Initially, the policy and credential store for WebCenter Portal is configured to use a database. For production environments, your policy and credential store must be configured to use the default database or an external LDAP (either Oracle Internet Directory 11gR1 or 10.1.4.3). You should not attempt to use a file-based LDAP for HA or production environments.
Reassociating the policy and credential store with OID consists of creating a root node in the LDAP directory, and then reassociating the policy and credential store with the OID server using Fusion Middleware Control, or from the command line using WLST. Note that if you reassociate the policy and credential store to use an external LDAP-based store, the credential store and policy store must be configured to use the same LDAP server. The identity store can, however, use any of the other supported LDAP servers; it does not need to use the same LDAP server as the policy and credential stores. For troubleshooting information, see Reassociation Failure in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.
Caution:
Before reassociating the policy store, be sure to back up the relevant configuration files:
jps-config.xml
system-jazn-data.xml
As a precaution, you should also back up the boot.properties file for the Administration Server for the domain.
Permissions:
To perform the tasks in this chapter, you must be granted the WebLogic Server Admin role through the Oracle WebLogic Server Administration Console. Users with the Monitor or Operator roles can view security information but cannot make changes.
See also Understanding Administrative Operations, Roles, and Tools.
The first step in reassociating the policy and credential store with OID is to create an LDIF file in the LDAP directory and add a root node under which all data is added. To create the root node, follow the steps in Prerequisites to Using an LDAP-Based Security Store in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services. After creating the file and adding the node, continue by reassociating the store using either Fusion Middleware Control or WLST.
Before reassociating the policy and credential store with Oracle Internet Directory, you must first have created the root node as described in Prerequisites to Using an LDAP-Based Security Store in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services. After creating the root node, follow the steps in Reassociating with Fusion Middleware Control in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services. If the reassociation fails, see Reassociation Failure in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.
Before reassociating the policy and credential store with Oracle Internet Directory, you must first have created the root node as described in Prerequisites to Using the LDAP Policy Store in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services. If the reassociation fails, see Reassociation Failure in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.
To reassociate the Credential and Policy Store using WLST:
Administrators can manage credentials for the WebCenter Portal domain credential store using Fusion Middleware Control. For more information, see Managing Credentials with Fusion Middleware Control in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.
This section describes how you can use Fusion Middleware Control, WLST, and the runtime administration pages in WebCenter Portal to manage users and application roles.
This section contains the following subsections:
WebCenter Portal only recognizes users in the identity store that is mapped by the first authenticator. Since the WebCenter Portal Administrator account is initially created only in the embedded LDAP server, if an external LDAP such as Oracle Internet Directory is configured as the primary authenticator for WebCenter Portal, you must also create a user in that LDAP and grant that user the WebCenter Portal Administrator role.
You can grant a user the WebCenter Portal Administrator role using Fusion Middleware Control or WLST as shown below in the sections on:
This section describes how to grant the WebCenter Portal administrator role to a user account other than the default "weblogic" account.
To grant the WebCenter Portal Administrator role using Fusion Middleware Control:
Log into Fusion Middleware Control and navigate to the WebCenter Portal home page.
From the WebCenter Portal menu, select Security and then Application Roles.
The Application Roles page opens (see Figure 27-1).
Search for the WebCenter Portal Administrator role:
In the Role Name field, enter the following internal identifier for the Administrator role, and then click the Search (arrow) icon:
s8bba98ff_4cbb_40b8_beee_296c916a23ed#-#Administrator
The search should return s8bba98ff_4cbb_40b8_beee_296c916a23ed#-#Administrator, which is the administrator role identifier.
Click the administrator role identifier from the search results and click Edit.
The Edit Application Role page opens (see Figure 27-2).
Click Add from the Members section.
The Add Principal dialog opens (see Figure 27-3).
Search for the user to assign the Administrator role to.
From the Type drop-down, select User.
Enter search criteria in the Principal Name and/or Display Name fields: either part of the user name or the initial characters of the user name.
Optionally, after selecting User, select the Check to enter principal name here option in the Advanced Option section, and then enter your search criteria in the Principal Name and/or Display Name fields.
Click OK.
The Add Principal dialog closes and the user name is added to the list of members.
To remove the weblogic role from the Edit Application Role page, select the role and click Delete, then click Yes on the confirmation dialog.
On the Edit Application Role page, click OK.
This section describes how to add users to application roles using Fusion Middleware Control and WLST commands.
This section contains the following topics:
This section describes how to grant an application role to users using Fusion Middleware Control.
Log in to Fusion Middleware Control and navigate to the home page for WebCenter Portal.
From the WebCenter Portal menu, select Security and then Application Roles.
The Application Roles page opens.
In the Role Name field, enter webcenter to search for all application roles in WebCenter Portal, or enter the name of the role (for example, appConnectionManager), and then click the Search (arrow) icon.
If you are not sure of the name, enter a partial search term or leave the field blank to display all the application roles.
The Application Roles page opens.
Select the role you want to add the user to, then click Edit.
For example, to add a user to the Public Role, select the row Public Role.
Figure 27-6 Role Name Search Results
In the Edit Application Role page that opens for the selected role, click Add.
In the Add Principal dialog that opens, search for the user.
From the Type drop-down, select User.
Enter search criteria in the Principal Name and/or Display Name fields: either part of the user name or the initial characters of the user name.
Select the user name from the Searched Principals table, then click OK.
The Add Principal dialog closes and the user name is added to the list of members for the application role on the Edit Application Role page.
Figure 27-8 User Added to Application Role
On the Edit Application Role page, click OK.
Restart the WebCenter Portal (WC_Portal) managed server.
WebCenter Portal provides a Security tab from which an administrator can define application roles and grant application roles to users defined in the identity store. For information about managing users and application roles in WebCenter Portal, see Managing Users and Application Roles.
Caution:
The "Allow Password Change" property, which specifies whether users can change their passwords within WebCenter Portal, should be carefully controlled for corporate identity stores. WebCenter Portal administrators can set this property from the Profile Management Settings page in WebCenter Portal. For more information, see Configuring Profile.
WebCenter Portal supports self-registration by invitation, as described in Enabling Self-Registration By Invitation-Only. The self-registration 'by-invitation' feature requires that the WebCenter Portal domain credential store contain the following password credentials:
map name = o.webcenter.security.selfreg
key = o.webcenter.security.selfreg.hmackey
user name = o.webcenter.security.selfreg.hmackey
To enable Allow Self-Registration Through Invitations in WebCenter Portal Administration, use Fusion Middleware Control or the WLST command createCred to create the password credentials detailed above. For example:
createCred(map="o.webcenter.security.selfreg", key="o.webcenter.security.selfreg.hmackey", type="PC", user="o.webcenter.security.selfreg.hmackey", password="<password>", url="<url>", port="<port>", [desc="<description>"])
For more information, see Managing Credentials with WLST Commands in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.
This section provides recommended cache settings that should be configured after installation. Although settings for cache sizes and maximum group hierarchies should be based on your specific environment, the following sections provide recommendations that you can use as a starting point. For a complete list of tuning parameters and recommended values for WebCenter Portal, see Oracle WebCenter Portal Performance Tuning in Oracle Fusion Middleware Tuning Performance.
This section includes the following topics:
The authorization policies used by WebCenter Portal use an in-memory cache with a default policy refresh time of 10 minutes. In a multi-node high availability environment where, after a node failure, you need the policy data to be replicated to the remaining nodes more quickly, you can shorten the policy store refresh interval by modifying the domain-level jps-config.xml file and adding the following entry:
oracle.security.jps.ldap.policystore.refresh.interval=<time_in_milli_seconds>
This should be added as a property of the PDP service node, so that the node reads as follows:
<serviceInstance provider="pdp.service.provider" name="pdp.service">
    <!-- existing properties of the node are retained -->
    <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="<time_in_milli_seconds>"/>
</serviceInstance>
Note that the policy refresh interval should not be set to too small a value as the frequency at which the server cached policy is refreshed may impact performance.
After modifying the jps-config.xml file, restart all servers in the domain. For more information, see Refreshing the Policy Cache in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.
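The following Python script is an added example, not part of the Oracle documentation or of WebCenter Portal, that applies the jps-config.xml change described above to a constructed sample file: it locates the pdp.service node, adds or updates the refresh property exactly once (so a re-run never creates a duplicate), and warns when the interval is shorter than an assumed floor. The 60-second floor, the sample file and the unnamed existing property are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

PROP = "oracle.security.jps.ldap.policystore.refresh.interval"
DEFAULT_MS = 10 * 60 * 1000   # the 10-minute default refresh stated in the documentation
MIN_SAFE_MS = 60 * 1000       # assumed floor for the "not too small" warning, not an Oracle value
JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
ET.register_namespace("", JPS_NS)  # keep the default namespace on output instead of ns0: prefixes

# Constructed, minimal stand-in for a domain jps-config.xml; a real file has many more nodes.
SAMPLE_JPS_CONFIG = f"""<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="{JPS_NS}">
  <serviceInstances>
    <serviceInstance provider="pdp.service.provider" name="pdp.service">
      <property name="example.existing.property" value="unchanged"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

def _local(tag):
    # Strip a namespace of the form '{uri}name' so matching works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def _find_pdp_node(root):
    for el in root.iter():
        if (_local(el.tag) == "serviceInstance" and el.get("name") == "pdp.service"
                and el.get("provider") == "pdp.service.provider"):
            return el
    raise LookupError("no pdp.service serviceInstance found in jps-config.xml")

def set_policy_refresh_interval(xml_text, interval_ms, min_safe_ms=MIN_SAFE_MS):
    """Return (updated xml, warning or None); the property is added or updated exactly once."""
    if not isinstance(interval_ms, int) or interval_ms <= 0:
        raise ValueError("interval must be a positive whole number of milliseconds")
    warning = None
    if interval_ms < min_safe_ms:
        warning = f"{interval_ms} ms is below {min_safe_ms} ms; very frequent refreshes cost performance"
    root = ET.fromstring(xml_text)
    pdp = _find_pdp_node(root)
    prop_tag = pdp.tag[: -len("serviceInstance")] + "property"  # same namespace as the node
    existing = [p for p in pdp.findall(prop_tag) if p.get("name") == PROP]
    if existing:
        existing[0].set("value", str(interval_ms))   # idempotent: update, never duplicate
    else:
        ET.SubElement(pdp, prop_tag, name=PROP, value=str(interval_ms))
    return ET.tostring(root, encoding="unicode"), warning

def get_policy_refresh_interval(xml_text):
    """Effective interval in ms: the configured property, or the 10-minute default when absent."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "property" and el.get("name") == PROP:
            return int(el.get("value"))
    return DEFAULT_MS
```

Write the returned XML back over jps-config.xml only after reviewing it, and restart all servers in the domain as described above for the new interval to take effect.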
This section describes the recommended settings for the connection pool cache.
To set the connection pool cache:
This section describes the recommended settings for user cache settings.
To set user cache settings: