In the left pane of the console, click Security Realms. On the Summary of Security Realms page, click myrealm under the Realms table.

Integration with Oracle Identity Management 11-5

    mail: weblogic_ecm
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    uid: weblogic_ecm
    cn: weblogic_ecm
    description: Admin User for the ECM Domain

2. Run the ldapadd command located under the ORACLE_HOME/bin directory to provision the user in Oracle Internet Directory. For example (the command is shown as two lines in the example below for readability purposes, but you should enter the command on a single line):

    OIDHOST1> ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn=orcladmin
    -w welcome1 -c -v -f admin_user.ldif

3. Create an ldif file named admin_group.ldif with the contents shown below and then save the file:

    dn: cn=ECM Administrators, cn=Groups, dc=us, dc=mycompany, dc=com
    displayname: ECM Administrators
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: orclGroup
    uniquemember: cn=weblogic_ecm, cn=users, dc=us, dc=mycompany, dc=com
    cn: ECM Administrators
    description: Administrators Group for the ECM Domain

4. Run the ldapadd command located under the ORACLE_HOME/bin directory to provision the group in Oracle Internet Directory (the command is shown as two lines in the example below for readability purposes, but you should enter the command on a single line):

    OIDHOST1> ORACLE_HOME/bin/ldapadd -h oid.mycompany.com -p 389 -D cn=orcladmin
    -w welcome1 -c -v -f admin_group.ldif

11.1.2.2.2 Assigning the Admin Role to the Admin Group

After adding the users and groups to Oracle Internet Directory, the group must be assigned the Admin role within the WebLogic domain security realm. This enables all users that belong to the group to be administrators for that domain. Follow these steps to assign the Admin role to the Admin group:

1. Log in to the WebLogic Administration Server Console.

2. In the left pane of the console, click Security Realms.

3. On the Summary of Security Realms page, click myrealm under the Realms table.

4. On the Settings page for myrealm, click the Roles & Policies tab.

Note: The ORACLE_HOME used here is the ORACLE_HOME for the Identity Management installation where Oracle Internet Directory resides.

11-6 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle ECM Suite

5. On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click on the Roles link to bring up the Global Roles page.

6. On the Global Roles page, click the Admin role to bring up the Edit Global Role page:

a. On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.

b. On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.

c. On the Edit Arguments Page, specify ECM Administrators in the Group Argument field and click Add.

7. Click Finish to return to the Edit Global Role page.

8. The Role Conditions table now shows the ECM Administrators Group as an entry.

9. Click Save to finish adding the Admin Role to the ECM Administrators Group.

10. Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_ecm user.

11.1.2.2.3 Updating the boot.properties File and Restarting the System

The boot.properties file for the Administration Server should be updated with the WebLogic admin user created in Oracle Internet Directory. Follow the steps below to update the boot.properties file:

1. On SOAHOST1, go to the following directory:

    SOAHOST1> cd ORACLE_BASE/admin/domain_name/aserver/domain_name/servers/AdminServer/security

2. Rename the existing boot.properties file:

    SOAHOST1> mv boot.properties boot.properties.backup

3. Use a text editor to create a file called boot.properties under the security directory. Enter the following lines in the file:

    username=weblogic_ecm
    password=welcome1

Note: Each Oracle application in the Oracle ECM enterprise deployment topology may have its own predefined roles and groups defined for administration and monitoring purposes. By default, the Administrators group will allow these operations. However, this group may be too broad. For example, it may be undesirable that SOA administrators are also administrators for the Oracle WebLogic Server domain where Oracle SOA, IPM and UCM are running. This is why it may be desirable, as suggested in this section, to create a more specific group such as ECM Administrators. In order for the various applications to allow the ECM Administrators group to administer the different systems, you need to add the required roles to that group. For example, for SOA Worklistapps administration, add the SOAAdmin role. Refer to each component's specific roles for the required roles in each case.
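Added example (not from the Oracle guide): steps 2 and 3 of the boot.properties procedure as POSIX shell functions that take the password on standard input, create the file owner-only, and check afterwards whether the stored values are still cleartext. The function names are hypothetical, and the cleartext check assumes that values the server has encrypted begin with a scheme tag such as {AES}.

```shell
#!/bin/sh
# Added example, not from the Oracle guide; function names are hypothetical.

# write_boot_properties SECURITY_DIR USERNAME   (password on standard input)
# Reading the password from stdin keeps it out of argv, the process list
# and shell history.
write_boot_properties() {
    sec_dir=$1 user=$2
    [ -d "$sec_dir" ] || { echo "no such directory: $sec_dir" >&2; return 1; }
    IFS= read -r pass || true
    [ -n "$pass" ] || { echo "empty password on stdin" >&2; return 1; }
    (
        umask 077                      # files created below are owner-only
        cd "$sec_dir" || exit 1
        if [ -f boot.properties ]; then
            # Step 2: keep the old file, but never clobber an earlier backup.
            if [ -e boot.properties.backup ]; then
                echo "boot.properties.backup already exists" >&2; exit 1
            fi
            mv boot.properties boot.properties.backup
            chmod 600 boot.properties.backup
        fi
        # Step 3: the two lines the guide specifies.
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > boot.properties
    )
}

# boot_properties_is_private FILE
# Succeeds only if FILE grants no permissions to group or others.
boot_properties_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# boot_properties_has_cleartext FILE
# Succeeds if a username/password value lacks a {SCHEME} prefix, i.e. the
# server has not yet rewritten it in encrypted form (assumed tag format).
boot_properties_has_cleartext() {
    grep -E '^(username|password)=' "$1" |
        grep -Ev '^[a-z]+=\{[A-Z0-9]+\}' >/dev/null
}

# Usage (constructed path):
#   write_boot_properties /path/to/AdminServer/security weblogic_ecm
```

Run boot_properties_has_cleartext against the file after the Administration Server restart; a success result at that point means the credentials are still readable on disk.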