11-2 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle ECM Suite

11.1.2 Credential Store Configuration

A credential store is a repository of security data credentials. A credential can hold user name and password combinations, tickets, or public key certificates. Credentials are used during authentication, when principals are populated in subjects, and, further, during authorization, when determining what actions the subject can perform. This section provides steps to configure Oracle Internet Directory LDAP as a credential store for the Oracle Enterprise Content Management Suite enterprise deployment topology. For more details on credential store configuration, refer to the Configuring the Credential Store chapter in the Oracle Fusion Middleware Security Guide. The following section describe credential store configuration: ■ Section 11.1.2.1, Creating the LDAP Authenticator ■ Section 11.1.2.2, Moving the WebLogic Administrator to LDAP ■ Section 11.1.2.3, Reassociating the Domain Credential Store

11.1.2.1 Creating the LDAP Authenticator

To be safe, before you create the LDAP authenticator, you should first back up the relevant configuration files: ORACLE_BASE admindomain_nameaserverdomain_nameconfigconfig.xml ORACLE_BASE admindomain_nameaserverdomain_nameconfigfmwconfigjps-config.xml ORACLE_BASE admindomain_nameaserverdomain_nameconfigfmwconfig system-jazn-data.xml Also back up the boot properties file for the Administration Server: ORACLE_BASE admindomain_nameaserverdomain_nameserversAdminServersecurity boot.properties Follow these steps to set the proper authenticator: 1. Log in to the WebLogic Server Console.

2. Click the Security Realms link on the left navigational bar.

3. Click the myrealm default realm entry to configure it.

4. Open the Providers tab within the realm.

5. Observe that there is a DefaultAuthenticator provider configured for the realm.

6. Click Lock Edit.

7. Click the New button to add a new provider.

Note: The backend repository for the policy store and the credential store must use the same kind of LDAP server. To preserve this coherence, note that reassociating one store implies reassociating the other one, that is, the reassociation of both the credential and the policy stores is accomplished as a unit using the Fusion Middleware Control or the WLST command reassociateSecurityStore. For more information, see Section 11.1.4, Reassociation of Credentials and Policies. Integration with Oracle Identity Management 11-3

8. Enter a name for the provider such as OIDAuthenticator or OVDAuthenticator

depending on whether Oracle Internet Directory or Oracle Virtual Directory will be used.

9. Select the OracleInternetDirectoryAuthenticator or

OracleVirtualDirectoryAuthenticator type from the list of authenticators depending on whether Oracle Internet Directory or Oracle Virtual Directory will be used.

10. Click OK.

11. In the Providers screen, click the newly created Authenticator.

12. Set the control flag to SUFFICIENT. This indicates that if a user can be

authenticated successfully by this authenticator, then it should accept that authentication and should not continue to invoke any additional authenticators. If the authentication fails, it will fall through to the next authenticator in the chain. Make sure all subsequent authenticators also have their control flag set to SUFFICIENT ; in particular, check the DefaultAuthenticator and set that to SUFFICIENT .

13. Click Save to save this setting.