Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2) B14013-02
This chapter discusses configuring OC4J to use the Oracle Internet Directory (OID) LDAP-based provider. It contains the following sections:
Some LDAP properties affect the entire OC4J instance; these properties are discussed in "Specifying OracleAS JAAS Provider Settings".
You normally associate OC4J with infrastructure at the time of installation. However, you can also associate OC4J with infrastructure later using Oracle Enterprise Manager 10g Application Server Control Console. See the Oracle Enterprise Manager 10g help topic "Application Server Infrastructure Page".
When you associate an OC4J instance with an Oracle Application Server Infrastructure (including the Oracle Internet Directory), your application can leverage the LDAP-based provider for central management of users.
Before using the LDAP-based provider, you must set up certain users, groups, and permissions in Oracle Delegated Administration Services, and then grant these users and groups the appropriate permissions.
If you specify the LDAP-based provider globally in the ORACLE_HOME/j2ee/instance_name/config/application.xml configuration file, then you must also create an anonymous user, as discussed in "Creating an anonymous User Using ldapmodify". Under normal conditions, you do not need to modify application.xml. The principal reason to do so is to configure the default application in an OC4J instance to use the LDAP-based provider as the user manager. The default application is a system application created by OC4J for internal use. (See the deployment and configuration overview in the Oracle Application Server Containers for J2EE Servlet Developer's Guide for information about the OC4J default application.)
You can set up the appropriate groups and users by using the tool oracle.security.jazn.util.LoadOidData, which is part of the jazncore library supplied in the ORACLE_HOME directory. You run the tool with the command line:
java -cp ./jazncore.jar oracle.security.jazn.util.LoadOidData
The syntax for this tool is:
LoadOidData [-h ldaphost] [-p ldapport] [-D binddn] [-w passwd] [-f filename] [-oc4jAdminPwd passwd] [-ignoreError true|false]
The supported options are:
-h ldaphost: the LDAP host name
-p ldapport: the port of the LDAP server
-D binddn: the distinguished name of the Oracle Internet Directory administrator
-w password: the password of the Oracle Internet Directory administrator
-f filename: the file containing the entries to be loaded, which is ORACLE_HOME/j2ee/instance_name/jazn/install/oidConfigForOc4j.sbs
-oc4jAdminPwd password: the password that will be assigned to the OC4J administrator
-ignoreError boolean: whether the tool continues after reporting an error (if true) or stops as soon as it encounters an error (if false)
For example, assume the password for the Oracle database administrator is welcome1 and the password for the OC4J administrative user is welcome2. The command line (assuming $J2EE_HOME is ORACLE_HOME/j2ee/home) would be:
java -cp $J2EE_HOME/jazncore.jar oracle.security.jazn.util.LoadOidData -h oidhost -p oidport -D cn=orcladmin -w welcome1 -f $J2EE_HOME/jazn/install/oidConfigForOc4j.sbs -oc4jAdminPwd welcome2
After you run this tool, your default Oracle Identity Management realm will contain the following:
An administrators group
An administrative user that is a member of the administrators group
The administrators group will have the following permissions:
oracle.j2ee.server.AdministrationPermission("administration")
oracle.j2ee.server.rmi.RMIPermission("login")
Finally, you must set the ldap.user property to admin and the ldap.password property to the appropriate password, as discussed in "Configuring LDAP SSL Properties".
You create an anonymous user by creating an LDIF (LDAP Data Interchange Format) file, then supplying the LDIF file as input to the ldapmodify tool. An appropriate LDIF file is shown in Example 7-1. Note that you must replace yourDistinguishedName with the distinguished name of the default identity management realm.
Example 7-1 An anony.ldif File to Create the anonymous User
dn: cn=anonymous, cn=Users, yourDistinguishedName
changetype: add
uid: anonymous
givenName: anonymous
cn: anonymous
sn: anonymous
description: This entry is used as the identification for unauthenticated users.
orclisenabled: disabled
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: orcluser
objectClass: orcluserV2
After you have created your anony.ldif file, use the ldapmodify command to add the anonymous user. The syntax for this command is:
ORACLE_HOME/bin/ldapmodify -D cn=orcladmin -w password -h hostname -p port \
    -f anony.ldif
When you issue this command, replace password, hostname, and port with the password, host name, and port for your installation.
Note: The anonymous account is a special user account created in the Oracle Internet Directory server for OC4J server usage only. Because this account is created without a password, it cannot be used by an end user to log in to the applications.
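The following added example (not part of the guide) builds the anony.ldif entry from Example 7-1 for a given realm DN and checks, before the file is handed to ldapmodify, that the entry still has the properties the note above relies on: no userPassword attribute and orclisenabled set to disabled. The realm DN dc=example,dc=com is a constructed placeholder.

```python
from typing import Dict, List

# Constructed placeholder for yourDistinguishedName; substitute your realm DN.
REALM_DN = "dc=example,dc=com"


def build_anonymous_ldif(realm_dn: str) -> str:
    """Return the anony.ldif content of Example 7-1 for the given realm DN."""
    return "\n".join([
        f"dn: cn=anonymous, cn=Users, {realm_dn}",
        "changetype: add",
        "uid: anonymous",
        "givenName: anonymous",
        "cn: anonymous",
        "sn: anonymous",
        "description: This entry is used as the identification for unauthenticated users.",
        "orclisenabled: disabled",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetorgperson",
        "objectClass: orcluser",
        "objectClass: orcluserV2",
    ]) + "\n"


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one plain-text LDIF entry into attribute -> values (names lower-cased).
    Folded continuation lines (leading space) are joined; comments are skipped."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_anonymous_entry(text: str) -> List[str]:
    """Return problems found; an empty list means the entry matches the guide."""
    a = parse_ldif_entry(text)
    problems: List[str] = []
    if "userpassword" in a:
        problems.append("anonymous must not carry a password")
    if a.get("orclisenabled") != ["disabled"]:
        problems.append("orclisenabled must be 'disabled'")
    if a.get("changetype") != ["add"]:
        problems.append("changetype must be 'add'")
    if not a.get("dn", [""])[0].lower().startswith("cn=anonymous, cn=users,"):
        problems.append("dn must be cn=anonymous under cn=Users in the realm")
    if "orcluserv2" not in [c.lower() for c in a.get("objectclass", [])]:
        problems.append("objectClass orcluserV2 missing")
    return problems
```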
Before beginning development, you must ensure that the operating-system-specific environment variable controlling loading of dynamic libraries (for example, LD_LIBRARY_PATH in Solaris) is set appropriately. See Table 2-5, "Dynamic Library Path Settings" for details.
When you manage OC4J with Oracle Enterprise Manager, it sets this variable automatically.
To create users and groups when using the LDAP-based provider, you use the Oracle Delegated Administration Services tools. For details, see Oracle Identity Management Guide to Delegated Administration.