Middleware Home>/wlserver/server/lib.
  3. Select the saml2.war file. Click Next.
  4. Leave the Install this deployment as an application option selected and click Next.
  5. Select the managed server or cluster to deploy this. Do not make any changes to the pages and click Finish.
  6. Select the Configuration tab.
  7. Set the context root to match that of the OHS location:
    /saml2_capture
    /saml2_wcc
  8. Click Save.
  9. Set the path for the deployment plan.xml file:
    <Domain Home>/servers/<Managed Server>/plan.xml
    For a cluster, the plan.xml file shouldn’t be under a particular managed server directory, in case that system is down.
  10. Click Save.
  11. Restart the managed server(s).
16.6.5.8 Configuring Desktop Client

For the Desktop client to recognize an IdP's login page, the string <!--IdcClientLoginForm=1--> must be present in the SSO provider's login page. Because this string cannot be added to the default IDCS login page, you must build a custom sign-in page that includes it.

Creating a Custom Sign-in Page in IDCS

To configure the custom sign-in page, see Customize the Oracle Identity Cloud Service Sign-In Page.

For Step 2 in the above link, Configure an Application to Use the Custom Sign-In Page, you do not need to create a new application; use the existing SAML application for the WebCenter Content server instead. Only the Custom Login URL field needs to be updated.

Note:

  • This tutorial uses localhost:3000 to host the sample custom sign-in application. If you deploy this application to another location, update the Custom Login URL field with the corresponding URL for the sign-in sample application.
  • Don't deploy the custom sign-in application in the same domain, URL and server where you host your other applications. The sign-in page needs to be deployed as a single central service accessible to all other applications and users.
  • After performing the above steps, the WebCenter Content server is also redirected to the custom sign-in page instead of the default IDCS login page.