5 Replies Latest reply: May 22, 2009 10:34 AM by hbuelow

Documentation for configuring the identity service?

128719 Newbie
Is there beta documentation for configuring the identity service underneath SOA Suite/HWS that can be made available?



19.6 Configuring the Identity Service

Author's Comment: This section is being written by John Jerney and reviewed by appropriate SMEs separately. This section will be placed into this guide soon when it has been finalized.
  • 1. Re: Documentation for configuring the identity service?
    hbuelow Explorer
    What book is this? I can't find this chapter.

    Heidi.
  • 2. Re: Documentation for configuring the identity service?
    128719 Newbie
    Oracle® Fusion Middleware Administrator's Guide for Oracle SOA Suite
    11g Release 1 (11.1.1)
    Part Number E10226-01
  • 3. Re: Documentation for configuring the identity service?
    hbuelow Explorer
    Oh, the Admin guide! Here is what I found (sorry the pictures didn't come over):


    18.1 Configuring Human Workflow Notification Properties

    You can configure human workflow notification properties, such as setting the notification mode for messages and setting actionable addresses. These properties are used to notify users of changes to the state of a task. Workflow notifications can use three types of addresses:

    * From address: For sending notifications.
    * Actionable address: For receiving actionable responses.
    * Reply to address: For receiving reply notifications.

    Note:
    In the following procedures, you must configure your channel drivers before configuring your workflow notification properties. Ensure that you know all necessary driver addresses before beginning (for example, the incoming IMAP and outgoing SMTP e-mail servers).

    To configure human workflow notification properties:

    1. Access this page through one of the following options:

       * From the SOA Infrastructure Menu: Select SOA Administration > Workflow Notification Properties.
       * From the SOA Folder in the Navigator: Right-click soa-infra, then select SOA Administration > Workflow Notification Properties.

       The Workflow Notification Properties page appears (illustration soaadmin_hwf_notifprops.gif not included).

       You now configure Oracle User Messaging Service to send and receive notifications. During configuration, you provide the addresses that are used by human workflow.
    2. Click Go to the Messaging Driver Page.

    3. Click Configure Driver in the upper right section of the page. This takes you to a page to configure the messaging service driver, including properties such as incoming IMAP and outgoing SMTP e-mail servers, outgoing server user names and passwords, and so on. For handling incorrect e-mail responses, the e-mail driver should be configured to handle incoming mails. This action enables human workflow participants to receive and forward notifications. Messaging drivers support the various messaging transports. See Section 24.4.1, "How to Configure a Driver" for instructions.

       (Illustration hwf_ums.gif not included.)

    Notes:

    * The host name and IP address of the e-mail server with which you configure must also be added to the /etc/hosts file of the server on which Oracle SOA Suite is running. For example, if the host name is xyz.oracle.com and the IP address is aa.bb.cc.dd, then add this information to the /etc/hosts file.
    * After you configure the inbound (IMAP) e-mail server, the outbound (SMTP) e-mail server, or both, you must restart the managed Oracle WebLogic Server on which the SOA Infrastructure is configured for these settings to take effect.
    4. Return to the Workflow Notification Properties page.

    5. Specify the mode of the notification service. The possible values are:

       * ALL: The e-mail, short message service (SMS), instant message (IM), and voice channels are configured and notification is sent through any channel that you use.
       * EMAIL: Only the e-mail channel is configured for sending notification messages.
       * NONE: No channel is configured for sending notification messages. This is the default setting.
    6. Specify notification channel values:

       * Email: From Address (example: workflow.notifications@mycompany.com)
         Enter the outgoing e-mail address from which end users receive notifications.
         Note: You can only receive error messages when the outgoing e-mail address is also configured to receive incoming messages. This ensures that error messages from incorrect or nonexistent e-mail addresses are captured by the server. Even if you configure a separate incoming account in the Email: Reply To Address field, error messages do not appear in the server logs.
       * Email: Actionable Address (example: workflow.actions@mycompany.com)
         Enter the incoming email address for performing task actions. The actionable e-mail account is the account in which task action-related e-mails are received and processed by human workflow.
       * Email: Reply To Address (example: workflow.no.reply@mycompany.com)
         Enter the address to display in e-mails sent out from Oracle SOA Suite. It can be a dummy address such as no.reply@myoracle.com or a valid address. If a valid address is provided, and configured in the Messaging Driver page, then if a user replies to actionable e-mails, human workflow sends an automated e-mail indicating the correct usage. This is another incoming email account.

    7. Click Apply.

    Note:
    If your IM message contains content that appears to be actionable, note that acting upon the task from within the message does not cause any action to be taken. For example, acting upon the task in the following IM message does not cause any action to occur.

    Help desk request for wfaulk Task Help desk request for wfaulk
    requires your attention. NOTE: You can act on the task by
    copy-pasting one of following lines as your response.

    RESOLVED : [[NID]] :
    Pt12uRUu9H+Xem4NYS2o7dKDtqNLs42d4YIs8ySO8Gn0ZVYFsb1SQVenRukRE+
    IcE7c4XDb+tPazvP v9T2iA0qylDg0bTaVxX13HhsrCYAg= : [[NID]]
    UNRESOLVED : [[NID]] :
    xT9l06rbaGRAey+BtgQyJIXk62mkFtCe7ocKxwNLIsPzyE5/7AnGwXlBodEgQxr6
    jorvsw2F54k/C1 r5mvyAJpAp4I4IekOHi4qhQ3eSbBHdzET1IL4F3qV/KZ/BAUsq :
    [[NID]]

    For more information about notifications and the User Messaging Service, see the following documentation:

    * Part X, "Administering Oracle User Messaging Service"
    * Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite
  • 4. Re: Documentation for configuring the identity service?
    128719 Newbie
    Hi Heidi,

    I'm looking for the Identity Service documentation, not Notification documentation.

    Thanks,
    Todd
  • 5. Re: Documentation for configuring the identity service?
    hbuelow Explorer
    Oops. Here you are:

    18.6 Configuring the Identity Service

    By default, the identity service uses the embedded LDAP server in Oracle WebLogic Server as the default authentication provider. You can, however, configure Oracle WebLogic to use an alternative authentication provider, such as Oracle Internet Directory, Microsoft Active Directory, or Sun iPlanet, along with the default authenticator.

    This section describes how to add an authentication provider and create users and groups in the authentication provider using either Oracle WebLogic Administration Console or Oracle Directory Services Manager.

    This section describes the following topics:

    * Section 18.6.1, "Adding an Authentication Provider"
    * Section 18.6.2, "Creating Users and Groups in the Authentication Provider"
    * Section 18.6.3, "Configuring the Directory Service"

    18.6.1 Adding an Authentication Provider

    You can add an authentication provider to a security realm using Oracle WebLogic Server Administration Console.

    To add an authentication provider:

    1. Log in to the Oracle WebLogic Server Administration Console.

    2. Click Security Realms in the Domain Structure pane, and click the name of a realm in the list (myrealm, for example).

    3. Click Providers > Authentication.

       The Authentication Providers page appears.

       Figure 18-1 Security Realm Authentication Providers (image not included)

    4. Click New to add a new authentication provider.

       The Create a New Authentication Provider page appears.

       Figure 18-2 Create a New Authentication Provider (image not included)

    5. Type a name for the provider in the Name field, choose the authenticator type using the Type drop-down list, and click OK.

       For example, you can type OIDAuthenticator as the name and choose OracleInternetDirectoryAuthenticator as the type for a provider that authenticates users using the Oracle Internet Directory.

       Similarly, you can type a name and choose ActiveDirectoryAuthenticator, iPlanetAuthenticator, or openLDAPAuthenticator from the list to specify the corresponding authenticator.

       Note: When using Oracle Internet Directory as the authentication provider, you must set the orclsslinteropmode attribute to 0 (zero) using Oracle Directory Services Manager. See Section 18.6.3, "Configuring the Directory Service" for more information.
    6. On the Providers > Authentication page, click the authenticator that you just created.

       The settings for the authentication provider appear.

       Figure 18-3 Settings for the Authentication Provider (image not included)

    7. Choose SUFFICIENT from the Control Flag drop-down list, and click Save.

       This specifies that if a user is authenticated successfully using this authenticator, WebLogic should accept the authentication and not continue to invoke any additional authenticators. If the authentication fails, Oracle WebLogic Server attempts to authenticate the user using the next authenticator in the list.

       If you set the Control Flag to SUFFICIENT, ensure that all subsequent authenticators also have the Control Flag set to SUFFICIENT. Likewise, ensure that the Control Flag of the default authenticator is set to SUFFICIENT as well.

    8. Click Provider Specific to enter the details for the authenticator server.

    9. Enter the provider-specific information about the authentication provider, check the Use Retrieved User Name as Principal check box, and click Save.

       Table 18-1 lists information you must specify.

       Table 18-1 Provider Specific Authentication Server Settings
       * Host: The host name or IP address on which the authenticator server is running.
       * Port: The port number on which the authenticator server is running.
       * Principal: The Distinguished Name (DN) of the authenticator server user that Oracle WebLogic Server should use when connecting to the server.
       * Credential: The credential (usually a password) used to connect to the authenticator server.
       * User Base DN: The base Distinguished Name (DN) of the tree in the LDAP directory that contains users.
       * Group Base DN: The base Distinguished Name (DN) of the tree in the LDAP directory that contains groups.
       * Use Retrieved User Name as Principal: Specifies whether to use the user name retrieved from the LDAP server as the principal in the subject.

       Use the default setting for the rest of the fields.
    10. Click Security Realms > Providers > Authentication to return to the list of authentication providers.

    11. Click Reorder.

        The Reorder Authentication Providers page appears.

        Figure 18-4 Reorder Authentication Providers (image not included)

    12. Select the new authentication provider, click the Up arrow to move the provider to the top of the list, and click OK.

        After reordering, the DefaultAuthenticator should appear at the bottom of the list. This action enables the system to handle logins as weblogic that are not typically in an LDAP directory, but still must be authenticated to start the server.

        Note that if multiple authentication providers are configured, authentication falls through the list of authenticators according to the control flags set. But the Java Portlet Specification (JPS) provides authorization against only the first entry in the list of providers.

    18.6.2 Creating Users and Groups in the Authentication Provider

    You can create users and groups in the authentication provider using either Oracle WebLogic Server Administration Console or Oracle Directory Services Manager.
    18.6.2.1 Creating Users and Groups Using WebLogic Console

    You can create users and groups for a specific provider, and define user and group membership, using the Oracle WebLogic Server Administration Console.

    To create a user using WebLogic Console:

    1. Log in to the Oracle WebLogic Console.

    2. Click Security Realms in the Domain Structure pane, and click the name of a realm in the list (myrealm, for example).

    3. Click Users and Groups > Users.

       The Users page appears.

       Figure 18-5 WebLogic Console Users and Groups (image not included)

    4. Click New to add a new user. The Create a New User page appears.

    5. Enter the required information about the user, and click OK.

       Table 18-2 lists information you must specify.

       Table 18-2 User Properties
       * Name: (Required) The name of the new user.
       * Description: A description of the new user.
       * Provider: The provider for the user.
       * Password: The password associated with the login name for the new user.
       * Confirm Password: Confirmation of the password.

       The system creates the new user in the specified provider and shows the Users page. You can configure group membership for the user, as required.

    6. To specify group membership for the user, click the newly-created user in the list. The settings for the new user page appear.

    7. Click Groups to specify group membership for the user.

    8. Select a group in the Available list and click the right arrow to move it to the Chosen list.

       You can press Ctrl-Click to select multiple groups to move.

    9. Click Save.

    To create a group using WebLogic Console:

    1. Click Users and Groups > Groups.

       The Groups page appears.

       Figure 18-6 WebLogic Console Groups (image not included)

    2. Click New to add a new group. The Create a New Group page appears.

    3. Enter the required information about the group, and click OK.

       Table 18-3 lists information you must specify.

       Table 18-3 Group Properties
       * Name: (Required) The name of the new group.
       * Description: A description of the new group.
       * Provider: The provider for the group.

       The system creates the new group in the specified provider and shows the Groups page. You can configure group membership for the group, as required.

    4. To specify group membership for the group (specify parent groups), click the newly-created group in the list. The settings for the new group page appear.

    5. Click Membership to add the group to other groups.

    6. Select a parent group in the Available list and click the right arrow to move it to the Chosen list.

       You can press Ctrl-Click to select multiple groups to move.

    7. Click Save.

    18.6.2.2 Creating Users and Groups Using Oracle Internet Directory

    You can create users and groups using Oracle Internet Directory through the Oracle Directory Services Manager.

    To connect to Oracle Internet Directory from the Oracle Directory Services Manager:

    1. Launch the Oracle Directory Services Manager by navigating to the following URL using a Web browser:

       http://host_name:port/odsm/faces/odsm.jspx

       where host_name and port are the host name and the managed server port number on which Oracle Internet Directory is running.

    2. Click the Connect to a directory link and choose Create a New Connection in the drop-down menu. The New Connection dialog appears.

    3. Select OID as the directory type, enter values in the required fields, and click Connect.

       Table 18-4 lists information you can specify.

       Table 18-4 Group Properties
       * Name: The name of the connection.
       * Server: (Required) The host name or IP address of the system on which Oracle Internet Directory is running.
       * Port: (Required) The port number on the system on which Oracle Internet Directory is running.
       * SSL Enabled: Select to enable a Secure Sockets Layer (SSL) communication.
       * User Name: (Required) The user name used to log in to Oracle Internet Directory.
       * Password: (Required) The password associated with the user name.
       * Start Page: The start page after logging into Oracle Internet Directory.

       The Oracle Directory Services Manager Home tab appears.

    4. Click the Data Browser tab. You can use this tab to create and remove entries.

    To create a domain:

    1. Click the Create a new entry button in the Data Tree pane. The Entry Properties page of the Create New Entry wizard appears.

    2. Click the Add button to add the required object class for the domain. The Add Object Class dialog box appears.

    3. Type the name of the object class. When the correct object class appears in the Name list, select it, and click OK.

    4. Repeat Steps 2 and 3 to add all the required object classes for the domain. Generally, top, domain, and orclContainer are the object classes required for a domain.

    5. Click Browse to choose the parent of the domain. The Select Distinguished Name (DN) Path dialog box appears.

       Figure 18-7 Select Distinguished Name (DN) Path (Domain) (image not included)

    6. Select the parent of the domain and click Select. You can create a hierarchy of entries by selecting the appropriate parent domains.

    7. Click Next in the Create New Entry dialog box. The Mandatory Properties page of the Create New Entry wizard appears.

    8. Type and select values for the required fields, and click Next.

       Table 18-5 lists information you can specify.

       Table 18-5 Mandatory Properties (Domain)
       * dc: (Required) The domain component.
       * Relative Distinguished Name: (Required) The relative distinguished name of the user.

       The Status page of the Create New Entry wizard appears.

    9. Verify the status of the new domain, and click Finish to create the new domain.

    To create a user:

    1. Click the Create a new entry button in the Data Tree pane. The Entry Properties page of the Create New Entry wizard appears.

    2. Click the Add button to add the required object class for the user. The Add Object Class dialog box appears.

    3. Type the name of the object class. When the correct object class appears in the Name list, select it, and click OK.

    4. Repeat Steps 2 and 3 to add all the required object classes for the user. Generally, top, person, inetorgperson, organizationalPerson, and orcluser are the object classes required for a user.

    5. Click Browse to choose the parent of the user. The Select Distinguished Name (DN) Path dialog box appears.

       Figure 18-8 Select Distinguished Name (DN) Path (User) (image not included)

    6. Select the parent of the user and click Select.

    7. Click Next in the Create New Entry dialog box. The Mandatory Properties page of the Create New Entry wizard appears.

    8. Type and select values for the required fields, and click Next.

       Table 18-6 lists information you can specify.

       Table 18-6 Mandatory Properties (User)
       * cn: (Required) The common name.
       * sn: (Required) The surname (last name).
       * Relative Distinguished Name: (Required) The relative distinguished name of the user.

       The Status page of the Create New Entry wizard appears.

    9. Verify the status of the new user, and click Finish to create the new user.

    10. Click the entry for the newly-created user in the Data Tree pane. The Person tab for the user appears.

        Figure 18-9 User Information: Person Tab (image not included)

    11. Enter details about the user, and click Apply.

    To create a group:

    1. Click the Create a new entry button in the Data Tree pane. The Entry Properties page of the Create New Entry wizard appears.

    2. Click the Add button to add the required object class for the group. The Add Object Class dialog box appears.

    3. Type the name of the object class. When the correct object class appears in the Name list, select it, and click OK.

    4. Repeat Steps 2 and 3 to add all the required object classes for the group. Generally, top, groupOfUniqueNames, and orclGroup are the object classes required for a group.

    5. Click Browse to choose the parent of the group. The Select Distinguished Name (DN) Path dialog box appears.

       Figure 18-10 Select Distinguished Name (DN) Path (Group) (image not included)

    6. Select the parent of the group and click Select.

    7. Click Next in the Create New Entry dialog box. The Mandatory Properties page of the Create New Entry wizard appears.

    8. Type and select values for the required fields, and click Next.

       Table 18-7 lists information you can specify.

       Table 18-7 Mandatory Properties
       * cn: (Required) The common name.
       * Relative Distinguished Name: (Required) The relative distinguished name of the group.

       The Status page of the Create New Entry wizard appears.

    9. Verify the status of the new group, and click Finish to create the new group.

    10. Click the entry for the newly-created group in the Data Tree pane. The Group tab for the group appears.

        Figure 18-11 Group Information: Group Tab (image not included)

    11. Specify details about the group, and click Apply.

    To delete an entry:

    1. Select an entry in the Data Tree pane.

    2. Click the Delete this entry button in the Data Tree pane.

    18.6.3 Configuring the Directory Service

    When using Oracle Internet Directory as the authentication provider, you must set the orclsslinteropmode attribute to 0 (zero) using Oracle Directory Services Manager.

    To configure the directory service:

    1. Launch Oracle Directory Services Manager and choose an Oracle Internet Directory connection using the drop-down list.

    2. Click the Data Browser tab.

    3. Expand the cn=subconfigsubentry > cn=osdldapd > cn=oid1 nodes.

       Figure 18-12 Oracle Directory Services Manager Data Browser (image not included)

    4. In the Attributes tab, set the orclsslinteropmode attribute to 0.

    5. Click the Apply button.

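The control-flag and ordering rules in steps 7 and 12 of section 18.6.1 above, worked through as an added example that is not part of the guide or of Oracle's code: a small Python model of the JAAS control-flag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that WebLogic applies to its provider list. The two "directories", their users and passwords are constructed for the demo; OID and the embedded LDAP are stand-ins, not live servers, and the provider names are the ones the guide suggests.

```python
"""Walk a chain of authentication providers under JAAS control flags.

Added example (not Oracle code). It models how WebLogic resolves a login
across the provider list the guide has you build, to show why the guide
puts the new LDAP authenticator first and sets every authenticator,
DefaultAuthenticator included, to SUFFICIENT. Directories and users below
are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Authenticator = Callable[[str, str], bool]


@dataclass
class Provider:
    name: str
    flag: str  # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    authenticate: Authenticator


def make_directory(users: Dict[str, str]) -> Authenticator:
    """Stand-in for an LDAP bind: True when user/password match the directory."""
    def bind(user: str, password: str) -> bool:
        return users.get(user) == password
    return bind


def login(chain: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Apply JAAS control-flag semantics to the chain, in list order.

    REQUIRED   must succeed; the walk continues either way.
    REQUISITE  must succeed; a failure stops the walk at once.
    SUFFICIENT a success ends the walk as authenticated unless an earlier
               REQUIRED/REQUISITE already failed; a failure just continues.
    OPTIONAL   result does not matter; the walk continues.
    Returns (authenticated, trace of providers consulted).
    """
    trace: List[str] = []
    required_failed = False
    any_success = False
    for p in chain:
        ok = p.authenticate(user, password)
        trace.append(f"{p.name}[{p.flag}]={'ok' if ok else 'fail'}")
        if p.flag in ("REQUIRED", "REQUISITE"):
            if ok:
                any_success = True
            else:
                required_failed = True
                if p.flag == "REQUISITE":
                    break
        elif p.flag == "SUFFICIENT":
            if ok and not required_failed:
                return True, trace  # short-circuit: later providers are not consulted
            any_success = any_success or ok
        elif p.flag == "OPTIONAL":
            any_success = any_success or ok
        else:
            raise ValueError(f"unknown control flag {p.flag!r}")
    return any_success and not required_failed, trace


# Constructed directories: the corporate LDAP holds application users; the
# embedded LDAP behind DefaultAuthenticator holds only the boot/admin account.
OID = make_directory({"todd": "s3cret"})
EMBEDDED = make_directory({"weblogic": "welcome1"})

# Chain as the guide describes: the new LDAP authenticator on top,
# DefaultAuthenticator at the bottom, both SUFFICIENT.
RECOMMENDED = [
    Provider("OIDAuthenticator", "SUFFICIENT", OID),
    Provider("DefaultAuthenticator", "SUFFICIENT", EMBEDDED),
]

# Common mistake: DefaultAuthenticator left at REQUIRED (its out-of-the-box
# flag) and still listed first. Users that exist only in OID can never log in,
# because the REQUIRED failure poisons the later SUFFICIENT success.
MISCONFIGURED = [
    Provider("DefaultAuthenticator", "REQUIRED", EMBEDDED),
    Provider("OIDAuthenticator", "SUFFICIENT", OID),
]


if __name__ == "__main__":
    for label, chain in (("recommended", RECOMMENDED), ("misconfigured", MISCONFIGURED)):
        for user, pw in (("todd", "s3cret"), ("weblogic", "welcome1"), ("todd", "wrong")):
            ok, trace = login(chain, user, pw)
            verdict = "AUTHENTICATED" if ok else "DENIED"
            print(f"{label:13} {user:9} -> {verdict:13} via {' -> '.join(trace)}")
```

Running it prints one line per login attempt with the providers consulted. In the recommended chain todd is accepted by OIDAuthenticator alone (DefaultAuthenticator is never consulted) and weblogic falls through to DefaultAuthenticator; in the misconfigured chain todd is denied even with the correct password, which is exactly the situation step 7 (default authenticator set to SUFFICIENT) and step 12 (DefaultAuthenticator moved to the bottom) are meant to prevent.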