Configuring the WLS Trust Service Asserter

29-4 Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter

5. Under LDAP Server Details, select Oracle Internet Directory as the LDAP Server Type.

6. In the Host and Port fields, enter the host name and the LDAP port for Oracle Internet Directory.

7. Set the User DN field to cn=orcladmin, and enter the associated password in the Password field.

8. Under LDAP Root Node Details, set the JPS Root DN field to the one you added to the root.ldif file (for example, cn=root_webcenter_abcd99). Be sure to include the cn=.

9. Click OK to begin the reassociation. Restart the WebLogic server when prompted after migration.

29.3 Reassociating the Credential and Policy Store Using WLST

Before reassociating the policy and credential store with Oracle Internet Directory, you must first have created the root node as described in Section 29.1, "Creating a root Node".

1. Start WLST as described in Section 1.13.3.1, "Running Oracle WebLogic Scripting Tool (WLST) Commands".

2. Connect to the Administration Server for the target domain with the following command:

connect(username, password, host_id:port)

where:

■ username is the administrator account name used to access the Administration Server (for example, weblogic)
■ password is the administrator password used to access the Administration Server (for example, weblogic)
■ host_id is the server ID of the Administration Server (for example, example.com)
■ port is the port number of the Administration Server (for example, 7001).

3. Reassociate the policy and credential store using the reassociateSecurityStore command:

reassociateSecurityStore(domain=domain_name, admin=admin_name, password=password, ldapurl=ldap_uri, servertype=ldap_srvr_type, jpsroot=root_webcenter_xxxx)

Where:

■ domain_name specifies the domain name where reassociation takes place.
■ admin_name specifies the administrator's user name on the LDAP server. The format is cn=usrName.
■ password specifies the password associated with the user specified for the argument admin.
■ ldap_uri specifies the URI of the LDAP server. The format is ldap://host:port, if you are using a default port, or ldaps://host:port, if you are using a secure LDAP port. The secure port must have been configured to handle an anonymous SSL connection, and it is distinct from the default non-secure port.
■ ldap_srvr_type specifies the kind of the target LDAP server. Specify OID for Oracle Internet Directory.
■ root_webcenter_xxxx specifies the root node in the target LDAP repository under which all data is migrated. Be sure to include the cn=. The format is cn=nodeName.

All arguments are required.

For example:

reassociateSecurityStore(domain="myDomain", admin="cn=adminName", password="myPass", ldapurl="ldaps://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode")

29.4 Reassociating the Policy and Credential Store with a Database

As well as using an LDAP server, such as OID, for your policy and credential store, you can also reassociate the policy and credential store with an Oracle database.

Prior to reassociating the policy and credential store with a database, you should have:

■ Installed the RCU and the OPSS schema
■ Installed an Oracle database (Oracle RDBMS version 10.2.0.4+, 11.1.0.7+, or 11.2.0.1+)
■ Installed WebLogic Server and SOA
■ Created a domain. For instructions on how to create a new domain, see "Creating a New Domain" in the Oracle Fusion Middleware Installation Guide for Oracle WebCenter.
■ Created a data source. For instructions on how to create a data source, see "Creating a JDBC Data Source" in Oracle Fusion Middleware Configuring and Managing JDBC for Oracle WebLogic Server.

Follow the steps below to configure a database as your policy and credential store:

1. Associate the schema and database connection. For information about how to associate the schema and database connection, see Section 7.1.5, "Creating and Registering the Metadata Service Repository".

2. Migrate the policy and credential store to the database using WLST with the following command:

reassociateSecurityStore(domain="your_domain", datasourcename="your_data_source", servertype="DB_ORACLE", jpsroot="cn=jpsTestNode")

For more information about using the reassociateSecurityStore command, see reassociateSecurityStore in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
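Both forms of reassociateSecurityStore described above (the LDAP form in Section 29.3 and the database form in Section 29.4) fail in ways that are only discovered after the migration has started: a jpsroot or admin value without the cn= prefix, an ldapurl missing the scheme or port, or an ldaps:// URL pointed at the non-SSL listener. The following Python script is an added example, not Oracle's code and not part of this guide; it applies the argument rules the guide states and prints the exact WLST call string, so the arguments can be checked before they are pasted into a WLST session. The well-known LDAP ports (389 plain, 636 SSL) used for the scheme/port mismatch check are standard values, not from this guide, and the single-RDN cn= pattern is an assumption matching the guide's examples.

```python
"""Pre-flight checks for reassociateSecurityStore arguments (added example)."""
import re
from urllib.parse import urlsplit

# Server types this chapter names: OID takes LDAP connection arguments,
# DB_ORACLE takes a data source name instead.
LDAP_SERVER_TYPES = {"OID"}
DB_SERVER_TYPES = {"DB_ORACLE"}

# Standard LDAP ports (not from the guide); used only to flag an obvious
# scheme/port mismatch, since the SSL and non-SSL listeners are distinct.
WELL_KNOWN_PORTS = {"ldap": 389, "ldaps": 636}

# Assumed shape of admin and jpsroot values: a single RDN such as cn=testNode.
SINGLE_CN = re.compile(r"^cn=[^,=]+$")


def check_dn(value, name):
    """Enforce the cn=name form the guide requires for admin and jpsroot."""
    if not SINGLE_CN.match(value or ""):
        raise ValueError("%s must look like cn=name, got %r" % (name, value))
    return value


def check_ldap_url(url):
    """Accept ldap://host:port or ldaps://host:port; return (scheme, host, port)."""
    parts = urlsplit(url or "")
    if parts.scheme not in WELL_KNOWN_PORTS:
        raise ValueError("ldapurl must start with ldap:// or ldaps://, got %r" % url)
    if not parts.hostname or parts.port is None:
        raise ValueError("ldapurl must include a host and an explicit port, got %r" % url)
    other = "ldaps" if parts.scheme == "ldap" else "ldap"
    if parts.port == WELL_KNOWN_PORTS[other]:
        raise ValueError("%s:// on port %d looks like the %s listener; the secure and "
                         "non-secure ports are distinct" % (parts.scheme, parts.port, other))
    return parts.scheme, parts.hostname, parts.port


def quote(value):
    """Render a value as a double-quoted WLST (Jython) string literal."""
    return '"%s"' % str(value).replace("\\", "\\\\").replace('"', '\\"')


def build_reassociate_command(domain, servertype, jpsroot, admin=None,
                              password=None, ldapurl=None, datasourcename=None):
    """Validate the arguments and return the reassociateSecurityStore(...) call."""
    if not domain:
        raise ValueError("domain is required")
    args = [("domain", domain)]
    if servertype in LDAP_SERVER_TYPES:
        missing = [n for n, v in (("admin", admin), ("password", password),
                                  ("ldapurl", ldapurl)) if not v]
        if missing:
            raise ValueError("LDAP reassociation requires: " + ", ".join(missing))
        check_dn(admin, "admin")
        check_ldap_url(ldapurl)
        args += [("admin", admin), ("password", password), ("ldapurl", ldapurl)]
    elif servertype in DB_SERVER_TYPES:
        if not datasourcename:
            raise ValueError("database reassociation requires datasourcename")
        args.append(("datasourcename", datasourcename))
    else:
        raise ValueError("servertype must be one of %s"
                         % sorted(LDAP_SERVER_TYPES | DB_SERVER_TYPES))
    args += [("servertype", servertype), ("jpsroot", check_dn(jpsroot, "jpsroot"))]
    return "reassociateSecurityStore(%s)" % ", ".join(
        "%s=%s" % (k, quote(v)) for k, v in args)


def validation_error(**kwargs):
    """Return the validation message for a bad argument set, or None if it passes."""
    try:
        build_reassociate_command(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The guide's own LDAP and database examples, rendered as WLST calls.
    print(build_reassociate_command(domain="myDomain", servertype="OID",
                                    jpsroot="cn=testNode", admin="cn=adminName",
                                    password="myPass",
                                    ldapurl="ldaps://myhost.example.com:3060"))
    print(build_reassociate_command(domain="your_domain", servertype="DB_ORACLE",
                                    jpsroot="cn=jpsTestNode",
                                    datasourcename="your_data_source"))
    # A jpsroot without the cn= prefix is the mistake the guide warns about twice.
    print(validation_error(domain="myDomain", servertype="OID", jpsroot="testNode",
                           admin="cn=adminName", password="x",
                           ldapurl="ldap://myhost.example.com:3060"))
```

The script only builds the command string; it does not connect to WLST or to the directory, so it can be run anywhere. Copy its output into the WLST session after connect().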

29.5 Managing Credentials

Administrators can manage credentials for the WebCenter domain credential store using Fusion Middleware Control and WLST commands. For more information, see "Managing Credentials" in the Oracle Fusion Middleware Security Guide.

29.6 Configuring Self-Registration By Invitation in WebCenter Spaces

WebCenter Spaces supports self-registration by invitation, as described in "Enabling Self-Registration By Invitation-Only" in the Oracle Fusion Middleware User's Guide for Oracle WebCenter. The self-registration by-invitation feature requires that the WebCenter domain credential store contain the following password credentials:

■ map name = o.webcenter.security.selfreg
■ key = o.webcenter.security.selfreg.hmackey
■ user name = o.webcenter.security.selfreg.hmackey

To enable self-registration by invitation in WebCenter Spaces, use Fusion Middleware Control or the WLST command createCred to create the password credentials detailed above. For example:

createCred(map="o.webcenter.security.selfreg", key="o.webcenter.security.selfreg.hmackey", type="PC", user="o.webcenter.security.selfreg.hmackey", password="password", url="url", port="port", [desc="description"])

For more information, see "Managing Credentials" in the Oracle Fusion Middleware Security Guide.

30 Configuring Single Sign-on

This chapter describes the available single sign-on (SSO) solutions for your WebCenter Portal application to use, and how each is configured. This chapter includes the following sections:

■ Section 30.1, "Introduction to Single Sign-on"
■ Section 30.2, "Configuring Oracle Access Manager (OAM)"
■ Section 30.3, "Configuring Oracle Single Sign-On (OSSO)"
■ Section 30.4, "Configuring SAML-based Single Sign-on"
■ Section 30.5, "Configuring SSO for Microsoft Clients"
■ Section 30.6, "Configuring SSO with Virtual Hosts"

Audience

The content of this chapter is intended for Fusion Middleware administrators (users granted the Admin role through the Oracle WebLogic Server Administration Console). Users with the Monitor or Operator roles can view security information but cannot make changes. See also Section 1.8, "Understanding Administrative Operations, Roles, and Tools".

30.1 Introduction to Single Sign-on

Single sign-on can be implemented for WebCenter applications using several solutions. This section describes their benefits and recommended application.

Oracle Access Manager (OAM), part of Oracle's enterprise-class suite of products for identity management and security, provides a wide range of identity administration and security functions, including several single sign-on options for WebCenter Spaces and WebCenter Portal applications. OAM (in particular, OAM 11g) is the recommended single sign-on solution for Oracle WebCenter 11g installations.

For deployment environments that are already invested in Oracle 10g infrastructure, and where the Oracle Application Server Single Sign-On (OSSO) server is used as the primary SSO solution, WebCenter 11g can also be configured to use OSSO for single sign-on.

For non-production, development environments where you do not have an enterprise-class single sign-on infrastructure like Oracle Access Manager or Oracle SSO, and you only need to provide a single sign-on capability within WebCenter Spaces and its associated Web applications like Discussions and Worklist, you can configure a SAML-based SSO solution. If you need to provide single sign-on for other enterprise applications as well, this solution is not recommended.