
Oracle Fusion Middleware System Administrator's Guide for Oracle Content Server

■ Security can be customized for user access and search results by using the Need to Know component. This component enables you to further configure user access restrictions, modify the display of search results, alter search behavior, and set up hit list roles. To use this component, you must install and enable it. For more information, see Appendix B, Need to Know Component.

Be aware that Internet Explorer 7 supplies the following message to users logging in with basic authentication without a secure connection:

Warning: This server is requesting that your username and password be sent in an insecure manner

The behavior (sending user name and password in text) is not new for basic authentication and does not cause problems.
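The browser warning above refers to the fact that basic authentication only base64-encodes the credentials, so without a secure connection they are readable in transit. The following is an added example, not code from the Oracle guide: it audits request records for Basic credentials sent without HTTPS. The function name, the record layout, and the sample requests are all constructed for illustration.

```python
import base64
import binascii


def audit_basic_auth(scheme, headers):
    """Return a finding for one request, or None if it carries no Basic credentials."""
    # Header names are case-insensitive, so match them that way.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    kind, _, token = value.strip().partition(" ")
    if kind.lower() != "basic":
        return None  # Bearer, Negotiate, etc. are out of scope here
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"exposed": False, "user": None, "note": "malformed Basic token"}
    user, sep, _password = decoded.partition(":")
    if not sep:
        return {"exposed": False, "user": None, "note": "malformed Basic token"}
    # base64 is an encoding, not encryption: anyone who can read the
    # request can recover user and password unless the transport is TLS.
    exposed = scheme.lower() != "https"
    note = "credentials readable in transit" if exposed else "protected by TLS"
    return {"exposed": exposed, "user": user, "note": note}


def _basic(user, password):
    """Build an Authorization header value the way a browser would."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample requests: (scheme, headers)
SAMPLE_REQUESTS = [
    ("http", {"Authorization": _basic("jdoe", "example-password")}),
    ("https", {"authorization": _basic("jdoe", "example-password")}),
    ("http", {"Authorization": "Bearer constructed-token"}),
    ("http", {"Authorization": "Basic !!!not-base64"}),
]

if __name__ == "__main__":
    for scheme, headers in SAMPLE_REQUESTS:
        print(scheme, audit_basic_auth(scheme, headers))
```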

5.1.3 Additional Security Options

The Oracle Content Server system can combine authentication methods. For example, you can define some users with the Oracle WebLogic Server Administration Console, allow some users to log in using their Microsoft domain identity, and grant other users access to the Oracle Content Server instance based on their external Lightweight Directory Access Protocol (LDAP) credentials. However, authentication is configured through Oracle WebLogic Server, so the combination of methods is limited. Users can authenticate against multiple authentication stores, but because of the Oracle Platform Security Services (OPSS) and Oracle WebLogic Server integration, only one of the configured user stores can be used to extract authorization (group) information.

The following options can be used to provide additional security:

■ Security can be customized to support encrypted socket communication and authentication by using the SecurityProviders component, which is installed (enabled) by default with the Oracle Content Server system. This component enables a Secure Sockets Layer (SSL) provider, which can be configured to use certificates for socket or server authentication.

If you use SSL and HTTPS to connect to Oracle UCM, and are unable to connect through WebDAV, try connecting to the Oracle Content Server instance through the browser using the same URL you used in your WebDAV connection string. This lets you see if there is a problem with the certificate, which is used to encrypt communications. If you get a dialog box stating a problem with the certificate, resolve the issue and then try to connect through WebDAV again.

■ For users to access the Oracle Content Server instance using different web server front ends, when one server front end is HTTPS and the other is HTTP, you can customize the Oracle Content Server configuration using the BrowserUrlPath component. This component is installed (disabled) by default with the Oracle Content Server system and supports a web server front end using HTTPS and a load balancer that forwards itself as the HTTP Host header. If you only use one access method (only HTTPS, or only HTTP), or you are not using a load balancer that blocks the Host parameter from the browser, then this component is unnecessary. For more information, see Section 5.9.2, Browser URL Customization.

■ Extended security attributes can be assigned to external users or to users for a specific application. The extended attributes are merged into pre-existing user attributes and enable additional flexibility in managing users. For more information, see Section 5.9.3, Extended User Attributes.

■ The Oracle Content Server instance can be customized to filter data input for illegal or corruptive HTML constructs. For more information, see Section 5.9.4, Filter Data Input.

In all environments, a comprehensive understanding of your organization's security needs and a thorough planning phase are crucial to a successful security integration.

5.2 Oracle Fusion Middleware Security Configuration for Oracle UCM