
12-4 Oracle Fusion Middleware Developers Guide for Oracle Universal Content Management

12.3 Installation and Configuration

The Oracle UCM web services are installed and ready to use by default with the Oracle UCM EAR. However, unless you configure WS-Security on any of the Oracle UCM web services, all connections to Oracle Content Server will use the “anonymous” user. Additional configuration is required to enable authentication.

12.4 Security

The following subsections describe how to configure security for Oracle UCM web services.

■ Section 12.4.1, "Configuring WS-Security through WS-Policy"
■ Section 12.4.2, "Configuring SAML Support"

12.4.1 Configuring WS-Security through WS-Policy

Web service security (WS-Security) is set through the use of web service policies (WS-Policy). Security policies can be set on web services in order to define their security protocol. In particular, the Oracle UCM web services support OWSM policies. Two general classes of policies are supported: username-token and SAML. The following is a list of supported OWSM policies:

■ oracle/wss11_saml_token_with_message_protection_service_policy
■ oracle/wss11_username_token_with_message_protection_service_policy

To set WS-Policy:

1. Access the Oracle WebLogic Server Administration Console.

2. Select Deployments from the side panel, then expand either the Oracle UCM native web services or the Oracle UCM generic web services.

3. Select IdcWebLogicService or GenericSoapService, then click the Configuration tab, and then click the WS-Policy tab.

4. Click the main service. From here you can choose which OWSM policies to add.

5. When you have finished adding OWSM policies, you must update the Oracle UCM native web services or the Oracle UCM generic web services.

12.4.2 Configuring SAML Support

To provide SAML support so that the client can be the identity provider (that is, assert credentials), additional steps must be taken to configure a keystore, configure a JPS provider to use the keystore, create a client credential store (CSF), and configure a Java client to use the keystore and CSF.

12.4.2.1 Configuring a Keystore

Both the server and client need a copy of a keystore. The server uses the keystore to authenticate the credentials passed by the client. A self-signed certificate can work for this situation, because the keystore is used only as a shared secret.

You can use the keytool utility to generate a self-signed certificate. Many of the values used in the following example are the defaults for the domain's config/fmwconfig/jps-config.xml file, explained in the next section:

    keytool -genkey -alias orakey -keyalg RSA -keystore default-keystore.jks -keypass welcome -storepass welcome

Any relevant data can be entered in the keytool command, but the specifics do not matter except for the passwords for the keystore and the certificate, which the client uses.

12.4.2.2 Configuring Server JPS to Use the Keystore

Configuring the keystore on the Oracle WebLogic Server domain involves editing the domain/config/fmwconfig/jps-config.xml file. A provider must be defined in serviceProviders. A provider should be defined by default:

    <serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
        <description>PKI Based Keystore Provider</description>
        <property name="provider.property.name" value="owsm"/>
    </serviceProvider>

When you have verified the provider, or created or modified a provider, a keystore instance must be defined in serviceInstances. A keystore instance should be defined by default:

    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
        <description>Default JPS Keystore Service</description>
        <property name="keystore.type" value="JKS"/>
        <property name="keystore.csf.map" value="oracle.wsm.security"/>
        <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
        <property name="keystore.sig.csf.key" value="sign-csf-key"/>
        <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>

The location of the keystore instance must be set to the same location as when you created the keystore.

Additionally, the keystore must be added to jpsContexts. This setting should be in the jps-config.xml file by default:

    <jpsContext name="default">
        <serviceInstanceRef ref="credstore"/>
        <serviceInstanceRef ref="keystore"/>
        <serviceInstanceRef ref="policystore.xml"/>
        <serviceInstanceRef ref="audit"/>
        <serviceInstanceRef ref="idstore.ldap"/>
    </jpsContext>

12.4.2.3 Creating a Client CSF