
5-56 Oracle Fusion Middleware System Administrators Guide for Oracle Content Server

more useful. For both types of connections, credential mapping can provide additional security.

Typical uses of the ProxyConnections8 component include the following:

■ To provide the capability to perform archive replication of content items over HTTP or HTTPS. For example, a company has acquired another company, but they do not have a common infrastructure for sharing information. Both companies have a Secure Sockets Layer (SSL) connection to the Internet. The company wants to share content between the two sites. ProxyConnections can be used to set up a secure Internet connection between the companies' servers so that content can be securely accessed from one site, replicated, and archived at the other site.

■ To better restrict access to Oracle Content Server instances by using named passwords to target proxy connections. For example, a company wants to apply additional security to connections coming from one Oracle Content Server instance to another Oracle Content Server instance. Using named passwords, an administrator can restrict access by incoming connections to those with preset proxy connections and named passwords.

The ProxyConnections8 component is installed and enabled by default with Content Server software.

5.8.2 Credential Mapping

A credential map is a mapping of credentials used by an Oracle Content Server instance to credentials used in a remote system, which tells the Oracle Content Server instance how to connect to a given resource in that system. Administrators can create multiple credential maps for users, roles, and accounts.

Credential mapping can be useful in a proxy scenario, for example, where credentials for users, roles, or accounts created on one Content Server instance can be mapped to the users, roles, or accounts on another Content Server instance, thus allowing users controlled access to information on more than one Content Server instance.

This section covers the following topics:

■ Section 5.8.2.1, About Credential Mapping
■ Section 5.8.2.2, Credential Values
■ Section 5.8.2.3, Matching Accounts and Roles
■ Section 5.8.2.4, Creating a Credential Map

5.8.2.1 About Credential Mapping

When you create a credential map you enter a unique identifier for the map and specific credential values for users, roles, and accounts. In a proxy connection, when user credentials match an input value, then the user is granted the credentials specified in the output value.

Note: A site can have multiple Content Server instances, but each Content Server instance must be installed on its own Oracle WebLogic Server domain.

The user credentials are evaluated in the following order:

1. All the roles.
2. All the accounts.
3. The user name.

After the translation is performed, the user only has the attribute values that were successfully mapped from input values.

When you have created credential maps, you can specify a credential map along with a named password connection when configuring an outgoing provider. You also can specify a credential map when configuring a user provider such as LDAP. The default behavior for an LDAP provider is that the guest role is not automatically assigned to users.

Credential mapping implementation is duplicated in the web server plug-in and in Oracle UCM. It is designed and implemented for optimal performance, so that any changes in the mapping are applied immediately. This can be compared to performance in NT or ADSI user storage using the NT administrator interfaces, where changes are cached and not reflected in the Oracle Content Server instance for up to a couple of minutes.

5.8.2.2 Credential Values

A credential input value is matched if there is an exact match in the case of a role or user name. An input account value is matched if one of the user accounts has a prefix, except for the case of a filter (see Section 5.8.2.3, Matching Accounts and Roles). For example, the following credential values reduce all users who might otherwise have the admin role to instead have the guest role:

admin, guest

The following table lists the basic syntax for credential values:

Value                                       Prefix or Sequence   Example
User name                                                        name
Role                                                             admin
Account                                                          marketing
Empty account                               none                 none
All accounts                                all                  all
Ignore the value or comment out the value                        comment

Note: For information on credential mapping outside of an Oracle Content Server instance, see Credential Mapping Providers in Oracle Fusion Middleware Developing Security Providers for Oracle WebLogic Server.

You can view which credentials are applied by default if no credential map is assigned. Use the following mapping, which maps everything without change. This mapping first filters all roles, then all accounts. For more information about mapping syntax see Section 5.8.2.3, Matching Accounts and Roles.

|all|,
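The matching rules from Sections 5.8.2.1 and 5.8.2.2, modeled in Python as an added example (not Oracle's code and not the product's credential-value syntax). It assumes rules are hypothetical tuples, that an account matches when the user's account begins with the rule's input value, and that filters are not modeled; it reports which credentials a map grants and which it drops.

```python
# Added illustration: a simplified model of the matching rules in Sections
# 5.8.2.1 and 5.8.2.2. All names are hypothetical; this is not Oracle's
# parser and it does not use the product's credential-value syntax.

ORDER = ("role", "account", "user")  # evaluation order stated in the text


def matches(kind, rule_input, credential):
    # Roles and user names need an exact match; an account matches when the
    # user's account starts with the rule's input value (assumed reading of
    # "has a prefix"). Filters from Section 5.8.2.3 are not modeled.
    if kind == "account":
        return credential.startswith(rule_input)
    return credential == rule_input


def apply_map(rules, roles, accounts, user_name):
    """rules: list of (in_kind, in_value, out_kind, out_value) tuples.

    Returns (granted, dropped): granted maps each kind to the set of output
    values; dropped lists the input credentials that no rule matched.
    """
    held = {"role": list(roles), "account": list(accounts), "user": [user_name]}
    granted = {kind: set() for kind in ORDER}
    dropped = []
    for kind in ORDER:
        for credential in held[kind]:
            hits = [r for r in rules if r[0] == kind and matches(kind, r[1], credential)]
            for _, _, out_kind, out_value in hits:
                granted[out_kind].add(out_value)
            if not hits:
                # Unmapped attributes do not survive the translation.
                dropped.append((kind, credential))
    return granted, dropped


# Constructed sample map: the page's "admin, guest" downgrade plus one
# account rule invented for this example.
SAMPLE_RULES = [
    ("role", "admin", "role", "guest"),
    ("account", "marketing", "account", "partner"),
]

if __name__ == "__main__":
    granted, dropped = apply_map(
        SAMPLE_RULES, ["admin", "contributor"], ["marketing/emea", "finance"], "jsmith")
    print("granted:", granted)
    print("dropped:", dropped)
```

Reviewing the dropped list before assigning a map to an outgoing or LDAP provider shows which roles and accounts users will lose on the remote instance.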