UCM / Webcenter Content : Configuring an Admin User for UCM which resides in OID

UseCase :

• The default install of Webcenter Content/UCM results in weblogic as the Default Content Admin which resides in the embedded LDAP.
• In our Webcenter implementations we end up using a variety of LDAP's.
• This post details how to change the Admin user for UCM to a user residing in OID which is easier to manage and the recommended approach instead of using weblogic.

Advantages : 

• This can also be extended to use any LDAP like AD, OUD, ODSEE etc.
• Another reason why this needs to be configured is so that the UCM Console can be logged in using a OHS URL or Virtual IP which has a LDAP configured as its IdentityStore instead of having to log in via the managed server port.

Configuration Steps :

1.Create a new user called ucmadmin in OID with object classes simialr to those present for orcladmin.

2.Create a new group called ucmadmingroup in OID with object classes top and groupOfUniqueNames.

3.Assign ucmadmin as a member of the ucmadmingroup.

4.Make sure the users and groups mentioned here reside in the DN hierarchy defined in the OID Authenticator(e.g. cn=Users,dc=oracle,dc=com)

5.You also need to create the Credential Maps to grant ucmadmingroup as the administrator in UCM. Then, in UCM, we mapp the OID group ucmadmin to UCM internal roles and all accounts priveliges. All the users who belong to the ucmadmin group will be automatically granted the UCM admin roles.

- Login to Content Server as weblogic and configure credential map (http://<host>:16200/cs)
  Administration -> Credential Maps, create a new map (e.g.: called "MyOIDMap")
- Add the following mapping

ucmadmingroup ,                  admin
ucmadmingroup ,                  guest
ucmadmingroup ,                  sysmanager
ucmadmingroup ,                  refineryadmin
ucmadmingroup ,                  rmaadmin
ucmadmingroup ,                  pcmadmin
ucmadmingroup ,                  ermadmin
ucmadmingroup ,                  @#all

6.Edit the provider.hda  and add the credit map "MyOIDMap" which would be at the location -
 <UCM-Domain>/ucm/cs/data/providers/jpsuserprovider/provider.hda
  Here is an example:

<feff><?hda version="11gR1-11.1.1.6.0-idcprod1-111219T111403" jcharset="UTF8" encoding="utf-8"?>
Properties LocalData
DefaultNetworkAccounts=#none
DefaultNetworkRoles=guest
PasswordScope=jpsuserprovider
ProviderClass=idc.provider.jps.JpsUserProvider
ProviderDescription=csJpsUserProviderDescription
ProviderName=JpsUserProvider
ProviderType=jpsuser
SourcePath=jpsuser
ProviderCredentialsMap=MyOIDMap
blDateFormat=M/d{/yy}{ h:mm[:ss]{ a}}!mAM,PM!tAmerica/Los_Angeles
pDescription=csJpsUserProviderDescription
end

7.Restart the UCM Managed Server.
 
8. Repeat the steps for the other machine if its a clustered environment.

9.After that , if you login to Content Server as ucmadmin, in the ucadmin profile, you should see something similar as the following:

 

 In the ucmadminprofile, you should see the "#all" in the Accounts fields. Otherwise, when users accessing documents in Spaces, it will fail the following error:
  User 'ucmadmin' does not have sufficient privileges to access the content account.

Reference : https://support.oracle.com/epmos/faces/DocumentDisplay?id=1454012.1#aref_section310

Oracle Access Manager(OAM) & Oracle Internet Directory(OID)'s restricted use license with WebCenter Portal

A restricted use of Oracle Access Manager(OAM) & Oracle Internet Directory(OID) is allowed with WebCenter Suite Plus licensing which is one of the most common licenses available to Customers implementing a WebCenter Portal.

Thus OAM & OID can be used to provide Single Sign On (SSO) between WebCenter , UCM/Content & IPM without the client having to buy any additional licenses albeit with a few technical limitations.

In addition out of the box features like Impersonation can be leveraged easily.

On a whole this should help customers easily leverage Single-Sign-On using OAM & use Oracle's LDAP - OID when implementing a WebCenter Portal.

Source :

Oracle® Fusion Middleware Licensing Information 11g Release 1 (11.1.1)

"Oracle Access Manager(OAM) for enabling Single-Sign On (SSO) between WebCenter Portal components. Use of Oracle Access Manager to a) enable SSO for any custom services or functions or third party applications;

b) Direct Oracle Access Manager SDK calls; or c) Third party directory integration, is not allowed.

Oracle Internet Directory(OID) - The use of OID is restricted to storing credentials and policies specific to WebCenter Portal and its delivered components."

Limitations :

1) OAM & OID alongwith the WebTier would need to be installed in the same VMs as Webcenter Portal when leveraged as a part of this licensing.

This makes it slightly different from Oracle's recommended deployment Architecture for OAM.

Allowing unauthenticated access to Webcenter Content/UCM public documents via OAM SSO

Recently we had a requirement at a client wherein Public Documents in UCM be accessed via a SSO URL (using the OHS Port) without the user being challenged for credentials.

Sounds pretty straighforward right ? Since anyways using the default managed server port of 16200 of the Content Server , anyways those documents don't popup asking for user credentials.

Well , wasn't that simple really! Took us(myself , Sachin Saxena et al) a few days to exactly figure this out and now we have Oracle's stamp on it as well !

Following were the examples of documents which needed to be publically accessible

1)http://<host>:7778/cs/idcplg?idcService=GET_FILE&dID=1445&dDocName=DEV_COMPLOGO_31364&allowInterrupt=1

(Accessing public document  called 'DEV_COMPLOGO_31364' having Public Security group via IdcService)

2)http://<host>:7778/cs/groups/public/documents/digitalmedia/b2dv/xzmx/~edisp/dev_complogo_31364.jpg

(This has a definite URL Pattern of /cs/groups/public)

3)Also this general service/document search page needs to open up without authentication.

http://<host>:7778/cs/idcplg?IdcService=GET_DOC_PAGE

**Oracle Access Manager (OAM) basically protects URLs or definite URL parameters , it cannot go inside an end-user application and check security assigned to a resource to determine if that should be challenged for credentials.

(Example in this case is that it cannot go and check the authorization / security Group using IdcService URL for the file DEV_COMPLOG_31364)**

Hence we have only two options here -

1)Either the URL pattern /cs/groups/public can be marked as unprotected in OAM Application Domain and hence user won't be challenged when using Pattern 2 as above.

2)Create a mapping folder pattern in UCM , like pretty URL to access even webDav content)

3)You can configure the IdcService url pattern to be public via OAM. (something like http://oamserver.com/cs/idcplg as url and query parameters as IdcService=GET_FILE) .But by exposing that people can still construct url of private documents if they know the dID and bypass OAM as the pattern is public. But once they reach UCM, ucm security will deny them access as they are not authenticated/have required permissions [Courtesy : Shidharth Mishra]

References

1)Oracle SR [Closed]            2) Forums