6 Billing Care Postinstallation Tasks

Learn about postinstallation tasks, such as importing security policies into OPSS, that you perform after installing the Oracle Communications Billing Care software.

Postinstallation Tasks

After installing a Billing Care test or production installation, do the following on each domain host where Billing Care is deployed:

  1. If your BRM installation uses Oracle Analytics Publisher to view invoices, encrypt the Oracle Analytics Publisher credentials and add them to the Infranet.properties file on each domain host where Billing Care is deployed. See "Encrypting and Adding Oracle Analytics Publisher Connection Information in the Wallet".

  2. Adjust your BRM connection pool settings and enable logging in the Infranet.properties file for your Billing Care environment. You can customize the Billing Care connection pool settings by adding additional entries in the Billing Care Infranet.properties configuration file. See "Configuring Additional Settings in the Infranet.properties File".

    Note:

    During installation, the Billing Care installer copies the Billing Care Infranet.properties configuration file to the domain administrative user's home directory on each domain server where Billing Care is deployed. You can update the Infranet.properties file in this location.

    You can also copy the Infranet.properties file in the domain administrative user's home directory to the domain_home directory if required. In this case, the Infranet.properties file in the domain_home directory takes precedence over the Infranet.properties file in the domain administrative user's home directory.

For production installations, also do the following:

  1. Import the Billing Care OPSS Administration Server policy configuration. The Billing Care SDK includes a default policy configuration file that must be imported into your OPSS Administration Server.

  2. If you are using OUD, configure the Billing Care OPSS JRF-enabled domain to connect to the LDAP directory used by Oracle Identity Management (IDM) to store Billing Care users. See "Configuring OPSS JRF-Enabled Domain LDAP Server Connection".

  3. If you are using Security Assertion Markup Language (SAML) for single sign-on (SSO), configure SAML. See "Configuring SAML 2.0 for SSO Using a Service Provider".

About Encryption

Encrypting your BRM and Oracle Analytics Publisher passwords and using SSL increases the security of your Billing Care deployment. See "Billing Care Security" in BRM Security Guide for more information about securing your Billing Care environment.

Encrypting and Adding Oracle Analytics Publisher Connection Information in the Wallet

You must configure the connection details for your Oracle Analytics Publisher server in each domain server hosting a Billing Care deployment, if Oracle Analytics Publisher is used in your environment.

Note:

The Billing Care application supports multiple BRM servers. When a user logs in to the Billing Care application, the application uses the Billing Care wallet and the Infranet.properties file from the available BRM servers.

To encrypt your Oracle Analytics Publisher password and store connection credentials in the Billing Care wallet:

  1. Log in to your domain server using a secure shell or console terminal session.

  2. Use the WebLogic Server encrypt Java utility to encrypt your Oracle Analytics Publisher user's password.

    See "encrypt" in Command Reference for Oracle WebLogic Server for information about encrypting passwords.

  3. Store the information listed in Table 6-1 in the Billing Care wallet.

    See "Storing Configuration Entries in the Billing Care Wallet" in BRM Security Guide for more information.

    Table 6-1 Oracle Analytics Publisher Connection Information

    | Field | Description |
    |---|---|
    | BIP_USERID | Oracle Analytics Publisher user with web access |
    | BIP_PASSWORD | Encrypted Oracle Analytics Publisher user's password |
    | BIP_URL | URL address to access the Oracle Analytics Publisher instance |

  4. For production installations, if not already done, enable SSL for the OPSS JRF-enabled domain where Billing Care is deployed.

  5. Restart the domain where Billing Care is deployed.

Configuring Additional Settings in the Infranet.properties File

Billing Care uses the default connection pool settings for your BRM instance. You can customize Billing Care connection pool settings by adding additional entries in the Billing Care Infranet.properties configuration file. You can also enable logging by adding optional entries or changing the BRM connection details in the Billing Care Infranet.properties file.

Note:

You can update the BRM connection details in the Billing Care Infranet.properties file or in the Billing Care wallet. However, it is recommended to update sensitive information (such as BRM user password) only by using the Billing Care wallet.

See "About Connection Pooling" in BRM System Administrator's Guide for more information about changing the default connection pool.

See "Optional Entries in the Infranet.properties File" in BRM Developer's Guide for more information about enabling logging for Billing Care connections to BRM.

Importing the Billing Care Security Policies to OPSS

The Billing Care SDK includes the system-jazn-data.xml file, which contains default policies, resource types, resources, and actions. You must import this file into your OPSS Administration Server to set up the initial Billing Care OPSS configuration.

The system-jazn-data.xml file is located in the Middleware_home/BillingCare_SDK/reference/AuthorizationDataModel directory created during the Billing Care SDK installation, where Middleware_home is the WebLogic Middleware home directory containing the OPSS JRF-enabled domain on which Billing Care is deployed.

To migrate the system-jazn-data.xml file into your OPSS Administration Server:

  1. Open a secure shell or terminal session on the server where you installed the Billing Care SDK.

  2. Go to the Middleware_home/BillingCare_SDK/reference/AuthorizationDataModel directory.

  3. Open the jps-config.xml file and modify the following parameters:

    • sourceContext. Specify the location of the system-jazn-data.xml file, which contains the policies to be migrated to the database. The system-jazn-data.xml file is in the same location as the jps-config.xml file.

      <serviceInstance name="src.xml" provider="policystore.xml.provider" location="location of the system-jazn-data.xml file">
         <description>File-Based Policy Store Service Instance</description>
      </serviceInstance>

    • destinationContext. Enter the credentials for the Oracle Platform Security Services (OPSS) database schema.

      Note:

      Add the property entries listed under the SSL comments in the following example if you enabled one-way or two-way SSL authentication for connections with the OPSS database schema.

      <serviceInstance name="policystore.db.destination" provider="policystore.provider">
         <description>DB Based Policy Store Service Instance</description>
         <property name="policystore.type" value="DB_ORACLE"/>
         <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
         <property name="security.principal" value="OPSS_SchemaName"/>
         <property name="security.credential" value="OPSS_SchemaPassword"/>
         <property name="oracle.security.jps.ldap.root.name" value="cn=opssroot"/>
         <property name="oracle.security.jps.farm.name" value="cn=opssSecurityStore"/>
      
         <!--Add this property if SSL is NOT enabled for connections with the OPSS database schema-->
         <property name="jdbc.url" value="jdbc:oracle:thin:@dbhost:dbport:SID"/>
      
         <!--Add the following properties for both one-way and two-way SSL authentication-->
         <property name="javax.net.ssl.trustStore" value="walletFileNameAndPath"/>
         <property name="javax.net.ssl.trustStoreType" value="SSO_or_PKCS12"/>
         <property name="javax.net.ssl.trustStorePassword" value="passwordForPKCS12_Only"/>
         <property name="security.providers.3" value="oracle.security.pki.OraclePKIProvider"/>
         <property name="jdbc.url" value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbhost)(PORT=dbport))(CONNECT_DATA=(SERVICE_NAME=SID)))"/>
      
         <!--Also add the following properties for two-way SSL authentication-->
         <property name="javax.net.ssl.keyStore" value="walletFileNameAndPath"/>
         <property name="javax.net.ssl.keyStoreType" value="SSO_or_PKCS12"/>
         <property name="javax.net.ssl.keyStorePassword" value="passwordForPKCS12_Only"/>
      </serviceInstance>

    • jpsContext. Specify the source context and the destination context.

      <jpsContext name="sourceContext">
         <serviceInstanceRef ref="src.xml"/>
      </jpsContext>
      <jpsContext name="destinationContext">
         <serviceInstanceRef ref="policystore.db.destination"/>
      </jpsContext>

  4. Save the file.

  5. Run the migrateSecurityStore utility to migrate the Billing Care policy into your OPSS Administration Server.

  6. Restart the OPSS JRF-enabled domain.

See Oracle Fusion Middleware Administrator's Guide for detailed information on how to import the Billing Care system-jazn-data.xml file into your OPSS Administration Server.

Configuring OPSS JRF-Enabled Domain LDAP Server Connection

If you are using OUD or third-party LDAP directory server products, each OPSS JRF-enabled domain must be configured with connection details to OUD, as the LDAP identity store, in the jps-config.xml file so that Billing Care can retrieve users from the directory.

Note:

Additional LDAP servers, including Oracle Internet Directory and third-party LDAP directory server products, can be configured for use with Billing Care using the process described below. See "Configuring the Identity Store" in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services Guide for more information on using other LDAP servers.

To configure Billing Care's connection to OUD, on each OPSS JRF-enabled domain server where Billing Care is deployed:

  1. Open a secure shell or terminal session on the server where the OPSS JRF-enabled domain is located.

  2. Go to the Domain_home/config/fmwconfig directory, which contains the jps-config.xml file.

  3. In the <serviceInstances> section of the jps-config.xml file, add the following identity store service entry containing your OUD server connection information.

    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
       <description>LDAP Identity Store Service Instance</description>
       <property name="idstore.type" value="IPLANET"/>
       <property name="subscriber.name" value="subscriber.name"/>            
       <property name="cleartext.ldap.credentials" value="ldap_credentials"/>
       <property name="ldap.url" value="ldap:ldap_url:port"/>
    </serviceInstance>

    where:

    • idstore.ldap is the name of your LDAP authenticator.

    • subscriber.name includes the LDAP domain components for Billing Care users. For example:

      dc=billingcare, dc=com

    • ldap_credentials is an authentication string in clear text containing the required principal and password for accessing the LDAP server. For example:

      cn=Directory Manager,cn=Root DNs,cn=config:password

      where password is a valid credential for the common name user accessing the LDAP server.

    • ldap_url:port is the LDAP server URL and port number.

  4. In the <jpsContext name="default"> section of the jps-config.xml file, add the following entry to reference the identity store instance configured in the previous step:

    <serviceInstanceRef ref="idstore.ldap"/>

    where idstore.ldap is the serviceInstance name you configured in the step above.

  5. Save the file.
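
A pre-flight check for the two jps-config.xml edits described above (the policy-migration file and the domain's identity store entry), as an added example that is not Oracle's code. It relies only on the element and property names shown on this page; the sample document, host names and ports are constructed.

```python
import xml.etree.ElementTree as ET

# Properties from this page's examples whose values are secrets kept in the file.
SECRET_PROPS = {"security.credential", "cleartext.ldap.credentials",
                "javax.net.ssl.trustStorePassword", "javax.net.ssl.keyStorePassword"}

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def lint_jps_config(xml_text):
    """Return a list of findings (strings) for one jps-config.xml document."""
    root = ET.fromstring(xml_text)
    findings, instances = [], {}
    for el in root.iter():
        if local(el.tag) == "serviceInstance":
            instances[el.get("name")] = [(p.get("name"), p.get("value", ""))
                                         for p in el if local(p.tag) == "property"]
    # Every serviceInstanceRef inside a jpsContext must name a defined instance.
    for ctx in root.iter():
        if local(ctx.tag) != "jpsContext":
            continue
        for ref in ctx:
            if local(ref.tag) == "serviceInstanceRef" and ref.get("ref") not in instances:
                findings.append(f"{ctx.get('name')}: unresolved ref {ref.get('ref')}")
    for name, props in instances.items():
        names = {n for n, _ in props}
        urls = [v for n, v in props if n == "jdbc.url"]
        if len(urls) > 1:  # the template lists a non-SSL and an SSL URL; keep one
            findings.append(f"{name}: {len(urls)} jdbc.url entries")
        if any("PROTOCOL=tcps" in u for u in urls) and "javax.net.ssl.trustStore" not in names:
            findings.append(f"{name}: tcps jdbc.url without javax.net.ssl.trustStore")
        for n, v in props:
            if n == "ldap.url" and not v.lower().startswith("ldaps:"):
                findings.append(f"{name}: ldap.url is not ldaps")
            if n in SECRET_PROPS:  # readable by anyone who can read the file
                findings.append(f"{name}: secret in file ({n})")
    return findings

# Constructed sample (not a real configuration): both jdbc.url variants were
# left in place, and the default context references an instance never defined.
SAMPLE = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="policystore.db.destination" provider="policystore.provider">
      <property name="security.credential" value="example-only"/>
      <property name="jdbc.url" value="jdbc:oracle:thin:@dbhost:1521:SID"/>
      <property name="jdbc.url" value="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=dbhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SID)))"/>
    </serviceInstance>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="cleartext.ldap.credentials" value="cn=example:example-only"/>
      <property name="ldap.url" value="ldap://ldap.example.com:1389"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts>
    <jpsContext name="destinationContext"><serviceInstanceRef ref="policystore.db.destination"/></jpsContext>
    <jpsContext name="default"><serviceInstanceRef ref="idstore.ldap.typo"/></jpsContext>
  </jpsContexts>
</jpsConfig>"""

if __name__ == "__main__":
    print("\n".join(lint_jps_config(SAMPLE)))
```

Each "secret in file" finding marks a jps-config.xml whose file permissions should limit reads to the domain administrative user.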

Enabling Logging and Configuring the WebLogic Server Deployment

Billing Care writes log messages using the Java Logging API. See Oracle Fusion Middleware Configuring Log Files and Filtering Log Messages for Oracle WebLogic Server for more information about enabling Billing Care logging.

Since Billing Care is a web application that is deployed on WebLogic Server, refer to the WebLogic Server documentation for information about overriding timeouts, cookie attributes, and so on. See "web.xml Deployment Descriptor Elements" and "weblogic.xml Deployment Descriptor Elements" in Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server for more information about these configurations.

Configuring SAML 2.0 for SSO Using a Service Provider

You can use SAML 2.0 for enabling SSO in Billing Care. SSO allows you to log in to applications using a single user name and password combination.

You can configure SAML authentication in a Billing Care domain using an Oracle Access Management service provider or an Oracle Identity Cloud Service (IDCS) service provider.

To configure SAML for SSO:

  1. Create a SAML2 assertion provider. See "Creating a SAML2 Assertion Provider".

  2. Create a SAML2 web single sign-on identity provider partner. See "Creating a SAML2 Web Single Sign-On Identity Provider Partner".

  3. Create a SAML2 authenticator. See "Creating a SAML2 Authenticator".

  4. Configure SAML2 on the administration server. See "Configuring SAML2 on the Administration Server".

  5. Configure an SP metadata.xml file for the identity provider. See "Configuring the SP metadata.xml file for the Identity Provider".

  6. Create a SAML2 application in IDCS or Oracle Access Management.

  7. Update your deployment plan to define the cookie name and path. See "Updating the Deployment Plan of Billing Care".

  8. In your Billing Care Infranet.properties file, set the SSO_SIGNOUT_URL parameter:

    SSO_SIGNOUT_URL= IDP's Single logout URL

Creating a SAML2 Assertion Provider

To create a SAML2 assertion provider:

  1. Log in to WebLogic Server Remote Console.

  2. Click Edit Tree, then Security, and then Realms.

    The Summary of Security Realms page appears.

  3. Click the myrealm link.

    The myrealm configuration page appears.

  4. Click Authentication Providers in the tree on the left side.

    A page with an Authentication Providers table appears.

  5. Click New.

    The Create a New Authentication Provider page appears.

  6. In the Name field, enter samlBCAsserter.

  7. From the Type list, select SAML2IdentityAsserter.

  8. Click Create.

  9. Restart WebLogic Server.

Creating a SAML2 Web Single Sign-On Identity Provider Partner

To create a SAML2 web single sign-on identity provider partner:

  1. Log in to WebLogic Server Remote Console.

  2. Click Security Data Tree and then Realms.

    The Summary of Security Realms page appears.

  3. Click the myrealm link.

    The myrealm configuration page appears.

  4. Click Authentication Providers in the tree on the left side.

    A page with an Authentication Providers table appears.

  5. In the table, select samlBCAsserter.

    The configuration page for samlBCAsserter appears.

  6. Click Partners in the tree on the left side.

  7. Click New.

    The Create a new Identity Provider Partner page appears.

  8. In the Name field, enter WebSSO-IdP-Partner-0.

  9. From the Type list, select Web Single Sign-On Identity Partner.

  10. In the Meta Data File Name field, enter the name and the path to the XML file that contains the identity provider’s metadata.

  11. Click Create.

  12. Click WebSSO-IdP-Partner-0 in the tree on the left side.

  13. Click the General tab.

  14. In the General tab, turn on Enabled, Virtual User, and Process Attributes.

  15. In the Redirect URIs field, enter /bc/*.

  16. Click Save.

Creating a SAML2 Authenticator

To create a SAML2 authenticator:

  1. Log in to WebLogic Server Remote Console.

  2. Click Edit Tree, then Security, and then Realms.

    The Summary of Security Realms page appears.

  3. Click the myrealm link.

    The myrealm configuration page appears.

  4. Click Authentication Providers in the tree on the left side.

    A page with an Authentication Providers table appears.

  5. Click New.

  6. In the Name field, enter samlBCAuthenticator.

  7. From the Type list, select SAMLAuthenticator.

  8. From the Control Flag list, select SUFFICIENT.

  9. Click Create.

  10. In the Authentication Provider table, arrange the providers in the following order using the Move Down and Move Up buttons.

    • Trust Service Identity Asserter

    • samlBCAuthenticator

    • samlBCAsserter

    • DefaultAuthenticator

    • DefaultIdentityAsserter

  11. Restart WebLogic Server.

Configuring SAML2 on the Administration Server

To configure SAML 2.0 on the Administration Server:

  1. Log in to WebLogic Server Remote Console.

  2. Click Edit Tree, then Environment, and then Servers.

    The Summary of Servers page appears.

  3. In the Servers table, click the administration server.

    A page containing settings for the administration server appears.

  4. Click the Security subtab, and then the SAML 2.0 General subtab.

  5. In the Published Site URL field, enter http://BillingCare_hostname:port/saml2.

    where:

    • BillingCare_hostname is either the Billing Care application host name or the load balancer host name.

    • port is the port on which Billing Care is listening.

  6. In the Entity ID field, enter samlBCAsserter.

  7. Click Save.

  8. Click the SAML 2.0 Service Provider subtab.

  9. Turn on Enabled.

  10. Turn on POST Binding Enabled.

  11. From the Preferred Binding list, select HTTP/POST.

  12. In the Default URL field, enter http://BillingCare_hostname:port/bc/login.html.

    where:

    • BillingCare_hostname is the Billing Care application host name or load balancer name.

    • port is the port on which Billing Care is listening.

  13. Click Save.

  14. Restart WebLogic Server.

Configuring the SP metadata.xml file for the Identity Provider

To configure the SP metadata.xml file for the identity provider:

  1. Log in to WebLogic Server Remote Console.

  2. Click Monitoring Tree, then Environment, and then Servers.

    The Summary of Servers page appears.

  3. In the Servers table, click the administration server.

    A page containing settings for the administration server appears.

  4. Click the SAML 2.0 subtab.

  5. Click Publish metadata.

  6. In the File Name field, enter the full path and the name of the file.

  7. Click Done.
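
To confirm that the published file matches the values entered in "Configuring SAML2 on the Administration Server", the following added example (not part of the Oracle documentation) reads a SAML 2.0 SP metadata file and compares it with the entity ID, Published Site URL and POST binding from this page. The sample metadata, host names and endpoint paths are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def check_sp_metadata(xml_text, entity_id, published_site_url):
    """Compare published SP metadata with the values set in the console."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return ["root element is not a SAML 2.0 EntityDescriptor"]
    findings = []
    if root.get("entityID") != entity_id:
        findings.append(f"entityID is {root.get('entityID')!r}, expected {entity_id!r}")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        return findings + ["no SPSSODescriptor element"]
    endpoints = sp.findall(MD + "AssertionConsumerService")
    if not any(e.get("Binding") == POST_BINDING for e in endpoints):
        findings.append("no HTTP-POST AssertionConsumerService endpoint")
    prefix = published_site_url.rstrip("/") + "/"
    for e in endpoints:
        location = e.get("Location", "")
        # The identity provider sends the browser to this URL with the assertion.
        if not location.startswith(prefix):
            findings.append(f"endpoint outside Published Site URL: {location}")
        if urlsplit(location).scheme != "https":
            findings.append(f"endpoint not served over https: {location}")
    return findings

# Constructed sample: the second endpoint points at a different host than the
# Published Site URL, as happens when a load balancer name is used inconsistently.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="samlBCAsserter">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://bc.example.com:7001/saml2/sp/acs/post"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://lb.example.net:7001/saml2/sp/acs/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    site = "http://bc.example.com:7001/saml2"
    print("\n".join(check_sp_metadata(SAMPLE, "samlBCAsserter", site)))
```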

Updating the Deployment Plan of Billing Care

To update the deployment plan:

  1. Merge the following contents with your existing Billing Care deployment plan:

    <?xml version='1.0' encoding='UTF-8'?>
    <deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan
    http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd"
    global-variables="false">
       <application-name>BillingCare.war</application-name>
       <variable-definition> 
          <variable>
             <name>cookie-name</name>
             <value>JSESSIONID</value>
          </variable>
          <variable>            
             <name>cookie-path</name>            
             <value>/bc</value>         
          </variable>
       </variable-definition>
       <module-override>
          <module-name>BillingCare.war</module-name>
          <module-type>war</module-type>
          <module-descriptor external="true">
             <root-element>weblogic-web-app</root-element>
             <uri>WEB-INF/weblogic.xml</uri>
             <variable-assignment>
                <name>cookie-name</name>
                <xpath>/weblogic-web-app/session-descriptor/cookie-name</xpath>
                <operation>replace</operation>
             </variable-assignment>
             <variable-assignment>
                <name>cookie-path</name>
                <xpath>/weblogic-web-app/session-descriptor/cookie-path</xpath>
                <operation>remove</operation>
             </variable-assignment>
          </module-descriptor>
       </module-override>
    </deployment-plan>

  2. Log in to WebLogic Server Remote Console.

  3. Click Monitoring Tree, then Deployments, and then Application Management.

    A page with a list of installed Java EE applications and standalone application modules appears.

  4. In the table, select bc#1.0.

  5. Click Update/Redeploy and do one of the following:

    • If your updated deployment plan is located on the server containing WebLogic Server, select Update Deployment Plan on Server and enter the location of the file in the Plan Path field.

    • If your updated deployment plan is located on your local machine, select Update Deployment Plan on Local Machine and click Choose File to browse to the file or enter the file name in the Plan field.

  6. Click Done.