Select the Select Application Stripe to Search option, then select the application stripe webcenter for WebCenter Spaces.

Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter

6. Grant System Admin privileges to the user you created, as shown in Figure 28–24.

Figure 28–24 Grant New Permissions Pane with New User

7. Click System, then System Properties.

The Jive Properties page displays (see Figure 28–25).

Figure 28–25 Jive Properties Page

8. Check that the properties marked in red have been added and are set as shown in Figure 28–25.

9. Log in to the WebLogic Server Administration Console. For information on logging in to the WebLogic Server Administration Console, see Section 1.13.2, Oracle WebLogic Server Administration Console.

10. In the Domain Structure pane (see Figure 28–26), click Security Realms.

Figure 28–26 Domain Structure Pane

The Summary of Security Realms pane displays (see Figure 28–27).

Figure 28–27 Summary of Security Realms Pane

11. In the Name column, click the realm for which you want to change the administrator group name.

The Realm Settings pane displays (see Figure 28–28).

Figure 28–28 Realm Settings Pane

12. Select the Providers tab and the Authentication sub-tab, and reorder the authentication providers so that the authenticator for the external LDAP appears at the top of the list, as shown in the example in Figure 28–29:

Figure 28–29 Providers Tab with Reordered Authentication Providers

13. Restart the domain Administration Server and discussions server.

28.5.2 Changing the Administrator Group Name

You can change the group name to any other valid enterprise role in your LDAP server that contains users authorized to manage the domain. This lets you delegate the administration of specific domains in your enterprise. You can create various administration groups in the directory and configure each domain to use the appropriate group for defining its administrators.

The following example LDIF file creates an administrative group in Oracle Internet Directory:

    dn: cn=wc_domain_Admin,cn=groups,dc=example,dc=com
    cn: wc_domain_Admin
    uniquemember: cn=joe.admin,cn=users,dc=example,dc=com
    owner: cn=orcladmin
    displayname: WebLogic Administrators Group
    description: WebLogic Administrators Group
    objectclass: orclgroup
    objectclass: groupofuniquenames

Once this group is created, you must update the role definition for the WebLogic Server global Admin role using the WebLogic Server Administration Console.

To update the role definition for the WebLogic Server global Admin role:

1. Log in to the WebLogic Server Administration Console. For information on logging into the WebLogic Server Administration Console, see Section 1.13.2, Oracle WebLogic Server Administration Console.

2. In the Domain Structure pane (see Figure 28–30), click Security Realms.

Figure 28–30 Domain Structure Pane

The Summary of Security Realms pane displays (see Figure 28–31).

Figure 28–31 Summary of Security Realms Pane

3. In the Name column, click the realm for which you want to change the administrator group name.

The Realm Settings pane displays (see Figure 28–32).

Figure 28–32 Realm Settings Pane

4. Open the Roles and Policies tab, and then the Realm Roles subtab.

The Realm Roles settings pane displays (see Figure 28–33).

Figure 28–33 Realm Roles Settings Pane

5. Expand the Global Roles node, and then the Roles node.

6. Click View Role Conditions for the Admin role.

The Edit Global Role page displays (see Figure 28–34).

Figure 28–34 Edit Global Role Page

By default, the Administrators group in Oracle Internet Directory (or other configured identity store) defines who has the administrator role in WebLogic Server.

7. Click Add Conditions to add a different group name.

The Edit Global Role - Predicate List page displays (see Figure 28–35).

Figure 28–35 Edit Global Role Page - Predicate List

8. Select Group from the Predicate List list and click Next.

The Edit Global Role - Arguments page displays (see Figure 28–36).

Figure 28–36 Edit Global Role Page - Arguments

9. Enter the name for the new administrator group and click Add.

10. Select the pre-existing administrator group and click Remove to delete it, leaving the new one you've selected in its place.

11. Click Finish to save your changes.

After making this change, any members of the new group specified are authorized to administer WebLogic Server.

28.6 Configuring the Oracle Content Server to Share the WebCenter Spaces Identity Store LDAP Server

Oracle Content Server (OCS) must be configured to use the same identity store LDAP server as Oracle WebCenter Spaces. For more information on configuring OCS, see Chapter 11, Managing Content Repositories, and also Configuring the LDAP Identity Store Service in the Oracle Fusion Middleware Security Guide.

28.7 Aggregating Multiple Identity Store LDAP Servers Using libOVD

Sites with multiple identity stores can use libOVD to aggregate their user profile information. Two scenarios are covered in the step-by-step configuration instructions below:

■ Users are available in distinct identity stores, with complete user profile information available in the respective identity store.

■ The same user is available in both identity stores, with some attributes in one store and other attributes in the other store.

Note: If you are supporting self-registration with Active Directory, be sure to see the troubleshooting note in Section 27.3.3, Users Cannot Self-Register when WebCenter Spaces Configured with Active Directory.

This section contains the following subsections:

■ Section 28.7.1, Configuring libOVD for Identity Stores with Complete User Profiles

■ Section 28.7.2, Configuring libOVD for Identity Stores with Partial User Profiles

■ Section 28.7.3, Restoring the Single Authenticator

28.7.1 Configuring libOVD for Identity Stores with Complete User Profiles

To configure libOVD where each identity store contains complete user profiles:

1. Create the required authenticators in the WLS Admin Console for the identity stores being configured and restart the WebLogic Admin and Managed Servers for the domain. Alternatively, you can also configure the identity store information in jps-config.xml by hand.

2. Update the identity store service instance in jps-config.xml and add a property virtualize with the value true. You can do this either by editing the jps-config.xml file by hand, or using Fusion Middleware Control.

3. WebCenter lets users self-register, which creates a new user or group in the identity store. Since multiple identity stores are being used, you also need to explicitly specify the user create bases and group create bases in jps-config.xml. This step must be done by directly editing jps-config.xml. The jps-config.xml file should look like the example below after the configuration.

    <serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
      <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"
                name="idstore.config.provider"/>
      <property value="oracle.security.idm.providers.stdldap.JNDIPool"
                name="CONNECTION_POOL_CLASS"/>
      <property value="true" name="virtualize"/>
      <extendedProperty>
        <name>user.create.bases</name>
        <values>
          <value>ou=people,ou=myrealm,dc=wc_domain</value>
        </values>
      </extendedProperty>
      <extendedProperty>
        <name>group.create.bases</name>
        <values>
          <value>ou=groups,ou=myrealm,dc=wc_domain</value>
        </values>
      </extendedProperty>
    </serviceInstance>

Be sure to replace the example values for the user create base (ou=people,ou=myrealm,dc=wc_domain) and the group create base (ou=groups,ou=myrealm,dc=wc_domain) with the actual values for your directory.

28.7.2 Configuring libOVD for Identity Stores with Partial User Profiles

To configure libOVD where each identity store contains only partial user profiles:

1. Create the required authenticators in the WLS Admin Console for the identity stores being configured and restart the WebLogic Admin and Managed Servers for the domain. Alternatively, you can also configure the identity store information in jps-config.xml by hand.

2. Update the identity store service instance in jps-config.xml and add a property virtualize with the value true. You can do this either by editing the jps-config.xml file by hand, or using Fusion Middleware Control.

3. WebCenter lets users self-register, which creates a new user or group in the identity store. Since multiple identity stores are being used, you also need to explicitly specify the user create bases and group create bases in jps-config.xml. This step must be done by directly editing jps-config.xml. The jps-config.xml file should look like the example below after the configuration.

    <serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
      <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"
                name="idstore.config.provider"/>
      <property value="oracle.security.idm.providers.stdldap.JNDIPool"
                name="CONNECTION_POOL_CLASS"/>
      <property value="true" name="virtualize"/>
      <extendedProperty>
        <name>user.create.bases</name>
        <values>
          <value>ou=people,ou=myrealm,dc=wc_domain</value>
        </values>
      </extendedProperty>
      <extendedProperty>
        <name>group.create.bases</name>
        <values>
          <value>ou=groups,ou=myrealm,dc=wc_domain</value>
        </values>
      </extendedProperty>
    </serviceInstance>

In the above example, ou=people,ou=myrealm,dc=wc_domain and ou=groups,ou=myrealm,dc=wc_domain are the user and group create bases respectively. Substitute the actual values while doing the configuration.

4. Run the following OVD WLST commands to configure the Join Adapter for the identity stores. Go to MW_HOME/oracle_common/common/bin and invoke wlst.sh (wlst.cmd on Windows) to bring up the WLST prompt.

Connect to the WebLogic Administration Server and run the following WLST commands:

    createJoinAdapter(adapterName="Join Adapter Name", root="Namespace", primaryAdapter="Primary Adapter Name")
    addJoinRule(adapterName="Join Adapter Name", secondary="Secondary Adapter Name", condition="Join Condition")

If there are more secondary identity stores, then run the addJoinRule command for each secondary identity store.

    modifyLDAPAdapter(adapterName="Authenticator Name", attribute="visible", value="Internal")

Run the above modifyLDAPAdapter command for each identity store that is configured.

Example

In this example, the same user is available in both identity stores with some attributes in one store and some in the other. For this example, AD is the primary store and OID is the secondary store.

Authenticator 1:
    Authenticator Name: AD
    User Base: cn=users,dc=acme,dc=com

Authenticator 2:
    Authenticator Name: OID
    User Base: cn=users,dc=oid,dc=com

Perform steps 1 - 3 above, specifying the user.create.bases and group.create.bases corresponding to the primary adapter's namespace. Then perform the following WLST commands:

    createJoinAdapter(adapterName="JoinAdapter1", root="dc=acme,dc=com", primaryAdapter="AD")
    addJoinRule(adapterName="JoinAdapter1", secondary="OID", condition="uid=cn")

uid=cn is the join condition in the above example, which indicates that if the uid value of a user in the secondary identity store (OID) matches the cn value of the user in the primary identity store (AD), then the attributes of the two entries are combined.

    modifyLDAPAdapter(adapterName="OID", attribute="visible", value="Internal")
    modifyLDAPAdapter(adapterName="AD", attribute="visible", value="Internal")

Restart the WebLogic Administration Server and Managed Servers.
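Added example (not from the guide): a small check, for use before restarting the domain, that the idstore.ldap service instance in jps-config.xml carries virtualize=true and explicit user and group create bases, as steps 2 and 3 of Sections 28.7.1 and 28.7.2 require. It assumes jps-config.xml follows the serviceInstance structure shown above; the embedded sample is constructed from the guide's placeholder DNs.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the idstore.ldap instance shown in Section 28.7;
# the DNs are the guide's placeholders, not values from a real domain.
JPS_CONFIG_SAMPLE = """<jpsConfig>
  <serviceInstances>
    <serviceInstance provider="idstore.ldap.provider" name="idstore.ldap">
      <property value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"
                name="idstore.config.provider"/>
      <property value="oracle.security.idm.providers.stdldap.JNDIPool"
                name="CONNECTION_POOL_CLASS"/>
      <property value="true" name="virtualize"/>
      <extendedProperty>
        <name>user.create.bases</name>
        <values><value>ou=people,ou=myrealm,dc=wc_domain</value></values>
      </extendedProperty>
      <extendedProperty>
        <name>group.create.bases</name>
        <values><value>ou=groups,ou=myrealm,dc=wc_domain</value></values>
      </extendedProperty>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""


def check_idstore(xml_text, instance_name="idstore.ldap"):
    """Return a list of problems found in the identity store service instance.

    Two things are verified: the virtualize property is "true" (libOVD
    aggregation is on) and both create bases carry at least one value, so that
    self-registration knows which aggregated store receives new users/groups.
    """
    root = ET.fromstring(xml_text)
    inst = root.find(".//serviceInstance[@name='%s']" % instance_name)
    if inst is None:
        return ["service instance %r not found" % instance_name]
    problems = []
    props = {p.get("name"): p.get("value") for p in inst.findall("property")}
    if (props.get("virtualize") or "").strip().lower() != "true":
        problems.append("property virtualize is not set to true")
    bases = {}
    for ep in inst.findall("extendedProperty"):
        values = [v.text.strip() for v in ep.findall("values/value") if v.text]
        bases[ep.findtext("name")] = [v for v in values if v]
    for key in ("user.create.bases", "group.create.bases"):
        if not bases.get(key):
            problems.append("%s has no value; self-registration has no target store" % key)
    return problems
```

Run it against the real file with `check_idstore(open(path).read())`; an empty list means the instance passes both checks.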

28.7.3 Restoring the Single Authenticator

You can restore the single authenticator by removing the Join Adapter rule, thereby backing out the configuration done in Section 28.7.2, Configuring libOVD for Identity Stores with Partial User Profiles. To remove the Join Adapter rule, connect to the WebLogic Administration Server and run the following WLST commands:

    deleteAdapter(adapterName="JoinAdapter1")
    modifyLDAPAdapter(adapterName="OID", attribute="Visible", value="Yes")
    modifyLDAPAdapter(adapterName="AD", attribute="Visible", value="Yes")

Restart the WebLogic Administration Server and Managed Servers, and make sure that users from both identity stores are able to log in.

28.8 Configuring the REST Service Identity Asserter

This section describes how to configure an identity asserter for the REST service. For the REST service, including REST service APIs, to be used with WebCenter, an identity asserter must be configured for it in the WebCenter domain identity store. The following sections show how to configure OPSS Trust Service instances and identity asserters for Oracle WebLogic Server.

This section contains the following subsections:

■ Section 28.8.1, Understanding the REST Service Instance and Identity Asserter

■ Section 28.8.2, Setting up the Client Application

■ Section 28.8.3, Configuring the WLS Trust Service Asserter

28.8.1 Understanding the REST Service Instance and Identity Asserter

Although WebCenter Portal applications, and other Oracle WebLogic applications, can use REST APIs to display information the way they need to, since such calls originate from the mid-tier, users will be prompted again to provide login credentials. To overcome this, we use perimeter authentication, where the user identity is propagated in the HTTP header and asserted using the OPSS Trust Service Asserter. In order to successfully propagate user identity from one application to another application, these applications must be using correctly configured Trust Service instances. Figure 28–37 shows the different components involved in the identity propagation and assertion.

Figure 28–37 REST Identity Propagation and Assertion

The following depicts the sequence of events involved in REST identity propagation and assertion:

1. End clients (browsers, smart phone apps) connect to a WebCenter Portal application.

2. The application page queries data from REST APIs and builds its own UI on top, and therefore needs to call the REST end point.

3. The WebCenter Portal application calls the WebCenter Security API WCSecurityUtility.issueTrustServiceSecurityToken to issue the token used for securely propagating the user identity. The token is generated using the Trust Service Embedded Provider. Generated tokens are compressed to optimize token size and then BASE64-encoded to ensure that the token can be safely transported using an HTTP header.

4. The WebCenter Portal application takes the issued token and adds it against the Authorization security header. The client then dispatches the token as part of its call to the REST URI.

5. WebLogic Server checks if the identity asserter exists for the given token type.

6. The identity asserter parses and verifies the token using OPSS Trust Service APIs.

7. The asserter maps the username to a WLS username, a user Subject is established, and the call ends up on the REST application.

8. The REST application recognizes that the user is already an authenticated user and sends a response. The WebCenter Portal application uses the response and shows the page to the end user.

28.8.2 Setting up the Client Application

This section describes how to configure the client for a REST service identity asserter.

To configure the client for a REST service identity asserter:

1. Using JDeveloper, create the client application. The client application could be a JSE or a servlet application. The following example shows the skeleton of a sample client application.

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.net.HttpURLConnection;
    import java.net.URL;

    // The authenticated username
    String user = "weblogic";
    // URL of the target application
    URL url = new URL("http://host:port/destinationApp");
    // -----------------------------------------
    // Issue the Trust Service token that carries the user identity (compressed, BASE64-encoded)
    String b64EncodedToken = WCSecurityUtility.issueTrustServiceSecurityToken();
    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
    connection.setRequestMethod("GET");
    connection.setDoOutput(true);
    connection.setReadTimeout(10000);
    // Propagate the identity in the Authorization header so the asserter can verify it
    connection.setRequestProperty("Authorization", AUTH_TYPE_NAME + " " + b64EncodedToken);
    connection.connect();
    BufferedReader rd = new BufferedReader(new InputStreamReader(connection.getInputStream()));
    StringBuilder sb = new StringBuilder();
    String line = null;
    while ((line = rd.readLine()) != null) {
        sb.append(line);
    }
    connection.disconnect();
    System.out.println(sb.toString());

2. Create and configure the keystore. Create the keystore for the domain and then configure WebLogic Server for the identity asserter. The keystore is first provisioned for a client certificate and private key. The client certificate is then exported and imported into a trust key store.

a. Create the keystore as shown in Section 32.1.2.1, Creating the WebCenter Domain Keystore.