10-2 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle WebCenter

10.1.2 Credential Store Configuration

A credential store is a repository of security data credentials. A credential can hold user name and password combinations, tickets, or public key certificates. Credentials are used during authentication, when principals are populated in subjects, and, further, during authorization, when determining what actions the subject can perform. In this section, steps are provided to configure Oracle Internet Directory LDAP as a credential store for the Oracle Fusion Middleware WebCenter Enterprise Deployment topology. For more details on credential store configuration, refer to the Configuring the Credential Store chapter in the Oracle Fusion Middleware Security Guide. The following section describe credential store configuration: ■ Section 10.1.2.1, Creating the LDAP Authenticator ■ Section 10.1.2.2, Moving the WebLogic Administrator to LDAP ■ Section 10.1.2.3, Reassociating the Domain Credential Store

10.1.2.1 Creating the LDAP Authenticator

To be safe, before you create the LDAP authenticator, you should first back up the relevant configuration files: ORACLE_BASE admindomain_nameaserverdomain_nameconfigconfig.xml ORACLE_BASE admindomain_nameaserverdomain_ nameconfigfmwconfigjps-config.xml ORACLE_BASE admindomain_nameaserverdomain_ nameconfigfmwconfigsystem-jazn-data.xml Also back up the boot.properties file in the ORACLE_BASEadmindomain_ nameaserverdomain_nameserversAdminServersecurity directory for the Administration Server. To configure the credential store to use LDAP, set the proper authenticator using the WebLogic Server Console: 1. Log in to the WebLogic Server Console.

2. Click the Security Realms link on the left navigational bar.

3. Click the myrealm default realm entry to configure it.

4. Open the Providers tab within the realm.

5. Observe that there is a DefaultAuthenticator provider configured for the realm.

6. Click the New button to add a new provider.

7. Enter a name for the provider such as OIDAuthenticator or OVDAuthenticator

depending on whether Oracle Internet Directory or Oracle Virtual Directory will be used. Note: The backend repository for the policy store and the credential store must use the same kind of LDAP server. To preserve this coherence, note that reassociating one store implies reassociating the other one, that is, the reassociation of both the credential and the policy stores is accomplished as a unit using the Enterprise Manager or the WLST command reassociateSecurityStore. For more information, see Section 10.1.4, Reassociation of Credentials and Policies. Integration With Oracle Identity Management 10-3

8. Select the OracleInternetDirectoryAuthenticator or

OracleVirtualDirectoryAuthenticator type from the list of authenticators depending on whether Oracle Internet Directory or Oracle Virtual Directory will be used.

9. Click OK.

10. In the Providers screen, click the newly created Authenticator.

11. Set the control flag to SUFFICIENT. This indicates that if a user can be

authenticated successfully by this authenticator, then it should accept that authentication and should not continue to invoke any additional authenticators. If the authentication fails, it will fall through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flag set to SUFFICIENT ; in particular, check the DefaultAuthenticator and set that to SUFFICIENT .

12. Click Save to save this setting.