12-4 Oracle Fusion Middleware Developer's Guide for Oracle Universal Content Management
12.3 Installation and Configuration
The Oracle UCM web services are installed and ready to use by default with the Oracle UCM EAR. However, unless you configure WS-Security on the Oracle UCM web services, all connections to Oracle Content Server use the “anonymous” user. Additional configuration is required to enable authentication.
12.4 Security
The following subsections describe how to configure security for Oracle UCM web services.
■ Section 12.4.1, "Configuring WS-Security through WS-Policy"
■ Section 12.4.2, "Configuring SAML Support"
12.4.1 Configuring WS-Security through WS-Policy
Web service security (WS-Security) is set through the use of web service policies (WS-Policy). Security policies can be attached to web services in order to define their security protocol. In particular, the Oracle UCM web services support OWSM policies.
Two general classes of policies are supported: username-token and SAML. The following is a list of supported OWSM policies:
■ oracle/wss11_saml_token_with_message_protection_service_policy
■ oracle/wss11_username_token_with_message_protection_service_policy
To set WS-Policy:
1. Access the Oracle WebLogic Server Administration Console.
2. Select Deployments from the side panel, then expand either the Oracle UCM native web services or the Oracle UCM generic web services.
3. Select IdcWebLogicService or GenericSoapService, then click the Configuration tab, and then click the WS-Policy tab.
4. Click the main service. From here you can choose which OWSM policies to add.
5. When you have finished adding OWSM policies, you must update the Oracle UCM native web services or the Oracle UCM generic web services.
12.4.2 Configuring SAML Support
To provide SAML support, so that the client can be the identity provider (that is, assert credentials), additional steps must be taken: configure a keystore, configure a JPS provider to use the keystore, create a client credential store (CSF), and configure a Java client to use the keystore and CSF.
12.4.2.1 Configuring a Keystore
Both the server and client need a copy of a keystore. The server uses the keystore to authenticate the credentials passed by the client. A self-signed certificate can work for
this situation, because the keystore is used only as a shared secret.
Using Oracle UCM Web Services 12-5
You can use the keytool utility to generate a self-signed certificate. Many of the values used in the following example are the defaults for the domain's config/fmwconfig/jps-config.xml file explained in the next section:
keytool -genkey -alias orakey -keyalg RSA -keystore default-keystore.jks -keypass welcome -storepass welcome
Any relevant data can be entered in the keytool command, but the specifics do not matter except for the passwords for the keystore and the certificate, which the client
uses.
12.4.2.2 Configuring Server JPS to Use the Keystore
Configuring the keystore on the Oracle WebLogic Server domain involves editing the domain/config/fmwconfig/jps-config.xml file.
A provider must be defined in serviceProviders. A provider should be defined by default.
<serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
  <description>PKI Based Keystore Provider</description>
  <property name="provider.property.name" value="owsm"/>
</serviceProvider>
When you have verified the provider, or created or modified a provider, a keystore instance must be defined in serviceInstances. A keystore instance should be defined
by default.
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
The location of the keystore instance must be set to the same location as when you created the keystore.
Additionally, the keystore must be added to jpsContexts. This setting should be in the jps-config.xml file by default.
<jpsContext name="default">
  <serviceInstanceRef ref="credstore"/>
  <serviceInstanceRef ref="keystore"/>
  <serviceInstanceRef ref="policystore.xml"/>
  <serviceInstanceRef ref="audit"/>
  <serviceInstanceRef ref="idstore.ldap"/>
</jpsContext>
12.4.2.3 Creating a Client CSF
On the client, there must be a credential store to store the keys to unlock the keystore. A Credential Store Framework (CSF) can be made in a variety of ways, but one way is to use the Oracle WebLogic Server Scripting Tool (WLST). You must use the wlst command from the EM interface.
To use WLST to create a credential, you must be connected to the Oracle WebLogic Server domain. Note that the resulting wallet can be used only on the client.
./wlst.sh
connect()
createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore", password="welcome")
createCred(map="oracle.wsm.security", key="sign-csf-key", user="orakey", password="welcome")
createCred(map="oracle.wsm.security", key="enc-csf-key", user="orakey", password="welcome")
The preceding example creates a CSF wallet at domain/config/fmwconfig/cwallet.sso that must be given to the client. You need to change the values from the example to match the alias and passwords from the keystore you created.
12.4.2.4 Configuring a Java Client to Use the Keystore and CSF
In order to configure a Java client to use the keystore and CSF, there are two requirements:
■ The Java client must have a copy of both the keystore and the CSF wallet.
■ There must be a client version of the jps-config.xml file. This file must contain entries for locating the keystore as well as the CSF wallet. To configure security, the Java system property “oracle.security.jps.config” must point towards the jps-config.xml file. This can be set during execution in the client:
System.setProperty("oracle.security.jps.config", "jps-config.xml");
The following example shows a jps-config.xml file for clients based on the configuration provided in previous examples.
<jpsConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="jps-config.xsd">
  <serviceProviders>
    <serviceProvider name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider">
      <description>SecretStore-based CSF Provider</description>
    </serviceProvider>
    <serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
      <description>PKI Based Keystore Provider</description>
      <property name="provider.property.name" value="owsm"/>
    </serviceProvider>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp" location=".">
      <description>File Based Credential Store Service Instance</description>
    </serviceInstance>
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <description>Default JPS Keystore Service</description>
      <property name="keystore.type" value="JKS"/>
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="keystore"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
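A consistency check for the client-side configuration built in Sections 12.4.2.2 through 12.4.2.4, added here as an example and not part of the Oracle guide: it parses a client jps-config.xml and verifies that the keystore instance's CSF map and key names match what the createCred calls wrote to the wallet, and that the default jpsContext references both the credstore and the keystore. The sample XML and the wallet key set are constructed from the values shown in the text.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the client jps-config.xml from the text, trimmed to the
# elements this check reads (the two instances and the default jpsContext).
SAMPLE_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp" location="."/>
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="keystore"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>"""

# Map and key names written to cwallet.sso by the createCred calls in 12.4.2.3.
WALLET_MAP = "oracle.wsm.security"
WALLET_KEYS = {"keystore-csf-key", "sign-csf-key", "enc-csf-key"}
CSF_PROPS = ("keystore.pass.csf.key", "keystore.sig.csf.key", "keystore.enc.csf.key")

def check_client_config(xml_text, wallet_map=WALLET_MAP, wallet_keys=WALLET_KEYS):
    # Returns the list of problems found; an empty list means the config is consistent.
    root = ET.fromstring(xml_text)
    problems = []
    instances = {i.get("name"): i for i in root.iter("serviceInstance")}
    ks = instances.get("keystore")
    if ks is None:
        problems.append("no serviceInstance named 'keystore'")
    else:
        props = {p.get("name"): p.get("value") for p in ks.iter("property")}
        # The CSF map and keys must be the ones actually in the wallet, or JPS
        # cannot unlock the keystore or locate the signing and encryption key.
        if props.get("keystore.csf.map") != wallet_map:
            problems.append(f"keystore.csf.map {props.get('keystore.csf.map')!r} != wallet map {wallet_map!r}")
        for prop in CSF_PROPS:
            if props.get(prop) not in wallet_keys:
                problems.append(f"{prop} = {props.get(prop)!r} is not a key in the wallet")
    # The default jpsContext must wire in both the credstore and the keystore.
    ctxs = root.find("jpsContexts")
    ctx = next((c for c in root.iter("jpsContext") if ctxs is not None and c.get("name") == ctxs.get("default")), None)
    refs = {r.get("ref") for r in ctx.iter("serviceInstanceRef")} if ctx is not None else set()
    for needed in ("credstore", "keystore"):
        if needed not in refs:
            problems.append(f"default jpsContext does not reference {needed!r}")
    return problems
```

Run it against the real client file with `check_client_config(open("jps-config.xml").read(), wallet_keys=...)`, passing the key names you actually used in createCred.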
Customizing DesktopTag 13-1
13 Customizing DesktopTag
This chapter describes how to customize the DesktopTag component of Oracle Content Server to specify properties for checked out versions of Microsoft Word, Excel, and
PowerPoint files.
This chapter includes the following sections:
■ Section 13.1, "About the DesktopTag Component"
■ Section 13.2, "System Requirements"
■ Section 13.3, "DesktopTag Component Operation"
■ Section 13.4, "Using the DesktopTag Component"
■ Section 13.5, "Configuring the DesktopTag Component"
13.1 About the DesktopTag Component
DesktopTag is an Oracle Content Server component that manages custom properties in files created using the default formats of Microsoft Office applications (2002 or later versions). The component adds custom properties to Word documents (DOC, DOCX, and DOT files), Excel spreadsheets (XLS, XLSX, and XLT files), and PowerPoint presentations (PPT and PPTX files) when they are checked out of Oracle Content Server, and removes this information when they are checked in again.
The properties to be added to the Microsoft Office files are specified in the DesktopTag configuration file. For more information, see Section 13.5, "Configuring the DesktopTag Component."
The custom properties provide information about where a content item resides in Oracle Content Server so that the file can be checked in to the right location, with the right content management parameters, and so on. This is particularly useful if the content item is processed outside of Oracle Content Server after check-out; for example, in an external workflow (that is, one that is not managed by Oracle Content Server). Also, the information can be exposed to users; for example, in the task area of Microsoft Office applications.
DesktopTag uses the Oracle Clean Content technology to add custom properties to and remove them from Microsoft Office files.
13.2 System Requirements
The DesktopTag component is included with Oracle Content Server 11gR1. It must be enabled on Oracle Content Server because it is not enabled by default. The DesktopTag
component requires that the OracleCleanContent component is enabled as well. The OracleCleanContent component is enabled with typical Oracle Content Server
installations.
You can enable components using Component Manager, which is launched from the Content Admin Server page. For more information about enabling components, see "Enabling and Disabling a Component" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server.
DesktopTag can add custom properties to the following Microsoft Office applications:
■ Microsoft Word 2002 (XP) and later versions
■ Microsoft Excel 2002 (XP) and later versions
■ Microsoft PowerPoint 2002 (XP) and later versions
13.3 DesktopTag Component Operation