Reassociating the Identity Store with Oracle Internet Directory

Configuring Oracle Enterprise Content Management Suite 4-27

2. In the Certificate Import Wizard, explicitly select a certificate store for Trusted Root Certification Authorities. The root certificate must be trusted on all client computers that will access the server. On a Windows operating system, install the certificate under Trusted Root Certification Authorities in Internet Explorer.

4.9 Reassociating the Identity Store with an External LDAP Authentication Provider

In a production system, Oracle Enterprise Content Management Suite applications need to use an external Lightweight Directory Access Protocol (LDAP) authentication provider rather than the Oracle WebLogic Server embedded LDAP server, which is part of the default configuration. You need to reassociate the identity store for your application with one of the following external LDAP authentication providers before you complete the configuration of a Managed Server, before you connect a Managed Server to a repository, and before the first user logs in to the application:

■ Oracle Internet Directory
■ Oracle Virtual Directory
■ Third-party LDAP server

For an Oracle IPM application, the user who logs in first to an Oracle IPM Managed Server is provisioned with full security throughout the server. It is easier to reassociate the identity store for Oracle IPM with an external LDAP authentication provider before the first user logs in, completes the configuration of the Oracle IPM Managed Server, and connects it to the Oracle Universal Content Management (Oracle UCM) repository.

For an Oracle IRM application, the Oracle IRM domain, which is different from the Oracle WebLogic Server domain, gets created the first time a user logs in to the Oracle IRM Management Console. The first user who logs in to the console is made the Domain Administrator for the Oracle IRM instance. Before you migrate user data for Oracle IRM, the users need to be in the target LDAP identity store.

If you do not reassociate the identity store with an external LDAP authentication provider before the first user logs in to the Oracle IRM console, the general process for reassociating Oracle IRM users and migrating data is as follows:

1. Back up existing data with the setIRMExportFolder script.
2. Reassociate the identity store with an external LDAP directory.
3. Verify that all users and groups exist in the target LDAP identity store.
4. Migrate data with the setIRMImportFolder script.

4.9.1 Reassociating the Identity Store with Oracle Internet Directory

You can reassociate the identity store for an Oracle WebLogic Server domain with Oracle Internet Directory and migrate users from the embedded LDAP directory to Oracle Internet Directory. The following procedure describes how to reassociate the identity store with Oracle Internet Directory. You can use a similar procedure to reassociate the identity store with other LDAP authentication providers. Each provider has a specific authenticator type, and only that type should be configured. Table 4–5 lists the available authenticator types.

Table 4–5 LDAP Authenticator Types

LDAP Authentication Provider                  Authenticator Type
Microsoft AD                                  ActiveDirectoryAuthenticator
SunOne LDAP                                   IPlanetAuthenticator
Directory Server Enterprise Edition (DSEE)    IPlanetAuthenticator
Oracle Internet Directory                     OracleInternetDirectoryAuthenticator
Oracle Virtual Directory                      OracleVirtualDirectoryAuthenticator
EDIRECTORY                                    NovellAuthenticator
OpenLDAP                                      OpenLDAPAuthenticator
EmbeddedLDAP                                  DefaultAuthenticator

To reassociate the identity store with Oracle Internet Directory:

1. Ensure that there is no user in Oracle Internet Directory with the same name as the administrator of the Oracle WebLogic Server domain, which is weblogic by default.

2. Set both embedded and external LDAP providers to SUFFICIENT.

3. For Oracle IRM, log in to the management console as a user from Oracle Internet Directory, to be the Oracle IRM domain administrator. Do not log in to the management console with the user name of the Oracle WebLogic Server domain administrator. The Oracle recommendation is to not use the weblogic user account as the Oracle IRM administration user account. If you use a different account for the Oracle IRM domain administrator, you can use the Oracle WebLogic Server domain administrator, weblogic by default, to start and stop Oracle WebLogic Server as well as to alter server settings. If you have a problem with Oracle Internet Directory, you will not need to fix it before you can do maintenance on Oracle WebLogic Server.

4. For an Oracle IRM Managed Server, if a user has already logged in to the Oracle IRM Management Console, you need to run the WebLogic Scripting Tool (WLST) setIRMExportFolder command before identity store reassociation. Use this command to set an export folder for exporting the user and group details referenced by Oracle IRM.

Oracle IRM uses the export folder path to decide where to write out the user and group details, so the Managed Server must have write access to the folder path. The export folder must exist before you run the setIRMExportFolder command. The following example sets /scratch/irm-data as the export folder:

cd ECM_ORACLE_HOME/common/bin
./wlst.sh
connect('weblogic', 'password', 't3://adminServerHost:adminServerPort')
setIRMExportFolder('/scratch/irm-data')

In the example, adminServerHost is the host name and adminServerPort is the port number for the Administration Server of the Oracle WebLogic Server domain.

After the Oracle IRM Managed Server picks up this configuration change, normally right away, it will write out a series of XML documents in the export folder. This process is complete when a folder named accounts appears under the export folder. The accounts folder will contain one or more folders named batchXXX, with each batch folder containing a set of XML documents that include the user and group details. For example:

/scratch
    irm-data
        accounts
            batch1
                user1.xml
                user2.xml
                group1.xml

The batch folders are used to ensure that the operating system limit of the maximum number of files in a folder is not exceeded.

After this process is complete, reset the export folder:

setIRMExportFolder('')

This reset ensures that Oracle IRM does not perform any further data exporting when the Managed Server restarts.

5. Configure the Oracle Internet Directory authentication provider:

a. Start the Administration Server for your Oracle WebLogic Server domain, as described in Section 10.1, "Starting the Administration Server."

b. Log in to the Oracle WebLogic Server Administration Console as the domain Administration user, at this URL:

http://adminServerHost:adminServerPort/console

For adminServerHost, specify the name of the computer that hosts the Administration Server for your domain. For adminServerPort, specify the listen port number for the Administration Server. The default number is 7001. For example:

http://myHost.example.com:7001/console

To log in, supply the user name and password that were specified on the Configure Administrator User Name and Password screen in the configuration wizard.

c. Under Domain Structure on the left, select Security Realms.
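The export-folder step (step 4 above) and the later check that every exported user and group exists in the target LDAP store (step 3 of the migration process) lend themselves to a small script. The following Python code is an added example, not Oracle's code or part of WLST: it assumes only the layout the guide shows (accounts/batchXXX/*.xml under the export folder) and, for the cross-check, that each XML file's name stem is the exported user or group name (an assumption; the real details are inside the XML documents), and it builds a constructed sample tree so it runs offline.

```python
"""Added example, not Oracle's code: checks around setIRMExportFolder.
Assumes the guide's layout <export>/accounts/batchXXX/*.xml and that the
XML file stem is the user/group name (assumption; details are inside)."""
import os
import re
import tempfile

BATCH_RE = re.compile(r"^batch\d+$")

def export_folder_ready(path):
    """Step 4 prerequisite: folder exists and is writable by the account the
    Managed Server runs as (run this check as that account)."""
    return os.path.isdir(path) and os.access(path, os.W_OK)

def inventory_export(path):
    """Summarise an export tree; 'complete' turns True once accounts/ exists."""
    accounts = os.path.join(path, "accounts")
    result = {"complete": False, "batches": 0, "names": [], "unexpected": []}
    if not os.path.isdir(accounts):
        return result
    result["complete"] = True
    for batch in sorted(os.listdir(accounts)):
        bdir = os.path.join(accounts, batch)
        if not (BATCH_RE.match(batch) and os.path.isdir(bdir)):
            result["unexpected"].append(batch)  # not a batchXXX folder
            continue
        result["batches"] += 1
        for name in sorted(os.listdir(bdir)):
            stem, ext = os.path.splitext(name)
            if ext == ".xml":
                result["names"].append(stem)
            else:
                result["unexpected"].append(batch + "/" + name)
    return result

def missing_in_target(inventory, target_names):
    """Step 3 of the migration: exported names absent from the target LDAP
    store; run setIRMImportFolder only when this list is empty."""
    return sorted(set(inventory["names"]) - set(target_names))

def build_sample_export(complete=True):
    """Constructed tree mirroring the guide's /scratch/irm-data example."""
    root = tempfile.mkdtemp(prefix="irm-data-")
    if complete:
        batch = os.path.join(root, "accounts", "batch1")
        os.makedirs(batch)
        for name in ("user1.xml", "user2.xml", "group1.xml"):
            open(os.path.join(batch, name), "w").close()
    return root
```

Run export_folder_ready before issuing setIRMExportFolder, and inventory_export after the Managed Server has picked up the change; an export tree with "unexpected" entries or an empty "names" list is worth a closer look before reassociating.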