
3-2 Oracle Fusion Middleware Setup Guide for Universal Records Management

3.1 Fusion Middleware Security Considerations

This section describes how to configure your Fusion Middleware product to handle authentication and authorization, and other aspects of application security.

3.1.1 Oracle UCM Security Considerations

Oracle UCM uses the Oracle WebLogic Server user store to manage user names and passwords, so most user management tasks must be performed with the Oracle WebLogic Server user management tools instead of Oracle UCM’s User Admin applet. User logins must be created on Oracle WebLogic Server, and the default Oracle WebLogic Server users should not be used for Oracle URM.

Oracle UCM and workflow services use Java Platform Security (JPS) and the User and Role API. Oracle Internet Directory stores user and group information.

When Oracle UCM uses Oracle Internet Directory, the Oracle Internet Directory Authentication provider must be the first provider listed in the security realm configuration. If the Oracle Internet Directory Authentication provider is not listed first (for example, if it is listed below the Oracle WebLogic Server provider, DefaultAuthenticator), login authentication fails. You can use the Oracle WebLogic Server Administration Console to change the order in which the configured Authentication providers are called.

When you use Oracle Internet Directory, all Oracle UCM administrator and other users must be defined in Oracle Internet Directory. Oracle UCM assigns an administrator role to users defined in the internal Oracle WebLogic Server user store, regardless of whether Oracle Internet Directory is used. However, if you use Oracle Internet Directory and the OID Authentication provider is not listed first, any request by Oracle UCM to retrieve the roles of the administrative users defined in Oracle WebLogic Server will fail.

See "Managing Security and User Access" in the Oracle Fusion Middleware System Administrator's Guide for Content Server for more details about security and user accounts. See the Oracle Fusion Middleware Application Security Guide and Oracle Fusion Middleware Securing Oracle WebLogic Server for details about LDAP providers.

3.1.2 Oracle URM-WNA Redeployment

Permissions: Specific permissions are required to perform the tasks described here. For details about the required permissions, see the tasks outlined in later chapters of this manual. In general, users with the Record Administrator role should be able to perform the majority of these tasks. For details about rights and roles, see Chapter 5, "Setting Up Security".

For Windows Native Authentication through Kerberos to work with Oracle URM, you must redeploy Oracle URM. First create and save an .xml file for the Oracle URM domain type that includes the following information. Save the file as urm.xml:

<?xml version="1.0" encoding="UTF-8"?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd"
    global-variables="false">
  <application-name>urm.ear</application-name>
  <variable-definition>
    <variable>
      <name>url-pattern</name>
      <value></value>
    </variable>
    <variable>
      <name>http-only</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>urm.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>web-app</root-element>
      <uri>WEB-INF/web.xml</uri>
      <variable-assignment>
        <name>url-pattern</name>
        <xpath>/web-app/security-constraint/[display-name="UCMConstraint"]/web-resource-collection/[web-resource-name="idcauth"]/url-pattern</xpath>
        <operation>replace</operation>
      </variable-assignment>
    </module-descriptor>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>http-only</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>

1. As administrator, log in to the Oracle WebLogic Server Administration Console.

2. Click Deployments in the Domain Structure navigation tree.

3. Click the Control tab, then Next until you see the Oracle Universal Records Management deployment.

4. Select the checkbox to the left of that deployment.

5. Click Update.

6. Under the Deployment Plan Path, select Change Path.

7. Navigate to and select the urm.xml file just created.

8. Verify that Redeploy this application using the following deployment files is selected.

9. Click Next.

10. Click Finish.
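Before redeploying with a plan like urm.xml, an administrator will want to see exactly which web.xml and weblogic.xml settings it overrides. The following is an added example, not part of the Oracle guide: it parses the deployment plan shown above (embedded inline, with the namespace declarations reduced to the default namespace) and resolves every variable assignment to the value WebLogic will write, including the cookie-http-only setting.

```python
# Added example (not from the Oracle guide): resolve what a WebLogic deployment
# plan such as urm.xml will write into web.xml / weblogic.xml, so its overrides
# (empty idcauth url-pattern, cookie-http-only false) can be reviewed first.
import xml.etree.ElementTree as ET

NS = {"dp": "http://xmlns.oracle.com/weblogic/deployment-plan"}
# The urm.xml plan from this section, embedded so the script runs offline.
URM_PLAN = """<?xml version="1.0" encoding="UTF-8"?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" global-variables="false">
  <application-name>urm.ear</application-name>
  <variable-definition>
    <variable><name>url-pattern</name><value></value></variable>
    <variable><name>http-only</name><value>false</value></variable>
  </variable-definition>
  <module-override>
    <module-name>urm.war</module-name><module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>web-app</root-element><uri>WEB-INF/web.xml</uri>
      <variable-assignment><name>url-pattern</name>
        <xpath>/web-app/security-constraint/[display-name="UCMConstraint"]/web-resource-collection/[web-resource-name="idcauth"]/url-pattern</xpath>
        <operation>replace</operation></variable-assignment>
    </module-descriptor>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element><uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment><name>http-only</name><xpath>/weblogic-web-app/session-descriptor/cookie-http-only</xpath></variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>"""

def resolve_overrides(plan_xml):
    """Return (descriptor uri, xpath, operation, value) for every assignment.
    Names are joined to <variable-definition>; an undefined name yields None."""
    root = ET.fromstring(plan_xml)
    values = {v.findtext("dp:name", namespaces=NS): v.findtext("dp:value", default="", namespaces=NS)
              for v in root.findall("dp:variable-definition/dp:variable", NS)}
    overrides = []
    for desc in root.findall("dp:module-override/dp:module-descriptor", NS):
        uri = desc.findtext("dp:uri", namespaces=NS)
        for a in desc.findall("dp:variable-assignment", NS):
            # WebLogic applies "replace" when <operation> is omitted.
            op = a.findtext("dp:operation", default="replace", namespaces=NS)
            overrides.append((uri, a.findtext("dp:xpath", namespaces=NS), op,
                              values.get(a.findtext("dp:name", namespaces=NS))))
    return overrides

def cookie_http_only(plan_xml):
    """Value the plan writes to cookie-http-only, or None if it leaves it alone."""
    return next((v for _u, xp, _o, v in resolve_overrides(plan_xml)
                 if xp.endswith("/session-descriptor/cookie-http-only")), None)
```

Running resolve_overrides on a plan received from another team shows whether it touches anything beyond the two settings this procedure requires.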


3.1.3 Configuration for External LDAP Authentication Provider