Creating a UUP EJB

WebLogic Portal includes a UUP service that lets you add and manage users and their properties in a single logical location—even if the user data is stored in external systems, such as an LDAP server. You can add this additional user data to a User’s Profile.

You can configure a UUP in Workshop for WebLogic, the Administration Console, or manually (this method is not recommended). You must choose one method or the other; the methods are not interchangeable. Of the two recommended methods, the one you choose depends where you are in your portal development process:

Whenever possible, configure a UUP in Workshop for WebLogic (rather than manually) because of the following reasons:

Workshop for WebLogic overwrites UUP configurations from the p13n-profile-config.xml file, and stores changes in the deployment plan, separate from the portal application.

Both types of UUPs take precedence over existing UUPs that you configure manually. Existing UUPs that you created manually in previous versions of WebLogic Portal can coexist with new UUPs that you configure in the Administration Console or in Workshop for WebLogic.

In WebLogic Portal 8.1, you could use a text editor to create a UUP EJB and then add the appropriate descriptors to the ejb-jar.xml file and the weblogic-ejb-jar.xml file in the p13n-ejb.jar file. You can still use this manual method in WebLogic Portal 9.2, but it is not recommended because it is difficult to maintain and upgrade. You must unjar the archive file, modify the descriptors in their respective XML files, and then jar the contents of the archive to include the modifications.

Creating a UUP Manually

You should create the UUP in Workshop for WebLogic (rather than manually) whenever possible.

If you decide to manually create a custom UUP to retrieve user data from an external source, you must perform the following tasks:

Create an EntityPropertyManager EJB to represent the external data – You must perform this step first, regardless of the configuration method you use to configure the UUP. The only exception is if you are using the LDAP UUP, which is an EntityPropertyManager EJB that represents external data stored in LDAP. LDAP ships with BEA WebLogic Portal.
Configure the new EntityPropertyManager EJB.

Creating an EntityPropertyManager EJB

The first step in all three methods of configuring a UUP is to create an EntityPropertyManager EJB. You can use Workshop for WebLogic or another development tool to create a stateless session bean that implements the methods of the EntityPropertyManager interface.

To incorporate data from an external source, you must create a stateless session bean that implements the methods of the com.bea.p13n.property.EntityPropertyManager remote interface. EntityPropertyManager is the remote interface for a session bean that handles the persistence of property data and creates and deletes profile records. By default, EntityPropertyManager provides read-only access to external properties.

The stateless session bean should also include a home interface and an implementation class. For example:

Your implementation class can extend the EntityPropertyManagerImpl class. However, the only requirement is that your implementation class is a valid implementation of the MyEntityPropertyManager remote interface. For example:

Using Recommended EJB Guidelines

Your custom EntityPropertyManager is not a default EntityPropertyManager. A default EntityPropertyManager is used to get, set, or remove properties in the portal schema. Your custom EntityPropertyManager can throw a java.lang.UsupportedOperationException message if it does not support the following methods:

The getDynamicProperties() method
The getEntityNames() method
The getHomeName() method
The getPropertyLocator() method
The getUniqueId() method

If you want to use the portal framework and tools to create and remove users in your external data store, you must support the createUniqueId() and removeEntity() methods. However, your custom EntityPropertyManager is not the default EntityPropertyManage, so your createUniqueId() method does not have to return a unique number. The method must create the user entity in your external data store and then it can return any number, such as -1.
The following recommendations apply to the EntityPropertyManager() methods that you must support:

The getProperty() method – Use caching. You should support the getProperties() method to retrieve all properties for a user at once, caching them at the same time. Your getProperty() method should use the getProperties() method.
The setProperty() method – Use caching.
The removeProperties() and removeProperty() methods – After these methods are called, a call to getProperty() should return null for the property. You should also remove properties from the cache.

Your implementations of the getProperty(), setProperty(), removeProperty(), and removeProperties() methods must include any logic necessary to connect to the external system.
If you want to cache property data, the methods must be able to cache profile data appropriately for that system. (See the com.bea.p13n.cache package in the WebLogic Portal Javadoc.)
If the external system contains read-only data, any methods that modify profile data must throw a java.lang.UnsupportedOperationException message. Additionally, if the external data source contains users that are created and deleted by something other than your WebLogic Portal createUniqueId() and removeEntity() methods, you can throw an UnsupportedOperationException message.
To avoid class loader dependency issues, verify that your EJB resides in its own package.
For ease of maintenance, place the compiled classes of your custom EntityPropertyManager bean in your own JAR file (instead of modifying an existing WebLogic Portal JAR file).

Configuring the New EntityPropertyManager EJB

If you use WebLogic Portal 9.2, use the steps in Using Portal 9.2 to Configure the EJB to configure the new EntityPropertyManager EJB. Whenever possible, use these steps to configure a new EJB.

If you use WebLogic Portal 8.1, read Using Portal 8.1 to Configure the EJB to configure the new EntityPropertyManager EJB. Use this method only when you are deploying an existing Weblogic Portal 8.1 EntityPropertyManager EJB.

Using Portal 9.2 to Configure the EJB

The preferred method to configure the EntityPropertyManager EJB is with WebLogic Portal 9.2.

Perform the following steps to configure and deploy the new EntityPropertyManager EJB:

If you have already deployed the application on a WebLogic Portal instance, stop the server.
In the Merged Projects View in Workshop for WebLogic, locate the p13n-profile-config.xml file.
Right-click the p13n-profile-config.xml file and copy it into the /META-INF directory in your EAR project folder. Uncomment or edit the applicable lines in the p13n-profile-config.xml file and save the file.
Deploy the EntityPropertyManager EJB.
You can also access the Administration Console and add or change lines in the p13n-profile-config.xml file. Choose Configuration & Monitoring > Service Administration, and select Unified User Profiles and your UUP in the Resource Tree. After you make changes to the p13n-profile-config.xml file in the Administration Console, redeploy the application.

Using Portal 8.1 to Configure the EJB

To access the data in your new EntityPropertyManager EJB, you must modify the existing ProfileManager deployment configuration. See the WebLogic Portal 8.1 documentation for instructions.

Retrieving User Profile Data from an LDAP Server

WebLogic Portal ships with a default UUP that retrieves properties from an LDAP server. An LDAP can be any directory server that supports the LDAP protocol, such as Sun Directory Server, Microsoft Active Directory, or OpenLDAP.

The LDAP authentication providers (in the Security realm of a portal application) and the LdapPropertyManager UUP that retrieve user properties from LDAP are independent of each other. They do not share configuration information, and there is no requirement to use one with the other. A Security realm has nothing to do with a User Profile. A Security realm provides user and password data, and user and group associations. A User Profile provides user and group properties. A password is not a property.

Configuring an LDAP UUP

Create a datasync project for your EAR project, if you have not already done so. Perform the following steps to implement the LDAP UUP to retrieve properties from your LDAP server:

If you have already deployed the application on a WebLogic Portal instance, stop the server.
In the Merged Project View in Workshop for WebLogic, deploy the sample ldap_uup.jar file as an EJB component of your portal application. To deploy the file, locate the ldap_uup.jar file in the <wl-home>/weblogic92/common/p13n/lib directory and copy it to your EARContent directory in your EAR Project folder.
Locate the application.xml file in the /META-INF directory in your EARContent directory and add the following information to the <module> section:

<module> <ejb>ldap_uup.jar</ejb> </module>

Save the application.xml file.

Copy the p13n-profile-config.xml file from the p13n-app-lib.ear file into the /META-INF directory of your EAR project, and uncomment the <property-adapter> section named LdapUUPAdapter.

Tip: If you already have an existing p13n-profile-config.xml file, open it and copy the updated sections into the p13n-profile-config.xml file in your /META-INF directory in your Portal EAR directory.

In your Portal EAR directory, open your /META-INF/p13n-profile-config.xml file. (If you have not already copied this file from the library module, copy it now.) The file contains a commented block called LdapUUPAdapter. Uncomment and reconfigure this section using the following steps:

In the LdapUUPAdapter block, locate the default settings for your multiple <adapter-property> section shown in Table A-1 and replace the default values with your own. The template file also contains instructions.

Table A-1 Replace the Default Settings
Adapter Property Name	Default Value	New Value
`serverURL`	`ldap://<your ldap server host>:<your ldap server port>` `For example, ldap://SunOneLdapServer: 12341`.	Your LDAP server host:port string
UserPrincipal	`uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot`	Your LDAP server's principal
N/A	Set in the Administration Console. There is no default. Do not configure this property if you do not use a credential to log into your LDAP server.	The `credentialAlias` that can log into your LDAP server
userDN	`ou=People,o=company.com`	Your LDAP server's `UserDN`
groupDN	`ou=Groups,o=company.com`	Your LDAP server's `GroupDN`
uid	`uid`	Your LDAP server's `usernameAttribute` setting in place of `uid`
`cn`	`cn=bea.com`	Your LDAP server's `groupnameAttribute` setting in place of `cn`

Save and close the file.

Create an LDAP cache. The name of the cache is specified by the adapter parameter ldapPropertyCacheName in the p13n-profile-config.xml file. The default value for the cache’s name is ldapPropertyCache. To learn how to create a cache in the Administration Console, see Cache Reference Guide.
If you want the properties from your LDAP server to appear in the Administration Console (so you can define rules for personalization, delegated administration, and visitor entitlement), create a user profile property set called newldap.usr, and create properties in the property set that exactly match the <property-mapping> names of the LDAP properties you want to appear. Place the newldap.usr file in your datasync project directory. The datasync project must reside in your portal EAR project.
Start the server, and clean and redeploy the application. The properties from your LDAP server are now accessible through the WebLogic Portal API, JSP Tags, and Controls.
If your LDAP server requires a username and password during connection, set them up by launching the Administration Console and choosing Configuration & Monitoring > Service Administration. Select Unified User Profile in the Resource tree and then select your LDAP UUP. Enter the username and password that are mapped to the credential alias adapter property. Re-deploy the application again. Verify the change by logging in as an existing LDAP user.

To verify this step, go to the Administration Console and choose Users, Groups, & Roles > User Management to see if a particular user's LDAP properties are shown in the user's profile.

Tip: A credential alias requires a username and password. If you do not want your LDAP server to require a username and password, remove the credential-alias line in the p13n-profile-config.xml file.

Enabling Searches for a User and Group

If your users are located in separate branches with a common root in your LDAP server, you must enable the subtree scope feature. The LdapPropertyManager EJB in the ldap_uup.jar file allows the LDAP schema to be inspected to determine multi-valued versus single-value (or flat) LDAP attributes, allow multiple userDN and groupDN, and allow SUBTREE_SCOPE searches for users and groups in the LDAP server.

Determining multi-value versus single-value LDAP attributes specifies that the LDAP schema should be used to determine if a property is single- or multi-value. Consult your LDAP Server schema for instructions.

In your portal, you can configure these optional settings in the <adapter-property> line to specify the LDAP schema using one of the following methods:

The p13n-profile-config.xml file provides sample settings as a commented block.

This feature also implements changes that allow you to use SUBTREE_SCOPE searches for users and groups. It also allows you to specify multiple base userDN and groupDN. You can use the multiple base DN with SUBTREE_SCOPE searches enabled or disabled.

A SUBTREE_SCOPE search begins at a base userDN (or groupDN) and works down the branches of that base DN until the first user or group is found that matches the user name or group name.

Do not use true for detectSingleValueFromSchema in the p13-profile-config.xml file unless you plan to write rules that use multi-valued LDAP attributes that have a single value. Using /detectSingleValueFromSchema = true adds the overhead of checking the LDAP schema for each attribute instead of the default behavior (/detectSingleValueFromSchema = false), which only stores an attribute as multi-valued (in a collection) if it has more than one value.

Perform the following steps to manually enable SUBTREE-SCOPE for users and groups:

Stop the server.
Set the Boolean objectPropertySubtreeScope adapter-property-value to true in the adapter-property-name element in the p13n-profile-config.xml file for the LDAP UUP adapter.
Set the userDN and groupDN adapter-property-values in the p13n-profile-config.xml file to be equal to the base DNs where you want your SUBTREE_SCOPE searches to begin.

For example, if you have users in ou=PeopleA, ou=People, dc=mycompany, dc=com, and ou=PeopleB, ou=People, dc=mycompany, and dc=com, you could set userDN to ou=People, dc=mycompany, dc=com, and properties for these users would be retrieved from your LDAP server because the user search would start at the ou=People and work its way down the branches (ou=“PeopleA” and ou=“PeopleB”).

Do not create duplicate users in branches below your base userDN (or duplicate groups below your base groupDN) in your LDAP server. For example, your LDAP server will allow you to create a user with the uid=“userA” under PeopleA and your PeopleB branches. The LdapPropertyManager in the ldap_uup.jar.jar file returns property values for the first userA that it finds.

Note: Do not enable this change (by setting objectPropertySubtreeScope to true) unless you need the flexibility offered by SUBTREE_SCOPE searches.

An alternative to SUBTREE_SCOPE searches (with or without multiple base DNs) is to configure multiple base DNs and leave objectPropertySubtreeScope set to false. Each base DN would have to be the DN that contains the users (or groups) because searches would not go any lower than the base DN branches. The search cycles from one base DN to the next until it finds the first matching user or group.

The new p13n-profile-config.xml file is fully commented to explain how to set multiple DNs, multiple usernameAttributes (or groupnameAttributes), and how to set the objectPropertySubtreeScope flag.

Save and close the file.
Start the server and redeploy the application.

Editing a UUP Manually

If you have an 8.1 UUP, you can change the configuration setting or properties for your UUP by modifying the EntityPropertyManager EJB ejb-jar.xml descriptor to represent the external data, editing and redeploying a ProfileManager that can use the new EntityPropertyManager EJB, and modifying a default UUP to serve as an LDAP server.

Upgrading a UUP

When you upgrade a UUP from WebLogic Portal 8.1, the p13n_ejb.jar file is deleted and replaced with a new WebLogic Portal 9.2 version of this file. The new p13n_ejb.jar file is packaged in the library modules that ship with WebLogic Portal 9.2 and 10.0.

Perform the following steps to upgrade a UUP created in WebLogic Portal 8.1 to WebLogic Portal 9.2:

Start Workshop for WebLogic and create a new Workspace.
Create a new portal domain. Do not create a Portal EAR Project. For instructions on creating a new domain, see the Portal Development Guide.
Import your Portal 8.1 UUP application into your new environment by choosing File > Import.
In the Select dialog, select Workshop 8.1 Application and click Next.
In the Application Import dialog, click Browse and locate your 8.1 UUP application. Select the .work file and click Open. Verify that the check boxes for the UUP application are selected and click Next, as shown in Figure A-1.

Figure A-1 Locate the 8.1 UUP Application

Locate the 8.1 UUP Application

In the Source Upgrade dialog, select the Use WebLogic 9.0 J2EE Shared Libraries check box and select the Replace BEA NetUI tags with Apache Beehive tags check box (if desired) and click Finish.
After the upgrade finishes, verify that the following actions occurred:

The p13n-ejb.jar file was removed from the EARContent directory of the UUP application.
The UUP EJB JAR file (for example, UUPExample.jar) exists in the EARContent directory of the UUP application.
The UUP EJB JAR file is referenced in a module entry in the application.xml file in the <UUPApplication>/EARContent/META-INF/ directory.
As an example, the cache entry below was added to the p13n-cache-config.xml file in the <UUPApplication>/EARContent/META-INF/ directory:

<p13n:cache>
     <p13n:name>UUPExampleCache</p13n:name>
     <p13n:description>Cache for UUP Example</p13n:description>
     <p13n:time-to-live>60000</p13n:time-to-live>
     <p13n:max-entries>100</p13n:max-entries>
</p13n:cache>

Verify that the User Profile file (for example, UUPExample.usr) file exists in the data/src/userprofiles/ directory (or where your Datasync folder exists).

Associate your UUP application with your WebLogic Server by selecting the server in the Servers tab, right-clicking the server, and choosing Add and Remove Projects. Select the UUP application from the Available Projects section, click Add, and then click Finish.
Build and publish your application. Verify the application by starting the WebLogic Server Administration Console and clicking Deployments. Verify that the UUP application is active. Then open the UUP application by expanding the tree and verifying that the UUP JAR file appears as an EJB.

For more information about upgrading other non-portal applications from WebLogic Portal 8.1, see the Upgrade Guide.

User Management Guide