1. Administering Oracle User Messaging Service
  2. Configuring Oracle User Messaging Service

4 Configuring Oracle User Messaging Service

This chapter describes how to configure and secure Oracle User Messaging Server (UMS) in your environment.
  • Accessing User Messaging Service Configuration Pages
    You can configure UMS through Oracle Enterprise Manager Fusion Middleware Control.
  • Configuring User Messaging Server
    UMS is deployed as one enterprise archive for the server and one enterprise archive per driver type. The configuration can be defined at the managed server level or cluster level, where cluster level overrides domain level. It is possible to configure the server and drivers using WebLogic Scripting Tool (WLST) and Enterprise Manager (EM).
  • Configuring User Messaging Service Drivers
    UMS supports multiple configurations. This means that, one deployed driver instance can handle more than one configuration. This makes it possible to have one instance of a particular driver configured differently in a domain without having to deploy several instances of that driver. All the drivers support multiple configuration.
  • Configuring User Messaging Service Access to the LDAP User Profile
    As part of the LDAP provider setup in a UMS deployment, you configure the User Name Attribute through the WebLogic Remote Console. If you configure that attribute with a value other than the default cn or if the user's email address is stored in an LDAP attribute which is different from mail, you must make an additional configuration change in Oracle Platform Security Services (OPSS) for UMS to successfully access the user profile to obtain the list of communication channels provisioned in LDAP, such as business email.
  • Using Oracle User Messaging Service for Group Messaging
    In addition to supporting bi-directional mutli-channel messaging through a variety of channels, UMS supports group messaging. This feature includes sending a message to a group of users by sending it to a group URI, or sending a message to LDAP groups (or enterprise roles) and application roles.
  • Configuring Automatic Message Resend
    In 14c, the automatic resend feature can be configured to automate the administrator's resend. This means that when a message send attempt is classified as a complete failure, then the message is automatically scheduled for resend.
  • Securing the Oracle User Messaging Service
    The User Communications Preferences User Interface can be secured at the transport-level using Secure Sockets Layer (SSL). By default, all deployed web services are unsecured. Web Service Security should be enabled for any services that are deployed in a production environment.

Accessing User Messaging Service Configuration Pages

You can configure UMS through Oracle Enterprise Manager Fusion Middleware Control.

For more information, see Administering Oracle Fusion Middleware with Fusion Middleware Control.

Alternatively, you can also use WebLogic Scripting Tool (WLST) to configure UMS. For more information, see WLST Command Reference for Infrastructure Components.

Parent topic: Configuring Oracle User Messaging Service

Configuring User Messaging Server

UMS is deployed as one enterprise archive for the server and one enterprise archive per driver type. The configuration can be defined at the managed server level or cluster level, where cluster level overrides domain level. It is possible to configure the server and drivers using WebLogic Scripting Tool (WLST) and Enterprise Manager (EM).

If the User Messaging Server configuration is defined at the cluster level, then the cluster name along with all the following properties must be specified.

Table 4-1 Properties for Configuring User Messaging Server

Name Description Mandatory

AppReceivingQueuesInfo

The default set of queues from which the application will dequeue received messages.

Y

DuplicateMessageRetryDelay

The delay period for deferring processing of a possible duplicate message.

Y

EngineCommandQueuesInfo

The set of queues from which the engine will dequeue command messages sent by other messaging components.

Y

EnginePendingReceiveQueueInfo

The queue from which the engine will dequeue pending messages. The format for this value is JNDIQueueConnectionFactoryName:JNDIQueueName.

Y

EngineReceivingQueuesInfo

The set of queues from which the engine will dequeue received messages.

Y

EngineSendingQueuesInfo

 The set of queues from which the engine will dequeue sent messages.

Y

JpsContextName

The name of the Java Platform Security (JPS) context to use when getting an Identity Store Service instance. Empty value leads to default JPS context.

Y

ReceivedmessageStatusEnabled

Enable received message status reporting - if false, client library does not return delivery status to engine.

Y

ResendDefault

The default number of automatic resends upon delivery failure. You can override this property programmatically on a per message basis. The upper limit is the value specified in the configuration parameter ResendMax.

Y

ResendDelay

The delay in seconds between automatic resends.

Y

ResendMax

The max number of automatic resends upon delivery failure.

Y

SecurityPrincipal

The default system user used.

Y

SessionTimeout

The duration to wait before a session timeout when the session flag is set by a Driver or Messaging Client Application.

Y

SupportedDeliveryTypes

The set of delivery types supported by this server.

Y

Parent topic: Configuring Oracle User Messaging Service

Configuring User Messaging Service Drivers

UMS supports multiple configurations. This means that, one deployed driver instance can handle more than one configuration. This makes it possible to have one instance of a particular driver configured differently in a domain without having to deploy several instances of that driver. All the drivers support multiple configuration.

You can create multiple configurations of a single deployment of the drivers using a unique name at each configuration. Though possible, it is recommended not to use the same configuration name while creating multiple configurations for a particular driver instance, as this may lead to unintended results.

Since UMS can be deployed in a cluster or a server, the configuration of drivers can be done at the cluster or server level. It is recommended that the configuration be done at the same level as that of the deployment. However, exceptional scenarios might justify creating configuration at a level different from that of the deployment level.

You can configure UMS drivers by using Oracle Enterprise Manager Fusion Middleware Control. Alternatively, you can configure the UMS drivers by using the WLST command configUserMessagingDriver. For more information about this command, see WLST Command Reference for Infrastructure Components.

Note:

UMS drivers can be configured at the cluster level or server level. For more information, see Configuring User Messaging Server to ensure that you select the appropriate configuration level.

Parent topic: Configuring Oracle User Messaging Service

Configuring a Driver

You can navigate to the driver configuration page from any one of the following:

  • Associated Drivers table on the User Messaging Service home page

  • Driver Properties menu for the driver target in the Target Navigation pane

  • Driver Properties menu on the User Messaging Service home page

To configure a driver, perform the following tasks:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control as an administrator.

  2. Navigate to the User Messaging Service home page.

  3. Click usermessagingserver(AdminServer). The Associated Drivers page appears.

  4. Select the Local tab to access the drivers collocated with the UMS server instance. These drivers may or may not be registered with the UMS server depending on whether they are properly configured. The ALL tab lists all drivers that are deployed in the domain and registered to all the UMS server instances.

  5. Choose a driver from the list, and click the corresponding Configure Driver icon.

    The configuration page that lists all the configurations applied to this driver deployment will be displayed, and the administrator can create, edit, or delete a configuration. User Messaging drivers are configured differently in the following scenarios:

    1. For the email driver (only email driver supports multiple configuration in 12.1.3), the configuration depends on whether the driver is deployed in a clustered or a non-clustered environment.

      • If the driver is deployed in a cluster, for instance a_ums_cluster, then all the email configurations for cluster a_ums_cluster and also for the whole domain will be listed. The cluster-level configuration will override the domain-level configuration, if they have the same configuration name.

      • For a driver deployed in a non-clustered managed server, the configuration will be at the server level.

    For information about support for multiple configuration, and the relationship between cluster level and domain level configuration, refer to Configuring User Messaging Server and Configuring User Messaging Service Drivers.

  6. Click Create, or select a driver configuration from the list and click Edit. The Driver Properties page appears. You can create a new configuration or update the existing one.

  7. If needed, expand the Driver-Specific Configuration section and configure the driver parameters. For more information, see Introduction to Driver Properties.

  8. To validate if the configuration properties are in correct format and valid in the deployment environment, you can 'test' the driver configuration parameters that you have entered. Click the Test button on the page. Click OK to continue.

    Note:

    Even if the testing does not succeed, you can still save the configuration.

Parent topic: Configuring User Messaging Service Drivers

Introduction to Driver Properties

UMS drivers share common properties (listed in Table 4-2) that are used by the Messaging Engine when routing outbound messages.

Table 4-2 Common Driver Properties

Name Description Mandatory Property
Capability Sets the driver's capability to send or receive messages. The values are SEND, RECEIVE, and BOTH. Yes
Cost Only used for driver configuration selection between multiple driver configurations of the same type, and only when required by the client application, The cost level of the driver (from 0 - 10). 0 is least expensive; 10 is most expensive. If the value is not in this range, cost is considered to be 0. No
DefaultSenderAddress If the UMS Message has no Sender Address of the specific DeliveryType that the driver supports, then the driver may use the DefaultSenderAddress as the Sender Address. The sample DefaultSenderAddress is EMAIL:alice@example.com. No
SenderAddresses The list of sender addresses that the driver is configured to handle. A driver with specified SenderAdresses will be selected only for an outgoing message that has a matching Sender Address. A driver that has not specified any SenderAdresses is considered to be able to handle any outgoing message regardless of the Sender Address of the message. The list should consist of UMS addresses separated by comma, for example EMAIL:alice@example.com or EMAIL:alice@example.com,EMAIL:bob@example.com. The matching is case insensitive. No
Speed Only used for driver configuration selection between multiple driver configurations of the same type, and only when required by the client application. The speed level of the driver (from 0-10, with 10 being the fastest). No
SupportedCarriers A comma-delimited list of supported carriers. No
Configuration Level Enables driver configuration at the server level or at the cluster level. If Server level is selected, then the server name must be specified. If Cluster level is selected, then the cluster name must be specified. Yes
SupportedContentTypes The content type supported by the driver. Yes
SupportedDeliveryTypes The delivery types supported by the driver. Yes
SupportedProtocols A comma-delimited list of supported protocols. No
SupportedStatusTypes The status types supported by the driver. No
Supported Application Names The application name supported by the driver. No

Parent topic: Configuring a Driver

Securing Passwords

Sensitive driver properties (namely, passwords) can be stored securely in the credential store using Oracle Enterprise Manager Fusion Middleware Control. Properties are marked with the flag Encoded Credential and have a custom entry form field.

To store a sensitive driver property securely, perform the following tasks:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control, and navigate to the driver configuration page of the selected driver.

    The configuration page that lists all the configurations applied to this driver deployment will be displayed, and the administrator can create, edit, or delete a configuration.

  2. Click Create to create a new configuration or select a configuration and click Edit to edit an existing configuration.

    The Driver properties page appears.

  3. In the Driver-Specific Configuration table, locate the properties with the Encoded Credential flag set.

  4. Select the credential type from the Type of Password drop-down list in the adjoining Value column.

  5. Depending on the selected credential type, you are prompted to enter the username and/or password. There are the following three options:

    • Indirect password, create new user (default option): specify the username and real password; the password is stored in the credential store with the username as part of the key. The key and a fixed folder (map name) are stored in the driver deployment's file.

    • Indirect password, use existing user: choose an existing indirect username/key in the credential store (to reference the password you stored previously).

    • User a clear text password: specify the password, and it is stored directly in the driver deployment file.

  6. Click OK to save changes.

  7. Restart the driver application or the container for the changes to take effect.

You can check the password in the driver deployment directory's file. For an indirect password, the format is:

value="->mapName:keyName"    (mapName can be any name of the user's choice, and the key is <parameter_name>.<username>)

Parent topic: Configuring a Driver

Saving Driver Properties

You can save the driver properties in the UMS database.

When the UMS driver appears, the properties stored in the DRIVERPROPERTIES table for specific fields override the values in the file and the driver instance uses those property values from the database to process requests. Given below are the driver property details:

  • Table Name - DRIVERPROPERTIES

  • Columns - DRIVERNAME, PROPERTYNAME, and PROPERTYVALUE

The following MBean is used to save driver properties in the UMS database:

MBean Name

oracle.ucs.messaging:Location=ESS_SOAServer_1,name=UserPrefsAdministration,type=SDPMessagingRuntime ( Note: Any other instance of SOA server can be used to invoke this mbean than ESS_SOAServer_1)

Operation Name

saveDriverProperties

Parameters

  • P1 - driverName
  • P2 - propertyName
  • P3 - propertyValue

Example


mBean = ObjectName("oracle.ucs.messaging:Location=ESS_SOAServer_1,name=UserPrefsAdministration,type=SDPMessagingRuntime")           
set_param = ['usermessagingdriver-apns-HCM', 'Alias', 'apns-prod-server-hcm-12122023']
set_type = ["java.lang.String", "java.lang.String", "java.lang.String"]
mbs.invoke(mBean, "saveDriverProperties", set_param, set_type)

Parent topic: Configuring a Driver

Configuring the Messaging Extension Driver

The extension driver extends the messaging capability of UMS by enabling support for arbitrary administrator-defined channels (protocols) and delivering the notifications for such channels to an administrator-defined web service listener endpoint.

Note:

An instance of this driver is deployed, but not targeted to any servers in the default. To enable this driver instance, it must be targeted to the appropriate servers where UMS (usermessagingserver) is running.
Common Properties

These are common driver properties that are indicative of the capabilities of this driver for use by the messaging engine when routing outbound messages. Some properties are set by the driver developer and do not normally require modification, while others can be modified by the administrator to change the routing behavior. Table 4-3 lists the common properties of the Extension driver. For detailed description of these properties, refer to Table 4-2. For the complete list of available values, see User Messaging Service Java API Reference.

Table 4-3 Extension Driver Common Properties

Name Mandatory Default Value

InstanceName

Yes

Extension-Driver

Capability

Yes

SEND

SupportedDeliveryTypes

Yes

URI

SupportedContentTypes

Yes

text/plain, text/html, text/xml

SupportedStatusTypes

No

DELIVERY_TO_GATEWAY_SUCCESS, DELIVERY_TO_GATEWAY_FAILURE

Cost

No

Speed

No

SupportedCarriers

No

Configuration Level

Yes

Server/Cluster

SupportedProtocols

No

popup

SenderAddresses

No

DefaultSenderAddress

No

Supported Application Names

No

Empty
Custom Properties

Table 4-3 lists properties specific to this driver and generally associated with configuring a remote endpoint at which to deliver extension notifications:

Table 4-4 Extension Driver Custom Properties

Name Description Mandatory

Group Name

The name of this extension endpoint configuration group.

Yes

Endpoint URL

Remote endpoint listener URL.

Yes

Mapped Domain

The extension endpoint used to deliver messages where the domain part of the recipient URI matches this value.

No

Protocol

The extension endpoint used to deliver messages where the protocol (scheme) part of the recipient URI matches this value.

Yes

Security Policies

Comma-separated list of WS-Security policies to apply to this endpoint.

No

Username

Username to propagate through WS-Security headers.

No

Keystore Alias

Keystore alias to use for looking up WS-Security policy public keys.

No

Credential Store Key

Key to use for looking up the WS-Security username and password from the Oracle Web Services Management credential store map.

No
Extension Driver Security

If the remote extension endpoint is secured using WS-Security, then additional configuration of the extension driver is required. There are two typical WS-Security configurations that are supported. The extension driver can either use SAML tokens or username tokens.

To use extension driver security:

  1. To use SAML tokens, the Security Policies configuration property should contain value oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy, and the Keystore Alias configuration property should contain a valid alias for keystore entries that is accepted by the remote extension endpoint.

  2. To use username tokens, the Security Policies configuration property should contain value oracle/wss11_username_token_with_message_protection_client_policy, and the Credential Store Key configuration property should contain a valid alias for a credential store entry that is accepted by the remote extension endpoint.

For more details about using WS-Security policies and configuring OWSM, see Oracle Fusion Middleware Administering Web Services.

Configuring the Email Driver

The email driver both sends and receives messages (that is, its capability property is set to both by default). The email driver sends messages over SMTP and uses either IMAP or POP3 for receiving messages.

Common Properties

Table 4-5 lists common driver properties that are indicative of the capabilities of this driver for use by the messaging engine when routing outbound messages. Some properties are set by the driver developer and do not normally require modification, while others can be modified by the administrator to change the routing behavior. For detailed description of these properties, refer to Table 4-5. For the complete list of available values, see User Messaging Service Java API Reference.

Table 4-5 Common Email Properties

Name Mandatory Default Value

InstanceName

Yes

Email-Driver

Capability

Yes

Both

SupportedDeliveryTypes

Yes

Email

SupportedContentTypes

Yes

text/plain, text/html, multipart/mixed, multipart/alternative, multipart/related

SupportedStatusTypes

No

DELIVERY_TO_GATEWAY_SUCCESS, DELIVERY_TO_GATEWAY_FAILURE, USER_REPLY_ACKNOWLEDGEMENT_SUCCESS, USER_REPLY_ACKNOWLEDGEMENT_FAILURE

Cost

No

N/A

Speed

No

N/A

SupportedCarriers

No

N/A

Configuration Level

Yes

Server/Cluster

Supported Protocols

No

N/A

SenderAddresses

No

N/A

DefaultSenderAddress

No

N/A

Supported Application Names

No

Empty
Email Custom Properties

Table 4-6 lists properties specific to this driver and generally associated with configuring access to the remote gateway and certain protocol or channel-specific behavior.

Table 4-6 Custom Email Properties

Name Description Mandatory Default Value

MailAccessProtocol

Email receiving protocol. The possible values are IMAP and POP3. Required only if email receiving is supported on the driver instance.

No

IMAP

AutoDelete

This value indicates if the driver should mark the messages deleted after they have been processed. The default is Disabled. For the POP3 protocol, the messages are always deleted right after they are processed.

No

Disabled

Debug

This value indicates if the driver is running in Debug mode. When enabled, JavaMail prints out requests and responses between the email driver and the mail server to Fusion Middleware Control. The default is Disabled.

No

Disabled

CheckMailFreq

The frequency with which to retrieve messages from the mail server. The unit is in seconds and the default value is 30 seconds.

No

30

ReceiveFolder

The name of the folder from which the driver is polling messages. The default value is INBOX.

No

INBOX

OutgoingMailServer

The name of the SMTP server. This is mandatory only if email sending is required.

No

N/A

OutgoingMailServerPort

The port number of the SMTP server; typically 25.

No

25

OutgoingMailServerSecurity

The security setting used by the SMTP server. Possible values are None, TLS, and SSL. The default value is None.

No

None

OutgoingDefaultFromAddr

The default FROM address (if one is not provided in the outgoing message).

Note: The OutgoingDefaultFromAddr property is deprecated, use DefaultSenderAddress instead. For more details about the DefaultSenderAddress property, see Table 4-5 .

No

N/A

OutgoingUsername

The username used for SMTP authentication. Required only if SMTP authentication is supported by the SMTP server.

No

N/A

OutgoingPassword

The password used for SMTP authentication. This is required only if SMTP authentication is supported by the SMTP server. This includes Type of Password (choose from Indirect Password/Create New User, Indirect Password/Use Existing User, and Use Cleartext Password) and Password.

No

N/A

IncomingMailServer

The hostname of the incoming mail server. Required only if email receiving is supported on the driver instance.

No

N/A

IncomingMailServerPort

Port number of IMAP4 (that is, 143 or 993) or POP3 (that is, 110 or 995) server.

No

N/A

IncomingMailServerSSL

Indication to enable SSL when connecting to IMAP4 or POP3 server. The default is Disabled.

No

Disabled

IncomingMailIDs

The email addresses corresponding to the user names. Each email address is separated by a comma and must reside in the same position in the list as their corresponding user name appears on the usernames list. Required only if email receiving is supported on the driver instance.

No

N/A

IncomingUserIDs

The list of user names of the mail accounts from which the driver instance is polling. Each name must be separated by a comma, for example, foo,bar. This is required only if email receiving is supported on the driver instance.

No

N/A

IncomingUserPasswords

The list of passwords corresponding to the user names. Each password is separated by a comma and must reside in the same position in the list as their corresponding user name appears on the usernames list. This is required only if email receiving is supported on the driver instance. This includes Type of Password (choose from Indirect Password/Create New User, Indirect Password/Use Existing User, and Use Cleartext Password) and Password.

No

N/A

ProcessingChunkSize

The number of messages processed during each message polling. The default is 100.

No

100

Disconnect After Poll

Whether or not to disconnect from the email server after message poll. Effective only for IMAP, as POP3 always disconnects.

No

False

ImapAuthPlainDisable

Indication to disable or enable plain text authentication (AUTHENTICATE PLAIN command) for IMAP user authentication. The default is Disabled.

No

Disabled. When this property is disabled, that means that plain text is allowed.

Note:

Multiple Incoming Email IDs/User IDs/Passwords will be added through a popup dialog (import from a CSV file or add in table), so that hundreds of ID/Passwords can be added.

For information about saving driver properties, see Saving Driver Properties.

Parent topic: Common Properties

Configuring Email Driver with OAuth

OAuth 2.0 based authentication is provided for Gmail and Microsoft exchange. To configure the Email driver with OAuth, you must have a valid Gmail or Microsoft Exchange email account.

Configuring WebLogic

In environments where OAuth access token generation URLs or Gmail/MS secure IMAP or SMTP ports are inaccessible due to firewall or VPN configurations blocking them, you must update the configuration settings.

Table 4-7 WebLogic Configuration

Issue Workaround WebLogic Configuration Update
JavaMail connection to the secure ports of 993 and 587 fail due to firewall or network issues. Connecting/tunnelling through SOCKS proxy.

  • -Dmail.imaps.proxy.host=<Your SOCKS proxy server>

  • -Dmail.imaps.proxy.port=<Proxy server's port>

  • -Dmail.smtp.proxy.host=<Your SOCKS proxy server>

  • -Dmail.smtp.proxy.port=<Proxy server's port>
JavaMail SSL handshake with the IMAP/SMTP servers fail when connecting to secure ports due to certificate validation errors. Ignoring the certificates or disabling certificate validation.

  • -Dweblogic.security.SSL.ignoreHostnameVerification=true

  • -Dmail.imaps.ssl.trust=imap.gmail.com

  • -Dmail.smtp.ssl.trust=smtp.gmail.com

For MS OAuth, you must configure outlook.office365.com and smtp.office365.com.

Failure in connecting to the OAuth access token generation URLs as follows:

https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token

https://oauth2.googleapis.com/token

 Connecting/tunnelling through HTTP proxy.

  • -Dhttps.proxyHost=<Your https proxy>

  • -Dhttps.proxyPort=<https proxy port>
Updating Common Properties

You must update the usermessagingconfig.xml file with common properties.

Table 4-8 Common Properties

Property Name Value Procedure
ImapAuthUseOAuth2

True

Set the value to true to use OAuth for all IMAP mail accesses.
SMTPAuthUseOAuth2

True

Set the value to true to use OAuth for sending messages through SMTP.
OutgoingUsername

Your UMS OAuth mail ID for outgoing e-mails.

Enter your UMS OAuth mail ID. For example, umsoauth@gmail.com.

OutgoingPassword

<Empty>

Do not set the password, as the communication with servers take place using the OAuth access and refresh tokens.
IncomingMailIDs

Your UMS OAuth mail ID for incoming e-mails.

Enter your UMS OAuth mail ID. For example, umsoauth@gmail.com.

IncomingUserIDs

Your UMS OAuth mail ID for incoming e-mails.

Enter your UMS OAuth mail ID. For example, umsoauth@gmail.com.

IncomingUserPasswords

<Empty>

Do not set the password, as the communication with servers take place using the OAuth access and refresh tokens.

Example 4-1 Common Properties


<ns1:Property name="IncomingMailIDs" value="umsoauth@gmail.com"/>
<ns1:Property name="IncomingUserIDs" value="umsoauth@gmail.com"/>
<ns1:Property name="IncomingUserPasswords" value=" "/>
<ns1:Property name="OutgoingUsername" value="umsoauth@gmail.com"/>
<ns1:Property name="OutgoingPassword" value=""/>
<ns1:Property name="SMTPAuthUseOAuth2" value="true"/>
<ns1:Property name="ImapAuthUseOAuth2" value="true"/>
Enabling OAuth for Gmail Accounts

This section describes how to enable OAuth 2.0 based authentication for Gmail accounts and includes the following topics:

Prerequisites

You must perform the following prerequisite tasks:

  1. Ensure that you have a valid Gmail or Microsoft email account.
  2. Install Python.
Updating Configuration Properties

You must update the usermessagingconfig.xml file with configuration properties.

Table 4-9 Configuration Properties

Property Name Value Other Details
IncomingMailServer imap.gmail.com Gmail IMAP server
IncomingMailServerPort 993 Gmail’s IMAP port
IncomingMailServerSSL False Constant value
OutgoingMailServer smtp.gmail.com Gmail SMTP server
OutgoingMailServerPort 587 Use SMTP server’s port
OAuth2AccessTokenSupplierFactory oracle.sdpinternal.messaging. oauth.ums.google.UMSGmail AccessTokenSupplierFactory Constant value. Set this value whenever you are using gmail ID.
GoogleOAuthClientID <Cliend id of the form xxx-xxx.apps.googleusercontent.com> For more information about how to get the value, see Creating OAuth Client ID.
GoogleOAuthClientSecret Encoded secret value For more information about how to get the value, see Creating OAuth Client ID.
GoogleOAuthRefreshToken Encoded and valid refresh token For more information about how to get the value, see Generating Tokens.

Example 4-2 Configuration Properties

     
<ns1:Property name="IncomingMailServer" value="imap.gmail.com"/>     
<ns1:Property name="IncomingMailServerPort" value="993"/>     
<ns1:Property name="IncomingMailServerSSL" value="false"/>     
<ns1:Property name="OutgoingMailServer" value="smtp.gmail.com"/>     
<ns1:Property name="OutgoingMailServerPort" value="587"/>     
<ns1:Property name="OAuth2AccessTokenSupplierFactory"
value="oracle.sdpinternal.messaging.oauth.ums.google.UMSGmailAccessTokenSupplierFactory"/>     
<ns1:Property name="GoogleOAuthClientID" value="GoogleOAuthClientID.apps.googleusercontent.com"/>     
<ns1:Property name="GoogleOAuthClientSecret"
value="GoogleOAuthClientSecret"/>     
<ns1:Property name="GoogleOAuthRefreshToken"
value="GoogleOAuthRefreshToken"/>

Sample UMS Configuration File


<?xml version="1.0" encoding="UTF-8"?>
<ns1:MessagingConfiguration xmlns:ns0="http://www.oracle.com/ucs/messaging/configtemplate" xmlns:ns1="http://www.oracle.com/ucs/messaging/config" version="12.2.1.3.0">
   <ns1:Driver name="Test1" type="email" server="AdminServer" enabled="true">
      <ns1:Property name="SupportedDeliveryTypes" value="EMAIL"/>
      <ns1:Property name="SupportedContentTypes" value="*"/>
      <ns1:Property name="Capability" value="BOTH"/>
      <ns1:Property name="Cost" value=""/>
      <ns1:Property name="Speed" value=""/>
      <ns1:Property name="SupportedCarriers" value=""/>
      <ns1:Property name="SupportedProtocols" value="SMTP"/>
      <ns1:Property name="SupportsCancel" value="false"/>
      <ns1:Property name="SupportsReplace" value="false"/>
      <ns1:Property name="SupportsStatusPolling" value="false"/>
      <ns1:Property name="SupportsTracking" value="false"/>
      <ns1:Property name="SupportedStatusTypes" value="DELIVERY_TO_GATEWAY_SUCCESS, DELIVERY_TO_GATEWAY_FAILURE, USER_REPLY_ACKNOWLEDGEMENT_SUCCESS, USER_REPLY_ACKNOWLEDGEMENT_FAILURE"/>
      <ns1:Property name="SenderAddresses" value=""/>
      <ns1:Property name="SupportedApplicationNames" value=""/>
      <ns1:Property name="DefaultSenderAddress" value=""/>
      <ns1:Property name="SendingQueuesInfo" value="OraSDPM/QueueConnectionFactory:OraSDPM/Queues/OraSDPMDriverDefSndQ1"/>
      <ns1:Property name="MailAccessProtocol" value="IMAP"/>
      <ns1:Property name="AutoDelete" value="false"/>
      <ns1:Property name="Debug" value="true"/>
      <ns1:Property name="CheckMailFreq" value="30"/>
      <ns1:Property name="DisconnectAfterPoll" value="false"/>
      <ns1:Property name="ReceiveFolder" value="INBOX"/>
      <ns1:Property name="OutgoingMailServer" value="smtp.gmail.com"/>
      <ns1:Property name="OutgoingMailServerPort" value="587"/>
      <ns1:Property name="OutgoingMailServerSecurity" value="None"/>
      <ns1:Property name="OutgoingDefaultFromAddr" value=""/>
      <ns1:Property name="OutgoingUsername" value="umstest@gmail.com"/>
      <ns1:Property name="OutgoingPassword" value=""/>
      <ns1:Property name="IncomingMailServer" value="imap.gmail.com"/>
      <ns1:Property name="IncomingMailServerPort" value="993"/>
      <ns1:Property name="IncomingMailServerSSL" value="false"/>
      <ns1:Property name="IncomingMailIDs" value="umstest@gmail.com"/>
      <ns1:Property name="IncomingUserIDs" value="umstest@gmail.com"/>
      <ns1:Property name="IncomingUserPasswords" value="welcome"/>
      <ns1:Property name="ProcessingChunkSize" value="100"/>
      <ns1:Property name="ImapAuthPlainDisable" value="false"/>
      <ns1:Property name="CNSMode" value="false"/>
      <ns1:Property name="SMTPAuthUseOAuth2" value="true"/>
      <ns1:Property name="ImapAuthUseOAuth2" value="true"/>
      <ns1:Property name="OAuth2AccessTokenSupplierFactory" value="oracle.sdpinternal.messaging.oauth.ums.google.UMSGmailAccessTokenSupplierFactory"/>
      <ns1:Property name="GoogleOAuthClientID" value="GoogleOAuthClientID.apps.googleusercontent.com"/>
      <ns1:Property name="GoogleOAuthClientSecret" value="GoogleOAuthClientSecret"/>
      <ns1:Property name="GoogleOAuthRefreshToken" value="GoogleOAuthRefreshToken"/>
   </ns1:Driver>
</ns1:MessagingConfiguration>
Creating OAuth Client ID

Perform the following steps to create the OAuth Client ID:

  1. Open Google Cloud Console using the following URL:
  2. Enter your Gmail account credentials.
    You can create a project or use any of the existing projects.
  3. Select the newly created project from the Dashboard option.
  4. Select Credentials option.
  5. Click Create Credentials and select OAuth client ID.
  6. Configure the OAuth consent screen when prompted as follows:
    1. Under User Type, select External.
    2. Click Create.
    3. In the Edit app registration page, provide details in the following fields:
      • App name
      • User support email
      • Developer contact information

    You can skip the other fields as they are optional.

  7. In the Create OAuth client ID page, select Desktop app from the Application type drop-down list.
  8. In the Name field, enter My UMS OAuth Client1.
  9. Click Create.
    The OAuth client created dialog box appears.
  10. Copy Your Client ID and Your Client Secret from the dialog box.
  11. Click OK.
    The Your Client ID and Your Client Secret details are also visible in the OAuth 2.0 Client IDs table in the Credentials section and can also be copied from here when required.
Generating Tokens
Perform the following steps to generate access and refresh tokens:
  1. Download oauth2.py python script from GitHub.
  2. Run the script with the following four parameters:
    
--user=<your UMS OAuth gmail id>
--client_id=<your client id>
--client_secret=<your client secret>
--generate_oauth2_token

    Note:

    Ensure you follow all the instructions and authorize the app when prompted.
  3. After you receive the verification code, enter the details in the python script to get the refresh token and access token.
Verifying Tokens

You must verify the validity of the refresh token. You must send a POST request to Google OAuth token generation URL to generate a new access token. The verification is complete once you receive the access token. You must set the same refresh token value in usermessagingconfig.xml.

You must send a POST request using curl or POSTMAN or any suitable client to the URL given below:

URL

https://oauth2.googleapis.com/token

Parameters

The following is a list of the POST request parameters.


client_id: <your client id>
client_secret: <your client secret>
refresh_token: <refresh token value>
grant_type: refresh_token

Curl Command

The following example shows how to verify the validity of the refresh token using curl:


curl --location --request POST 'https://oauth2.googleapis.com/token' \
                        --header 'Content-Type: application/x-www-form-urlencoded' \
                        --data-urlencode 'client_id=734918285672-hij60r3464hd4gt8ejt9vbpgh11ndhj2.apps.googleusercontent.com' \
                        --data-urlencode 'client_secret=t9JYc9QcwLQzZTI4BEkfW4-M' \
                        --data-urlencode 'refresh_token=1//0guaq1jSMUQO8CgYIARAAGBASNwF-L9IrFMCFjCIVtYLCR73Dyh84adQDA8fBouxSP8du9Zje7Z9VkE3wV2mJ3oNUzSVDx-vNFjc' \
                        --data-urlencode 'grant_type=refresh_token'

Response

The following example shows the details of the access token in the Response body:


{
    "access_token": "ya29.a0ARrdaM9ToRMTmg6ghpP3GboRg3JrtDN-dbqEUAq0PjhyKauR4_olpHiMK2OdR-sHm45C6wmrNkJ-LubZlgd7sxFKaiP65kt3migGJcjAK-WwbbXkxitr2igqzD441kP2OB1M-BVEyR9RU-uUjELEnOmdhx-kYOk",
    "expires_in": 3599,
    "scope": "https://mail.google.com/",
    "token_type": "Bearer"
}
Configuring SendAs

For information about how to configure SendAs feature after the OAuth integration, see How to Send Mail on Behalf of Another Person in Google Mail.

Enabling OAuth for Microsoft 365 Accounts

UMS provides OAuth 2.0 based authentication support in the following two approaches to connect Microsoft IMAP and SMTP:

  • Authorization Code Flow - UMS is configured using O365OAuthClientID, O365OAuthTenantID, O365OAuthRefreshToken, and O365OAuthRefreshTokenScope tokens. UMS internally generates "Access token" which is used to connect the IMAP and SMTP for both inbound and outbound emails.
  • Client Credentials Flow - UMS is configured using O365OAuthClientID, O365OAuthTenantID, O365OAuthClientSecret, and O365OAuthClientSecretScope tokens. UMS internally generates "Access token" which is used to connect the IMAP and SMTP for both inbound and outbound emails.
Prerequisites

You must perform the following prerequisite tasks:

  1. Ensure you have a valid Gmail or Microsoft email account.
  2. Install Python.
  3. Obtain the following certificate to create trusted connections with MS hosts while using WebLogic in secured mode:

    DigiCertSHA2SecureServerCA-2.crt

Updating Configuration Properties

You must update the usermessagingconfig.xml file with configuration properties.

Table 4-10 Configuration Properties

Property Name Value Other Details
IncomingMailServer outlook.office365.com MS IMAP server
IncomingMailServerPort 993 MS server’s IMAP port
IncomingMailServerSSL False Constant value
OutgoingMailServer smtp.office365.com MS SMTP server
OutgoingMailServerPort 587 SMTP server’s port
OAuth2AccessTokenSupplierFactory oracle.sdpinternal.messaging. oauth.ums.ms.UMSO365Access TokenSupplierFactory Constant value. You must set this value when you use MS O365 mail ID.
O365OAuthClientID <Cliend id (UUID format)> For more information about how to get the value, see Initiation an App Registration section.
O365OAuthTenantID <Tenant id (UUID format)> For more information about how to get the value, see Initiation an App Registration section.
O365OAuthRefreshToken Encoded and valid refresh token For more information about how to get the value, see Generating Tokens section.

Example 4-3 Configuration Properties


      <ns1:Property name="IncomingMailServer" value="outlook.office365.com"/>
      <ns1:Property name="IncomingMailServerPort" value="993"/>
      <ns1:Property name="IncomingMailServerSSL" value="false"/>
      <ns1:Property name="OutgoingMailServer" value="smtp.office365.com"/>
      <ns1:Property name="OutgoingMailServerPort" value="587"/>
      <ns1:Property name="OAuth2AccessTokenSupplierFactory" value="oracle.sdpinternal.messaging.oauth.ums.ms.UMSO365AccessTokenSupplierFactory"/>
      <ns1:Property name="O365OAuthClientID" value="O365OAuthClientID"/>
      <ns1:Property name="O365OAuthTenantID" value="O365OAuthTenantID"/>
      <ns1:Property name="O365OAuthRefreshToken" value="O365OAuthRefreshToken"/>

Sample UMS Configuration File


<?xml version="1.0" encoding="UTF-8"?>
<ns1:MessagingConfiguration xmlns:ns0="http://www.oracle.com/ucs/messaging/configtemplate" xmlns:ns1="http://www.oracle.com/ucs/messaging/config" version="12.2.1.3.0">
   <ns1:Driver name="Test1" type="email" server="AdminServer" enabled="true">
      <ns1:Property name="SupportedDeliveryTypes" value="EMAIL"/>
      <ns1:Property name="SupportedContentTypes" value="*"/>
      <ns1:Property name="Capability" value="BOTH"/>
      <ns1:Property name="Cost" value=""/>
      <ns1:Property name="Speed" value=""/>
      <ns1:Property name="SupportedCarriers" value=""/>
      <ns1:Property name="SupportedProtocols" value="SMTP"/>
      <ns1:Property name="SupportsCancel" value="false"/>
      <ns1:Property name="SupportsReplace" value="false"/>
      <ns1:Property name="SupportsStatusPolling" value="false"/>
      <ns1:Property name="SupportsTracking" value="false"/>
      <ns1:Property name="SupportedStatusTypes" value="DELIVERY_TO_GATEWAY_SUCCESS, DELIVERY_TO_GATEWAY_FAILURE, USER_REPLY_ACKNOWLEDGEMENT_SUCCESS, USER_REPLY_ACKNOWLEDGEMENT_FAILURE"/>
      <ns1:Property name="SenderAddresses" value=""/>
      <ns1:Property name="SupportedApplicationNames" value=""/>
      <ns1:Property name="DefaultSenderAddress" value=""/>
      <ns1:Property name="SendingQueuesInfo" value="OraSDPM/QueueConnectionFactory:OraSDPM/Queues/OraSDPMDriverDefSndQ1"/>
      <ns1:Property name="MailAccessProtocol" value="IMAP"/>
      <ns1:Property name="AutoDelete" value="false"/>
      <ns1:Property name="Debug" value="true"/>
      <ns1:Property name="CheckMailFreq" value="30"/>
      <ns1:Property name="DisconnectAfterPoll" value="false"/>
      <ns1:Property name="ReceiveFolder" value="INBOX"/>
      <ns1:Property name="OutgoingMailServer" value="smtp.office365.com"/>
      <ns1:Property name="OutgoingMailServerPort" value="587"/>
      <ns1:Property name="OutgoingMailServerSecurity" value="None"/>
      <ns1:Property name="OutgoingDefaultFromAddr" value=""/>
      <ns1:Property name="OutgoingUsername" value="umstest@myumsoauth.onmicrosoft.com"/>
      <ns1:Property name="OutgoingPassword" value=""/>
      <ns1:Property name="IncomingMailServer" value="outlook.office365.com"/>
      <ns1:Property name="IncomingMailServerPort" value="993"/>
      <ns1:Property name="IncomingMailServerSSL" value="false"/>
      <ns1:Property name="IncomingMailIDs" value="umstest@myumsoauth.onmicrosoft.com"/>
      <ns1:Property name="IncomingUserIDs" value="umstest@myumsoauth.onmicrosoft.com"/>
      <ns1:Property name="IncomingUserPasswords" value=""/>
      <ns1:Property name="ProcessingChunkSize" value="100"/>
      <ns1:Property name="ImapAuthPlainDisable" value="false"/>
      <ns1:Property name="CNSMode" value="false"/>
      <ns1:Property name="SMTPAuthUseOAuth2" value="true"/>
      <ns1:Property name="ImapAuthUseOAuth2" value="true"/>
      <ns1:Property name="OAuth2AccessTokenSupplierFactory" value="oracle.sdpinternal.messaging.oauth.ums.ms.UMSO365AccessTokenSupplierFactory"/>
      <ns1:Property name="O365OAuthClientID" value="O365OAuthClientID"/>
      <ns1:Property name="O365OAuthTenantID" value="O365OAuthTenantID"/>
      <ns1:Property name="O365OAuthRefreshTokenScope" value="https://graph.microsoft.com/IMAP.AccessAsUser.All https://graph.microsoft.com/SMTP.Send"/>
      <ns1:Property name="O365OAuthRefreshToken" value="O365OAuthRefreshToken"/>
   </ns1:Driver>
</ns1:MessagingConfiguration>
Generating Tokens Using Authorization Code Flow

This section includes the following topics:

Initiating an App Registration
  1. Log into Microsoft Azure using the following URL:
    https://portal.azure.com/
  2. Enter your MS O365 account credentials.
  3. Click the hamburger menu on top.
  4. Navigate to Azure Active Directory.

Creating Tenant

  1. Click Create a Tenant.

    Note:

    You must create a tenant if no tenant is present in your list.
  2. In the Configuration page, provide details in the following fields:
    • Organization name
    • Initial domain name
    • Country/Region
  3. Click Review + Create.
  4. In the Azure Active Directory page, select App registrations from the left side navigation menu.
  5. Click New registration.
  6. In the Register an application page, provide details in the Name field.
  7. Under Supported account types, select Accounts in this organizational directory only (myumsoauth only - Single tenant).
  8. Click Register.
  9. In the left side navigation menu, select Authentication.
  10. Click Add a platform.
  11. Under Configure platforms, select Mobile and desktop applications.
  12. In Configure Desktop + devices page, select https://login.microsoftonline.com/common/oauth2/nativeclient under Redirect URIs.

Defining API Permissions

  1. In the left side navigation menu, select API permissions.
  2. Click Add a permission.
  3. In Request API permission page, select Delegated permissions.
  4. In Select permissions field, enter the following:
    • IMAP.AccessAsUser.All
    • SMTP.Send
  5. Select IMAP.AccessAsUser.All and SMTP.Send listed under Permission.

Generating Client Secret

  1. In the left side navigation menu, select Certificates & Secrets.
  2. Click New client secret.
  3. In the Add a client secret, provide details in the following fields:
    • Description
    • Expires
  4. Click Add.
Generating Tokens

Perform the following steps to generate access and refresh tokens:

  1. Open Microsoft URL with the following details:
    https://login.microsoftonline.com/<your tenant id>/ oauth2/v2.0/authorize?client_id=<your client id>&scope=IMAP.AccessAsUser.All SMTP.Send&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
    Example:
    https://login.microsoftonline.com/887c9fe4-c2e4-4b73-96e7-3f034cde3332/oauth2/v2.0/authorize?client_id=ce347d51-92a8-47ec-85a8-b71a903affc4&scope=IMAP.AccessAsUser.All SMTP.Send&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
  2. Enter your MSO 365 account credentials when prompted.
  3. Select Consent on behalf of your organisation and click Accept.
    You will be redirected to a URL with the following details:
    https://login.microsoftonline.com/common/oauth2/nativeclient?code=<code>& session_state=<session state>
    Example
    https://login.microsoftonline.com/common/oauth2/nativeclient?code=0.AVYA5J98iOTCc0uW5z8DTN4zMlF9NM6okuxHhai3GpA6_8RWAM8.AQABAAIAAAD--DLA3VO7QrddgJg7WevrBzhwQ-VnAhparfeQA3VEDSXbYwDZ87LvKWkmPUWNZZOTOSa1Ja2rJOuizFnqqnDfFWj4UwryPjBNMeIAeHAgJ_RzhZTPCepmlcV_q9-93V6n0ASfjPbKwzN7A9XGRsZ8HJSJ-vMwGOAZvG3O8ywkMj6m_kOYSkCHEaiRMhSJRrIokpL0b70STHBxeaTXM4u71Mv0C3z-PdJqa4Rqwoboo77CF7hhLMHhtil9tJxSlA6Gvh6JVj0qXH27WvFQO7ZIUqrJZrDae2uCTVwyo70hJJ41trZsm6px8diWUf_zgnxuHAt4YCHNmj5TO-laj-02CKsHWpgzDSk7dduhl9KPnYerxLeE1T8EXjodG289sbsoz939yZe-mMbjyKOIzM-eM7B_WUrpt2zFKYQne0wETbi_o2RAxieMHmV-w2TFv54QeGAyXZ7ECkZuiyVuPPIaYnSRrV67Ps_Rj4LfcJJI2kj3QaRCGAvnUJRoJUb-0m2Bv23DtqPpn0o6tRPSUxiuLOHSWpxLhK7IW5nSfyeRiwzTC9-4YUpAfqf4N0u2yHMEAqrbTKOocJKm7KkadhHb1jyJ_rUYJD-0qHugqEtF0aqFvmvEDB-pOAsPXbtO6rycIjexEZgs26mSKeKv65yZ2lBLtN1XmUXa3Rvoec_GejvYwUeFINICkRa1NCrxMukgAA&session_state=fb6c0bf9-c9ea-43c0-ab07-7523d99e491c
  4. Copy the code parameter value from the above URL.
  5. Send a POST request with required parameters as described below:
    URL
    https://login.microsoftonline.com/<your tenant id>/oauth2/v2.0/token
    Parameters

    The following is a list of the POST request parameters.

    
client_id: <your client application id>
scope: IMAP.AccessAsUser.All SMTP.Send offline_access
grant_type: authorization_code
code: The code you got from Step #2
redirect_uri: https://login.microsoftonline.com/common/oauth2/nativeclient
    Curl Command

    The following example shows how to generate access and refresh tokens using curl:

    
curl --location --request POST 'https://login.microsoftonline.com/887c9fe4-
c2e4-4b73-96e7-3f034cde3332/oauth2/v2.0/token' \

                        --header 'Content-Type: application/x-www-form-
urlencoded' \
                        --data-urlencode 'client_id=ce347d51-92a8-47ec-
85a8-b71a903affc4' \
                        --data-urlencode 'scope=IMAP.AccessAsUser.All 
SMTP.Send offline_access' \
                        --data-urlencode 'grant_type=authorization_code' \

                        --data-urlencode 
'code=0.AVYA5J98iOTCc0uW5z8DTN4zMlF9NM6okuxHhai3GpA6_8RWAM8.AQABAAIAAAD--
DLA3VO7QrddgJg7WevrBzhwQ-
VnAhparfeQA3VEDSXbYwDZ87LvKWkmPUWNZZOTOSa1Ja2rJOuizFnqqnDfFWj4UwryPjBNMeIAe
HAgJ_RzhZTPCepmlcV_q9-93V6n0ASfjPbKwzN7A9XGRsZ8HJSJ-
vMwGOAZvG3O8ywkMj6m_kOYSkCHEaiRMhSJRrIokpL0b70STHBxeaTXM4u71Mv0C3z-
PdJqa4Rqwoboo77CF7hhLMHhtil9tJxSlA6Gvh6JVj0qXH27WvFQO7ZIUqrJZrDae2uCTVwyo70
hJJ41trZsm6px8diWUf_zgnxuHAt4YCHNmj5TO-laj-
02CKsHWpgzDSk7dduhl9KPnYerxLeE1T8EXjodG289sbsoz939yZe-mMbjyKOIzM-
eM7B_WUrpt2zFKYQne0wETbi_o2RAxieMHmV-
w2TFv54QeGAyXZ7ECkZuiyVuPPIaYnSRrV67Ps_Rj4LfcJJI2kj3QaRCGAvnUJRoJUb-
0m2Bv23DtqPpn0o6tRPSUxiuLOHSWpxLhK7IW5nSfyeRiwzTC9-
4YUpAfqf4N0u2yHMEAqrbTKOocJKm7KkadhHb1jyJ_rUYJD-0qHugqEtF0aqFvmvEDB-
pOAsPXbtO6rycIjexEZgs26mSKeKv65yZ2lBLtN1XmUXa3Rvoec_GejvYwUeFINICkRa1NCrxMu
kgAA' \
                        --data-urlencode 
'redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient'
    The access and refresh token details will be in the response.
Verifying Tokens

You must verify the validity of the refresh token.You must send a POST request to MS OAuth token generation URL to generate a new access token. The verification is complete once you receive the access token.You must set the same refresh token value in usermessagingconfig.xml.

You must send a POST request using curl or POSTMAN or any suitable client to the URL given below:

URL

https://login.microsoftonline.com/<your tenant id>/oauth2/v2.0/token

Parameters

The following is a list of the POST request parameters.


client_id: <your client application id>
scope: IMAP.AccessAsUser.All SMTP.Send offline_access
grant_type: refresh_token
refresh_token: The refresh token that you just obtained
redirect_uri: https://login.microsoftonline.com/common/oauth2/nativeclient

Curl Command

The following example shows how to verify the validity of the refresh token using curl:


curl --location --request POST 'https://login.microsoftonline.com/887c9fe4-c2e4-
4b73-96e7-3f034cde3332/oauth2/v2.0/token' \
                        --header 'Content-Type: application/x-www-form-urlencoded' 
\
                       
        --data-urlencode 'client_id=eba0d084-3a6b-4520-83b2-
52ed27a15b7b' \
                       
        --data-urlencode 'scope=https://outlook.office.com/IMAP.AccessAsUser.All
        https://outlook.office.com/SMTP.Send offline_access' \                       
        --data-urlencode 'grant_type=refresh_token' \        
        --data-urlencode 
'refresh_token=0.AVYA5J98iOTCc0uW5z8DTN4zMoTQoOtrOiBFg7JS7SehW3tWAM8.AgABAAEAAAD--
DLA3VO7QrddgJg7WevrAgDs_wQA9P-m1OnkkabmlTMmSH_G5cOl_6_1Cr-
_NoAjwozM1QItkpuWGtxkLiSmAm-o5jg5zTHhFdcxwknuDwCtQ9bNxT32a8xGmeei-
fo5GycV7V6QqApR0jcZqhoGQx1168WeCHBDk7HcTR9RZagoPIgpYCgArdKwSypBOU5s37s2gJG3e9m_flC9
GK0VxycmnQHWmCnFr91-QYeQNSsWA-nMQmhpkmFKBBlIm6BhWz5XCJA1m0J7-ZukuJp_D14OsFhwzzNszH-
wAd9_XEBq62NjTeADkvZ28-
2Ppqiky4hlPi0Go4JtpPh0zsDcOIUJrdJPTIY8GlEy2yJOslksctz4gh_Dg1eq35m_s1EeV8HVPOd3vXZcu
unHWKgrfPIZE7MslS_iu9xeslBcGvEpJNtpC4kdB8uTHLo2g8U8W7nZgyjrc8r09yt0bv27eVWBIRcUKuJe
yAs_mOIUij6eYpwMEAbuiPRd6efA9T-
arwB5iDbOrAfHt1FCnpJNXP166A22KcSx83CmLBrIsJu8wOpxfitj27fKo0sIOeE5e06GvDaZMLI6r02kRW
xJuYdUVSnjosuryREwqdSio735YhM9K0wINMPm6yJTmBL85SuZONN5Nd8DgJCNDfCK_1FGyXeqQvy5TjHRd
W3IBy0SjjAj2VPqtQ2IyuNXrpHxFWsgyqSpESrwkE6LZp6cXTc5DxNz6arilBojlOTKwX9q4KRnnyzcSBX7
pgyziNWACxMgIK4_s-l7WJyjk-oNiwZMGnJgDNYaeLdffvIqtly6vmI' \

                       
        --data-urlencode
'redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient' \

Response

The following example shows the details of the access and refresh tokens in the Response body:


{
    "token_type": "Bearer",
    "scope": "EWS.AccessAsUser.All IMAP.AccessAsUser.All Mail.ReadWrite.All SMTP.Send User.Read profile openid email",
    "expires_in": 5397,
    "ext_expires_in": 5397,
    "access_token": 
	"eyJ0eXAiOiJKV1QiLCJub25jZSI6IkpieWVRMkVFbXFMQklhWmk3cXhBdmhxX2I2d3RUTzBpWWlNRnI1Mz
	RzTGMiLCJhbGciOiJSUzI1NiIsIng1dCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyIsImtpZCI6I
	mpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyJ9.eyJhdWQiOiIwMDAwMDAwMy0wMDAwLTAwMDAtYzAwMC0
	wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC84ODdjOWZlNC1jMmU0LTRiNz
	MtOTZlNy0zZjAzNGNkZTMzMzIvIiwiaWF0IjoxNjU0NzQwMTUwLCJuYmYiOjE2NTQ3NDAxNTAsImV4cCI6M
	TY1NDc0NTg0OCwiYWNjdCI6MCwiYWNyIjoiMSIsImFpbyI6IkUyWmdZUGhXMVpiR1kvYkkySVF6MnMvaTdt
	WlBEL1h5ODF5aW5KZCt4Q3Y4TDJUOTR3d0EiLCJhbXIiOlsicHdkIl0sImFwcF9kaXNwbGF5bmFtZSI6IlR
	lc3QgT0F1dGgiLCJhcHBpZCI6ImViYTBkMDg0LTNhNmItNDUyMC04M2IyLTUyZWQyN2ExNWI3YiIsImFwcG
	lkYWNyIjoiMCIsImZhbWlseV9uYW1lIjoiQmFidSIsImdpdmVuX25hbWUiOiJWZW5rYXRlc2giLCJpZHR5c
	CI6InVzZXIiLCJpcGFkZHIiOiIxMjIuMTY3LjIyNi4yNiIsIm5hbWUiOiJWZW5rYXRlc2ggQmFidSIsIm9p
	ZCI6IjAwYWM5M2JlLTY1MGQtNGRhNy1iNDI2LTE3YzJiODI0ZGI5MiIsInBsYXRmIjoiMyIsInB1aWQiOiI
	xMDAzMjAwMEU1NTE2MThGIiwicHdkX2V4cCI6IjAiLCJwd2RfdXJsIjoiaHR0cHM6Ly9wb3J0YWwubWljcm
	9zb2Z0b25saW5lLmNvbS9DaGFuZ2VQYXNzd29yZC5hc3B4IiwicmgiOiIwLkFWWUE1Sjk4aU9UQ2MwdVc1e
	jhEVE40ek1nTUFBQUFBQUFBQXdBQUFBQUFBQUFCV0FNOC4iLCJzY3AiOiJFV1MuQWNjZXNzQXNVc2VyLkFs
	bCBJTUFQLkFjY2Vzc0FzVXNlci5BbGwgTWFpbC5SZWFkV3JpdGUuQWxsIFNNVFAuU2VuZCBVc2VyLlJlYWQ
	gcHJvZmlsZSBvcGVuaWQgZW1haWwiLCJzaWduaW5fc3RhdGUiOlsia21zaSJdLCJzdWIiOiJGSUdjcnNzQU
	ZTYnNTdW9VNy1KdlFySDlkRzNxbkpLcXpuMnV0dU9VdlpFIiwidGVuYW50X3JlZ2lvbl9zY29wZSI6IkFTI
	iwidGlkIjoiODg3YzlmZTQtYzJlNC00YjczLTk2ZTctM2YwMzRjZGUzMzMyIiwidW5pcXVlX25hbWUiOiJ2
	ZW5rYXRiYWJ1a3JAbXl1bXNvYXV0aC5vbm1pY3Jvc29mdC5jb20iLCJ1cG4iOiJ2ZW5rYXRiYWJ1a3JAbXl
	1bXNvYXV0aC5vbm1pY3Jvc29mdC5jb20iLCJ1dGkiOiJVUG9wS2xWLXVVT1B2X3FWVTB0RUFBIiwidmVyIj
	oiMS4wIiwid2lkcyI6WyI2MmU5MDM5NC02OWY1LTQyMzctOTE5MC0wMTIxNzcxNDVlMTAiLCJiNzlmYmY0Z
	C0zZWY5LTQ2ODktODE0My03NmIxOTRlODU1MDkiXSwieG1zX3N0Ijp7InN1YiI6IlVZWTFXS2hQaGlRUDlf
	bkdNcXJDcU8zVmVfZC1tZzlReVhZSEQ2alNOb1EifSwieG1zX3RjZHQiOjE2MDA2Njk1Mjh9.DT9fHa8_IF
	8bZt6sAUt43ep0slEEKh3ZslSHvLee6cIgbP4ACns_XK6-Xv-f1zqsHHj-2uPU3pLwP0_-
	0sOqILiv4dBEDKqUElzb54EqHQix2-yXqomKCZBspF245kpDX-
	dSbu3hJ3lh_qSTPpTG7jAXvWJdEyST1o1X0mTCt1pn1HAu2GxWhWFf2daVVcmlfuLtjyW82T-
	xKY5NlZvlzx5dxn8-M4Txkg-
	GInwYtcRgrsxHG9HyIY1dNfjoRv5k4uU1tRzQeTrNOa62E6hk26LIdZi9zGgrAV0KVGDbsxnkrmKZy-
	7JkvhGmczTg1PCnpbCdmFnNy1UGf3SjmEOKQ",
	
    "refresh_token": 
	"0.AVYA5J98iOTCc0uW5z8DTN4zMoTQoOtrOiBFg7JS7SehW3tWAM8.AgABAAEAAAD--
	DLA3VO7QrddgJg7WevrAgDs_wQA9P-m1OnkkabmlTMmSH_G5cOl_6_1Cr-
	_NoAjwozM1QItkpuWGtxkLiSmAm-o5jg5zTHhFdcxwknuDwCtQ9bNxT32a8xGmeei-
	fo5GycV7V6QqApR0jcZqhoGQx1168WeCHBDk7HcTR9RZagoPIgpYCgArdKwSypBOU5s37s2gJG3e9m_flC9
	GK0VxycmnQHWmCnFr91-QYeQNSsWA-nMQmhpkmFKBBlIm6BhWz5XCJA1m0J7-ZukuJp_D14OsFhwzzNszH-
	wAd9_XEBq62NjTeADkvZ28-
	2Ppqiky4hlPi0Go4JtpPh0zsDcOIUJrdJPTIY8GlEy2yJOslksctz4gh_Dg1eq35m_s1EeV8HVPOd3vXZcu
	unHWKgrfPIZE7MslS_iu9xeslBcGvEpJNtpC4kdB8uTHLo2g8U8W7nZgyjrc8r09yt0bv27eVWBIRcUKuJe
	yAs_mOIUij6eYpwMEAbuiPRd6efA9T-
	arwB5iDbOrAfHt1FCnpJNXP166A22KcSx83CmLBrIsJu8wOpxfitj27fKo0sIOeE5e06GvDaZMLI6r02kRW
	xJuYdUVSnjosuryREwqdSio735YhM9K0wINMPm6yJTmBL85SuZONN5Nd8DgJCNDfCK_1FGyXeqQvy5TjHRd
	W3IBy0SjjAj2VPqtQ2IyuNXrpHxFWsgyqSpESrwkE6LZp6cXTc5DxNz6arilBojlOTKwX9q4KRnnyzcSBX7
	pgyziNWACxMgIK4_s-l7WJyjk-oNiwZMGnJgDNYaeLdffvIqtly6vmI"
}
Generating Tokens Using Client Credentials Flow
If O365OAuthClientSecret and O365OAuthClientSecretScope are provided in usermessagingconfig.xml file, the UMS uses these two values to generate the access token internally.
Perform the following steps to generate access tokens using O365OAuthClientSecret and O365OAuthClientSecretScope values:
  1. Create a new account and configure it.
    For more information about configuring the account, see Updating UMS Configuration File.
  2. Add the following new permissions:
    • IMAP.AccessAsApp
    • POP.AccessAsApp
    • SMTP.SendAsApp
  3. Create a new client secret and copy it.

    Note:

    The new client secret is visible only once (once you leave the page the secret will not be visible) so you must copy the new secret value and save it.
  4. Connect PowerShell and add mailbox permissions as described below:
    1. Install and Import ExchangeOnlineManagement
      Run the following two commands:
      Install-Module -Name ExchangeOnlineManagement -allowprerelease
      Import-module ExchangeOnlineManagement

      Note:

      If you are connecting for the first time, you must run the two commands.
    2. Connect Exchange Online
      Run the following command:
      Connect-ExchangeOnline -Organization <Tenant id>
      Example:
      Connect-ExchangeOnline -Organization 887c9fe4-c2e4-4b73-96e7-3f034cde3332

      Note:

      The Azure portal login window appears. You must log into the portal and close it.
    3. Add Mailbox Permission
      Run the following commands:
      New-ServicePrincipal -AppId <> -ObjectId <>
      Example:
      New-ServicePrincipal -AppId eba0d084-3a6b-4520-83b2-52ed27a15b7b -ObjectId 31cb91f7-84fd-40e6-bb30-7b41371b95a7
      Add-MailboxPermission -Identity <user_mail_id> -User <ObjectId> -AccessRights FullAccess
      Example:
      Add-MailboxPermission -Identity venkatbabukr@myumsoauth.onmicrosoft.com -User 31cb91f7-84fd-40e6-bb30-7b41371b95a7 -AccessRights FullAccess
  5. Enter client secret in the usermessagingcofnig.xml file.
  6. Restart the SOA servers.

    Note:

    If the O365OAuthClientSecret and O365OAuthClientSecretScope values are not provided then the system uses refresh token to generate access token.
Enabling SMTP AUTH
The Microsoft 365 admin center or Exchange Online PowerShell provides pre-mailbox setting to enable and disable SMTP AUTH.
Perform the following steps to enable SMTP AUTH on specific mailboxes:
  1. Open the Microsoft 365 admin center using the following URL:
  2. Enter your domain admin email ID and password.
  3. In the left side navigation menu, click Users.
  4. Select Active Users.
  5. Click your user display name.
    A flyout appears with user details.
  6. Select Mail.
  7. Under Email apps, select Manage email apps.
  8. In Manage email apps page, select the option Authenticated SMTP.
  9. Click Save changes.
Configuring SendAsDenied
You must configure SendAsDenied in the Microsoft admin portal.
Perform the following steps to configure SendAsDenied in the Microsoft admin portal:
  1. Open the Microsoft 365 admin center using the following URL:
  2. Enter your domain admin email ID and password.
  3. In the left side navigation menu, click Users.
  4. Select Active Users.
  5. Click your user display name to view the user details.
  6. Select Mail.
  7. Under Mailbox Permissions, click Send on behalf of permissions.
  8. Select Add permission.
  9. Select the OAuth user email.
  10. Restart the SOA service.
    You must wait for one hour to get the cache updated on the Microsoft side if it does not work instantly.
Configuring Multiple Inbound Email IDs
You can configure multiple inbound email IDs and give permission to the OAuth user.
Perform the following steps to configure an inbound email ID:
  1. Open the Microsoft 365 admin center using the following URL:
  2. Enter your domain admin email ID and password.
  3. In the left side navigation menu, click Users.
  4. Select Active Users.
  5. Select the user that needs to be configured for UMS inbound flow.
    For example, inbounduser1@domain.com.
  6. Select Mail.
  7. Under Mailbox Permissions, click Send on behalf of permissions.
  8. Select Add permission.
  9. Select the user that needs to be configured as the OAuth is UMS email.
    For example, oauthuser1@domain.com.
  10. Click Add.

    Note:

    You must ensure no password is saved in usermessagingconfig.xml for IncomingUserPasswords.
Configuring the SMPP Driver

Short Message Peer-to-Peer (SMPP) is a popular GSM SMS protocols. UMS includes a prebuilt implementation of the SMPP protocol as a driver that can send and receive short messages. If the sending feature is enabled, the SMPP driver opens one TCP connection to the Short Message Service Center (SMS-C) as a transmitter for sending messages. If the driver's receiving feature is enabled, it opens another connection to the SMS-C as a receiver for receiving messages. Only two TCP connections (both initiated by the driver) are needed for all communication between the driver and the SMS-C.

Note:

The SMPP Driver implements version 3.4 of the SMPP protocol and only supports connections to an SMS-C or an SMS gateway that supports this version.
Common Properties

Table 4-11 lists common driver properties that are indicative of the capabilities of this driver for use by the messaging engine when routing outbound messages. Some properties are set by the driver developer and do not normally require modification, while others can be modified by the administrator to change the routing behavior. For detailed description of these properties, refer to Table 4-2. For the complete list of available values, see User Messaging Service Java API Reference.

Table 4-11 Common SMPP Properties

Name Mandatory Default Value

InstanceName

Yes

SMPP-Driver

Capability

Yes

Both

SupportedDeliveryTypes

Yes

SMS

SupportedContentTypes

Yes

text/plain

SupportedStatusTypes

No

DELIVERY_TO_GATEWAY_SUCCESS, DELIVERY_TO_GATEWAY_FAILURE

Cost

No

N/A

Speed

No

N/A

SupportedCarriers

No

N/A

Configuration Level

Yes

Server/Cluster

Supported Protocols

No

N/A

SenderAddresses

No

N/A

DefaultSenderAddress

No

N/A

Supported Application Names

No

Empty
SMPP Custom Properties

Table 4-12 lists properties specific to this driver and generally associated with configuring access to the remote gateway and certain protocol or channel-specific behavior.

Table 4-12 Custom SMPP Properties

Name Description Mandatory Default Value

SmsAccountId

This value indicates the addresses that the SMPP driver is requesting messages for from the server. The value is specified as a UNIX Regular Expression. For example, "555" would specify a single address, and "^123|^789" would indicate all addresses starting with 123 or 789.

Yes

N/A

SmsServerHost

The name (or IP address) of the SMS-C server.

Yes

N/A

TransmitterSystemId

The account ID that is used to send messages.

Yes

N/A

ReceiverSystemId

The account ID that is used to receive messages.

Yes

N/A

TransmitterSystemType

The type of transmitter system. The default is Logica.

Yes

The default value is Logica.

ReceiverSystemType

The type of receiver system. The default is Logica.

Yes

The default value is Logica.

TransmitterSystemPassword

The password of the transmitter system. This includes Type of Password (choose from Indirect Password/Create New User, Indirect Password/Use Existing User, and Use Cleartext Password) and Password.

Yes

N/A

ReceiverSystemPassword

The password for the receiver system. This includes Type of Password (choose from Indirect Password/Create New User, Indirect Password/Use Existing User, and Use Cleartext Password) and Password.

Yes

N/A

ServerTransmitterPort

The TCP port number of the transmitter server.

Yes

N/A

ServerReceiverPort

The TCP port number of the receiver server.

Yes

N/A

DefaultEncoding

Used for incoming messages. If the SMS-C specifies the encoding to SMSC Default Alphabet, then this is the encoding that SMPP driver will assume.

Choose from the drop-down list among the following: IA5, UCS2, GSM_DEFAULT, ISO-8859-1

No

IA5

PreferredEncoding

Used for outgoing messages. If set, the text will be encoded according to the PreferredEncoding parameter. If the encoding fails (i.e. a character cannot be encoded using the specified encoder) then the driver uses the 16-bit encoding UCS2.

If not set, the driver will attempt to derive an encoding from the UMS Message Content-Type header.

Choose from the drop-down list among the following: IA5, UCS2, GSM_DEFAULT, ISO-8859-1

No

IA5

LocalSendingPort

The local TCP port used by the SMPP driver to send messages to the SMS-C.

No

N/A

LocalReceivingPort

The local TCP port used by the SMPP driver to receive messages from the SMS-C.

No

N/A

LocalAddress

The hostname (or IP address) of the server that hosts the SMPP driver.

No

N/A

WindowSize

The window size for SMS. This value must be a positive number. Default is 1.

No

1

EnquireInterval

The interval, in seconds, to send an enquire message to the SMS-C. The default is 30 seconds.

No

30

ThrottleDelay

The delay, in seconds, between throttles. The default is 30.

No

30

BindRetryDelay

The minimum delay, in seconds, between bind entry attempts. Default is 30.

No

30

ResponseTimer

Time lapse allowed between SMPP request and response, in seconds. The default is 30.

No

30

RegisteredDeliveryMask

The registered delivery bit mask. The default is 0xFF, which does not change the delivery flag value.

No

0xFF

RangeSetNull

Set to true to set the address range field of BIND_RECEIVER to null. Set to false (the default value) to set the address range field to SmsSystemId. The default is Disabled.

No

Disabled

PriorityAllowed

The highest priority the SMPP Driver will set on a message to the SMS-C. The UMS Message priority set by the client application is translated into SMPP priority, but limited by PriorityAllowed. The range is 0 (normal) to 3 (highest). The default is 0.

No

0

BulkSending

Set this value to enabled (the default) to enable sending messages in bulk to the SMS-C.

No.

Enabled

PayloadSending

If you enable this property, the SMPP driver always uses the message_payload parameter that is defined in the SMPP specification, while sending a message to the SMS-C. The default is Disabled.

No

Disabled

SourceTon

The type of number (TON) for ESME address(es) served through SMPP receiver session. The default is 0.

No

0

SourceNpi

The numbering plan indicator (NPI) for ESME address(es) served through the SMPP receiver session. The default is 0.

No

0

DestinationTon

The TON for destination. The default is 0.

No

0

DestinationNpi

The NPI for destination. The default is 0.

No

0

MaxChunks

The maximum SMS chunks for a message. The default is -1 (no maximum).

No

-1 (no maximum)

ChunkSize

The maximum size of each SMS message chunk. Default is 160.

No

160

LongMessageSending

Supports sending long messages by setting the optional SMPP parameters sar_msg_ref_num, sar_total_segments and sar_segment_seqnum for fragmented messages. The default value is Enabled.

No

Enabled

DatagramMessageMode

Supports datagram message mode. The default is Disabled.

No

Disabled

Optional Params

Supports passing of additional parameters (TLVs) along with SMS.

No

Empty

Parent topic: Common Properties

Configuring the XMPP Driver

The XMPP Driver provides unidirectional or bidirectional access from Oracle Fusion Middleware to end users for real-time IM through the Extensible Messaging and Presence Protocol (XMPP). This driver enables end users to receive alert notifications or interactively chat with applications through their IM client of choice.

Perform the following tasks to configure the XMPP Driver.

Task 1: Setting Up Ejabberd

XMPP driver must be set up with Ejabberd which is an XMPP server (Jabber server), MQTT broker, and SIP gateway built to create real time services such as massive chat and instant communication.

For information about how to set up Ejabberd, see Installing ejabberd.

The admin account details that include SERVERNAME, USERNAME, and PASSWORD are configured to set up the driver.

To disable the SSL, the configuration file for Ejabberd ejabberd.yml in /opt/ejabberd/conf/ must be modified: 


listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: false

Task 2: Configure XMPP Driver in UMS

If you use EM to configure the driver in UMS, you must create or update the driver properties.

Perform the following steps to update the Drivers Properties:

  1. Log into EM.
  2. Click EM, select User Messaging Service, click usermessagingdriver-xmpp, select Driver Properties, and then click Create.
  3. In the Driver Properties page, update the following fields:

    Table 4-13 Driver Properties

    Field Update

    Name

    APPNAME

    IM Server Host

    SERVERNAME

    IM Server Port

    5222

    IM Server Username

    USERNAME@SERVERNAME

    IM Server Password

    IM Server Password section.
    Type of Password Use Cleartext Password.
    Password Enter the password configured in Ejabberd.
    Security Mode None
    Enable SASL Authentication Disabled

If you are not using EM to configure the driver in UMS, add the XMPP driver configuration to the configuration file as follows:


<ns1:Property name="IMServerHost" value="SERVERNAME"/>
<ns1:Property name="IMServerPort" value="5222"/>
<ns1:Property name="IMServerUsername" value="USERNAME@SERVERNAME"/>
<ns1:Property name="IMServerPassword" value="PASSWORD"/>
<ns1:Property name="SecurityMode" value="None"/>
<ns1:Property name="SASLAuthenticationEnabled" value="false"/>

Task 3: Validate and Test the Driver

You must validate the driver to ensure the configuration is correct. After validating, test the driver using the Ejabberd supported clients such as Coccinella.

Common Properties

Table 4-14 lists the common driver properties that are indicative of the capabilities of this driver for use by the messaging engine when routing outbound messages. Some properties are set by the driver developer and do not normally require modification, while others can be modified by the administrator to change the routing behavior. For detailed description of these properties, see Table 4-2. For the complete list of available values, see User Messaging Service Java API Reference.

Table 4-14 Common XMPP Properties

Name Mandatory Default Value

InstanceName

Yes

usermessagingdriver-xmpp

Capability

Yes

SEND, RECEIVE

SupportedDeliveryTypes

Yes

IM

SupportedContentTypes

Yes

text/plain

SupportedStatusTypes

No

DELIVERY_TO_GATEWAY_SUCCESS, DELIVERY_TO_GATEWAY_FAILURE

Cost

No

N/A

Speed

No

N/A

SupportedCarriers

No

N/A

Configuration Level

Yes

Server/Cluster

Supported Protocols

No

XMPP
Supported Application Names No Empty
Driver Type Yes User Messaging XMPP Driver

SenderAddresses

No

N/A

DefaultSenderAddress

No

N/A
XMPP Custom Properties

Table 4-15.lists the custom properties included in the XMPP Driver.

Table 4-15 Custom XMPP Properties

Name Description Mandatory Default Values

IM Server Host

Jabber/XMPP server hostname.

Yes

  

IM Server Port

Corresponding Jabber/XMPP server port.

Yes

5222

IM Server Username

Enter Jabber/XMPP user name to log in. You can also enter a complete Jabber ID if its domain name is different from the Jabber/XMPP server hostname.

Yes

  

IM Server Password

Corresponding password for the username.

No

Indirect Password, Create New User

SecurityMode
Security mode to use when establishing connection to the server. Available options include the following:
  • None (Security is disabled and only un-encrypted connections are used)
  • TLS (Security via TLS encryption is used whenever it is available)
  • SSL (Security via SSL encryption is used)

No

TLS

Enable SASL Authentication

Whether or not to use SASL authentication when logging into the server. If SASL authentication fails, then the driver uses non-SASL authentication.

No

Enabled

Parent topic: Common Properties

Configuring the APNS Driver

The Apple Push Notification Service (APNS) driver is a UMS driver that communicates with the APNS API server. The certificates that you get from Apple for your application needs to be saved in the WLS server, in the OPSS subsystem. For more information on pre-requisites for configuring the APNS driver, see Prerequisites for Configuring APNS Driver.

Prerequisites for Configuring APNS Driver

To send push notification using the APNS driver, the driver needs access to the iOS application-specific certificates. The certificates (public and private keys) are obtained from Apple's developer portal.

Task 1: Installing a Trust Certificate from the Entrust

You must obtain the APNS keys (.p12) and certificate for the app from the mobile app team. To carry out any development tasks, use the sandbox keys and certificate provided for UMS.

Task 2: Importing the Certificate in the Domain

Run the following command to extract the alias name for the certificate:

keytool -list -v -keystore ent1_ums_demo.p12 -storetype PKCS12

The certificates are packaged in a PKCS #12 file (file extension p12 or pfx). Before the certificates can be imported into the Keystore service, the archive must be converted to a JavaKeyStore file (file extension jks).

Run the following command to convert the archive using the keytool command (which is part of the JDK):

keytool -importkeystore -destkeystore apns-prod-server-testapns-21112023.jks -srckeystore ent1_ums_demo.p12 -srcstoretype PKCS12 -destalias apns-prod-server-testapns-21112023 -deststorepass welcome1 -destkeypass welcome1 -alias ent1_ums_demo

UMS comes with a predefined keystore called apns must be used for the imported certificates.

The following sample describes how the certificate can be imported into the Keystore service using WSLT:

getOpssService(name='KeyStoreService').importKeyStore(appStripe='ums', name='apns', password='welcome1', aliases='apns-prod-server-testapns-21112023', keypasswords='welcome1', type='JKS', permission=true, filepath="/scratch/anegupta/keysncerts/apns-prod-server-testapns-21112023.jks")

Note:

The value aliases parameter (in the above command) must match both the alias property in the APNS driver configuration and the keystore name.

If a different keystore than apns is used, then UMS must be granted additional permission using the same appstripe value used to create the new keystore.

The UMS shared library oracle.sdp.client must be granted the oracle.security.jps.service.keystore.KeyStoreAccessPermission permission using the very same appstripe.

Run the following command to import the apns certificate to WebLogic’s configured keystore (select the keystore configured in the environment):

keytool -importcert -keystore "..fmwhome12/wlserver/server/lib/DemoTrust.jks" -storepass DemoTrustKeyStorePassPhrase -file apns.cer -alias "apns.cer"

Task 3: Update the New Alias in UMS DB in the Table driverproperties:

Updating driver properties in UMS can be done using MBean as described below:

MBean Name

oracle.ucs.messaging:Location=ESS_SOAServer_1,name=UserPrefsAdministration,type=SDPMessagingRuntime

Note:

Any instance of SOA server can be used to invoke this MBean other than ESS_SOAServer_1.

Operation Name

saveDriverProperties

Parameters

P1 - driverName

P2 - propertyName

P3 - propertyValue

For example, saveDriverProperties ("usermessagingdriver-apns-HCM", "Alias","apns-prod-server-hcm-12122023").

Example


mBean = ObjectName("oracle.ucs.messaging:Location=ESS_SOAServer_1,name=UserPrefsAdministration,type=SDPMessagingRuntime")           
set_param = ['usermessagingdriver-apns-HCM', 'Alias', 'apns-prod-server-hcm-12122023']
set_type = ["java.lang.String", "java.lang.String", "java.lang.String"]
mbs.invoke(mBean, "saveDriverProperties", set_param, set_type)

Task 4: Import AAA Certificate for APNS Remote Notification Server

Establish a trusted connection with APNs to set up a remote notification server. To create a trusted connection, you must install the AAA Certificate Services root certificate on each server.

Download the certificate from the following link:

Setting up a remote notification server

After downloading the certificate, run the following command to import the certificate to the WebLogic configured keystore:

keytool -importcert -keystore "../fmwhome12/wlserver/server/lib/DemoTrust.jks" -storepass DemoTrustKeyStorePassPhrase -file AAACertificateServices.crt -alias "AAACertificateServices.crt"

Note:

Select the keystore configured in the environment.

Task 5: Configure APNS Driver in UMS

If you use EM to configure the driver in UMS, you must create or update the driver properties.

Perform the following steps to update the Drivers Properties:

  1. Log into EM.
  2. Click EM, select User Messaging Service, click usermessagingdriver-xmpp, select Driver Properties, and then click Create.
  3. In the Drivers Properties page, update the following fields:

    Table 4-16 Driver Properties

    Field Value
    Name APPNAME
    Sender Address URI:APNS:UMS_SENDERNAME
    Service Mode Sandbox
    Keystore Name apns
    Alias apns-sand-server
    Mobile App Topic com.oraclecorp.ums.demo

If you are not using EM to configure the driver in UMS, you must add the following APNS driver configuration to the configuration file:


<ns1:Property name="SenderAddresses" value="URI:APNS:UMS_SENDERNAME"/>
<ns1:Property name="ServiceMode" value="sandbox"/>
<ns1:Property name="KeyStoreName" value="apns"/>

#This Alias should be the same which is provided while importing CRM keys to the weblogic’s keystore
<ns1:Property name="Alias" value="apns-sand-server"/>

#Name of the mobile app topic to which push notification will be send. APNs uses the app's bundle ID as the default topic, e.g. 
'com.oraclecorp.example.myapp'.
<ns1:Property name="AppTopic" value="com.oraclecorp.ums.demo"/>

Task 6: Validate and Test the Driver

You must validate the driver to ensure the configuration is correct. After completing validation, the driver must be tested.

For information about saving driver properties, see Saving Driver Properties.

Common Properties

Table 4-17 shows common driver properties that are indicative of the capabilities of this driver for use by the messaging engine when routing outbound messages. Some properties are set by the driver developer and do not normally require modification, while others can be modified by the administrator to change the routing behavior. For detailed description of these properties, refer to Table 4-2. For the complete list of available values, see User Messaging Service Java API Reference.

Table 4-17 Common Properties of the APNS Driver

Name Mandatory Default Values

InstanceName

Yes

usermessagingdriver-apns

Capability

Yes

SEND, RECEIVE

SupportedDeliveryTypes

Yes

URI

SupportedContentTypes

Yes

text/plain, application/json

SupportedStatusTypes

Yes

DELIVERY_TO_GATEWAY_FAILURE,DELIVERY_TO_GATEWAY_SUCCESS,DELIVERY_TO_DEVICE_FAILURE

Cost

No

N/A

Speed

No

N/A

SupportedCarriers

Yes

N/A

Configuration Level

Yes

Server/Cluster

Supported Protocols

No

apns

Supported Application Names

No

Empty

Driver Type

No

User Messaging APNS Driver

SenderAddresses

No

N/A

DefaultSenderAddress

No

N/A
APNS Custom Properties

Table 4-18 lists configurable properties specific to the APNS driver.

Table 4-18 Custom Properties of the APNS Driver

Name Description Mandatory Default Values

Service Mode

Determines the APNs production environment

Yes

Keystore Name

Name of the keystore in KSS which holds the private key and certificated used for communication with APNs. UMS must be granted read permission to the keystore if a non-default keystore is used.

Yes

apns

Alias

Alias for the private key certificate pair in the keystore.

Yes

Mobile App Topic

Name of the mobile app topic (or apple mobile app ID) to which push notification is sent. APNs uses the app's bundle ID as the default topic.

Yes

Configuring GCM Driver

Google Cloud Messaging (GCM) driver is a UMS driver for mobile push notification service. It can send mobile push notifications to Android applications.

You must perform the following tasks to configure the GCM Driver.

Task 1: Obtaining Private Key File for App Service Account

GCM driver must be set up with the service account which is done by obtaining a private key file (JSON file). Perform the following steps to obtain the private key file:

  1. Open Firebase Console using the following URL:

    https://console.firebase.google.com

  2. Click the Project Settings icon.

    The Project Settings page is displayed.

  3. Select Service Accounts.
  4. In the Firebase Admin SDK dialog box, click Generate new private key.

    A JSON file is generated with details of the private key.

  5. Save the JSON file.

Task 2: Configuring GCM Driver in UMS

If you use EM to configure the driver in UMS, you must create or update the driver properties.

Perform the following steps to update the Drivers Properties:

  1. Navigate to the Drivers Properties page as shown below:

    EM, and then User Messaging Service, and then usermessagingdriver-apns, and then Driver Properties, and then Create

  2. In the Drivers Properties page, update the following fields:

    Table 4-19 Driver Properties

    Field Update
    Name GCM_APPNAME
    Sender Address URI:GCM:APPNAME
    Service Mode Production
    FCM Service Account JSON  
    Type of Password Indirect Password, Create new User
    Indirect Username/Key APPNAMEKEY
    Password Enter details of the Private key file (JSON file) obtained in Task 1. The file is added to WebLogic’s credential store.

If you are not using EM to configure the driver in UMS, you must add the private key to the credential store.

Run the following WLST command to add the private key to the credential store:

createCred(map="UCS", key="UMSDriver.GCM_APPNAME.ApiKey.APPNAMEKEY", user="UMSDriver.GCM_APPNAME.ApiKey.APPNAMEKEY", password="<content of private key file obtained in Task 1>", desc="")

For more information, see OPSS Security Store WLST Commands.

Add the GCM driver configuration to the configuration file to configure the driver in UMS as follows:


<ns1:Property name="SenderAddresses" value="URI:GCM:APPNAME"/>
<ns1:Property name="ApiKey" value="->UCS:UMSDriver.GCM_APPNAME.ApiKey.APPNAMEKEY"/>
<ns1:Property name="ServiceMode" value="production"/>

Task 3: Validate and Test the Driver

You must validate the driver to ensure the configuration is correct. After completing validation, the driver must be tested.

Common Properties

Table 4-20 lists common driver properties that are indicative of the capabilities of this driver for use by the messaging engine when routing outbound messages. Some properties are set by the driver developer and do not normally require modification, while others can be modified by the administrator to change the routing behavior. For detailed description of these properties, refer to Table 4-2. For the complete list of available values, see User Messaging Service Java API Reference.

Table 4-20 Common Properties GCM Driver

Name Mandatory Default Values

InstanceName

Yes

usermessagingdriver-gcm

Capability

Yes

SEND

SupportedDeliveryTypes

Yes

URI

SupportedContentTypes

Yes

text/plain

SupportedStatusTypes

Yes

DELIVERY_TO_GATEWAY_FAILURE,DELIVERY_TO_GATEWAY_SUCCESS,DELIVERY_TO_DEVICE_FAILURE

Cost

No

N/A

Speed

No

N/A

SupportedCarriers

Yes

N/A

Configuration Level

Yes

Server/Cluster

Supported Protocols

No

gcm

Supported Application Names

No

Empty

Driver Type

No

User Messaging GCM Driver

SenderAddresses

No

N/A

DefaultSenderAddress

No

N/A
GCM Custom Properties

Table 4-21 lists properties specific to this driver and generally associated with configuring access to the remote gateway and certain protocol or channel-specific behavior.

Table 4-21 Custom Properties GCM Driver

Name Description Mandatory Default Values

FCM Service Account JSON

Firebase service account JSON is used to authenticate Google Firebase API. This provides the driver authorized access to Google Firebase services.

Yes

Indirect Password, Create New User

Service Mode

Determines which environment the GCM driver sends notifications. Production means that notifications are sent to the URL Google’s Firebase API. Local means that notifications are sent to the URL specified in parameter LocalEndpointURL.

Yes

Production

Local Endpoint URL

URL for the GCM service. It is used only if the Service Mode is set to the value local. The parameter is mandatory when the Service Mode is set to local.

No

  

Parent topic: Common Properties

Configuring User Messaging Service Access to the LDAP User Profile

As part of the LDAP provider setup in a UMS deployment, you configure the User Name Attribute through the WebLogic Remote Console. If you configure that attribute with a value other than the default cn or if the user's email address is stored in an LDAP attribute which is different from mail, you must make an additional configuration change in Oracle Platform Security Services (OPSS) for UMS to successfully access the user profile to obtain the list of communication channels provisioned in LDAP, such as business email.

For more information about Oracle Platform Security Services (OPSS), see Securing Applications with Oracle Platform Security Services.

To configure access to the LDAP user profile:

  1. Configure the Identity Store to use LDAP by following instructions in Fusion Middleware Enterprise Deployment Guide for Oracle Business Intelligence.

    Note:

    You may have other properties defined in the Backing Up Configuration Files section.

  2. To use the value of the User Name Attribute while searching the back-end LDAP server for user profile, add the following element:

    <property name="username.attr" value="username_attribute_value"/>

    where username_attribute_value is the value of the User Name Attribute property in the LDAP provider configuration. For instance, if the value of the User Name Attribute is mail, add the following line: 

    <property name="username.attr" value="mail"/>

    The following sample code shows the above line inserted in the jps-config.xml file: 

    <!-- JPS WLS LDAP Identity Store Service Instance --> 
  
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider"> 
 
  <property name="idstore.config.provider"
value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvide
r"/> 

  <property name="CONNECTION_POOL_CLASS" 
value="oracle.security.idm.providers.stdldap.JNDIPool"/> 
 
  <property name="username.attr" value="mail"/> 
 
</serviceInstance>

    If the LDAP attribute containing the user's business email addresses is something other than the mail attribute, add the following element: 

    <property name="PROPERTY_ATTRIBUTE_MAPPING" value="BUSINESS_EMAIL=attr_containing_email"/>

    where attr_containing_email is the attribute name in the LDAP provider that contains the user's email address. For instance, if the user attribute containing the email address is externalEmail, add the following line: 

    <property name="PROPERTY_ATTRIBUTE_MAPPING" value="BUSINESS_EMAIL=externalEmail"/>

    The following sample code shows the above line inserted in the jps-config.xml file: 

    <!-- JPS WLS LDAP Identity Store Service Instance --> 
  
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">  
 
  <property name="idstore.config.provider"
value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvide
r"/>  

  <property name="CONNECTION_POOL_CLASS"
 value="oracle.security.idm.providers.stdldap.JNDIPool"/>  
 
  <property name="PROPERTY_ATTRIBUTE_MAPPING" value="BUSINESS_
EMAIL=externalEmail"/> 
 
</serviceInstance>

  3. Restart your domain.

Parent topic: Configuring Oracle User Messaging Service

Using Oracle User Messaging Service for Group Messaging

In addition to supporting bi-directional mutli-channel messaging through a variety of channels, UMS supports group messaging. This feature includes sending a message to a group of users by sending it to a group URI, or sending a message to LDAP groups (or enterprise roles) and application roles.

The group messaging feature enhances the capability of UMS by providing support for the following:

  • Sending messages to a group

  • Sending messages to a group through a specific channel

  • Sending messages to an application role

  • Sending messages to an application role through a specific channel

For more information about sending messages to groups and application roles, see "Sending Group Messages" in Developing Applications with Oracle User Messaging Service.

The group messaging feature does not require any new configuration of UMS. It reuses the UMS utility to access the User Role API. Since the User Role API configuration is not possible in UMS, any such configuration is done outside UMS. The User Role API is automatically configured to use the first Oracle WebLogic Server authenticator and does not require any special configuration.

Note:

For UMS to be able to resolve an application role, specific security grants are required. The application deployer must configure these security grants using WLST commands as shown in the following example:
connect('weblogic','welcome1','t3://host.example.com:7601')
 
grantPermission(codeBaseURL="file:MW_HOME/user_projects/domains/DOMAIN_NAME/servers/SERVER_NAME/tmp/_WL_user/usermessagingserver/-",permClass="oracle.security.jps.service.policystore.PolicyStoreAccessPermission",permTarget="context=APPLICATION,name=<appStripe>",permActions="getApplicationPolicy"
)

For more information about the security commands, see Infrastructure Security WLST Command Reference.

Parent topic: Configuring Oracle User Messaging Service

Configuring Automatic Message Resend

In 14c, the automatic resend feature can be configured to automate the administrator's resend. This means that when a message send attempt is classified as a complete failure, then the message is automatically scheduled for resend.

This is repeated until the message is successfully sent or the configured number of resends is achieved. The delay time and the maximum number of resends can be configured. Functionally, this is the same as an administrator manually resending the messages when the delay time has expired. The purpose of the automatic resend is to resolve temporary network problems or temporary unavailability of backend services.

The UMS server configuration parameters, ResendDefault, ResendDelay, and ResendMax have been introduced for configuring this feature. For more information about these parameters, see Table 4-1.

The number of resend attempts is configured for the server, but may be overridden programmatically per message by the client. The client can specify the number of resends to be used per message to override the ResendDefault server configuration parameter. Note that although overridden, it is limited by the ResendMax configuration parameter.

For more information about setting the number of resend attempts programmatically, see sections "Using UMS Java API to Specify Message Resends" and "Using UMS Web Service API to Specify Message Resends" in Developing Applications with Oracle User Messaging Service.

Note:

If message resend fails even after automatically trying to resend the message the maximum number of times, then the administrator can send it manually from the Enterprise Manager. The resend counter will be reset. If the maximum number of resends is configured to 0, then the behaviour will be identical to that in 12c, that is an administrator will have to manually select the failed message and resend it using the Enterprise Manager.

Parent topic: Configuring Oracle User Messaging Service

Securing the Oracle User Messaging Service

The User Communications Preferences User Interface can be secured at the transport-level using Secure Sockets Layer (SSL). By default, all deployed web services are unsecured. Web Service Security should be enabled for any services that are deployed in a production environment.

To enable SSL in the Oracle WebLogic Server, see "Configure SSL for Oracle WebLogic Server" in the Administering Oracle Fusion Middleware. This step is sufficient to secure the User Communication Preferences User Interface.

UMS supports the use of Oracle Web Services Manager WS-Security policies to protect UMS web services. For more information about Oracle Web Services Manager, see "Using Oracle Web Services Manager Security Policies", in Securing WebLogic Web Services for Oracle WebLogic Server.

The recommended security configuration for web services uses Security Assertion Markup Language (SAML) tokens to pass identities between web service clients and UMS. With SAML tokens, instead of the web service client passing a username and password to UMS, a trust relationship is established between the client and UMS because of exchanging certificates. Once this keystore configuration is in place, the web service client passes only the user identity, and vouches for the fact that it has authenticated the user appropriately.

The recommended policies to use for UMS web services are:

  • oracle/wss11_saml_token_with_message_protection_service_policy (server-side)

  • oracle/wss11_saml_token_with_message_protection_client_policy (client-side)

  • oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy (client-side)

    Note:

    The choice of client-side policy depends on the security context in which your application is executing.

    • If the thread that is making the web service call has the intended Subject associated with it (for example, from a web application that performs user authentication, or a Jakarta EE module with a run-as identity defined), then use the policy oracle/wss11_saml_token_with_message_protection_client_policy.

      The current thread Subject is passed through using the SAML Policy WS-Security headers. In this case you should not specify the parameter javax.xml.ws.BindingProvider.USERNAME_PROPERTY when creating your web service client instance.

    • If the thread that is making the web service call has an undefined Subject associated with it, or if you must programmatically supply a different identity, then use the policy oracle/wss11_saml_token_identity_switch_with_message_protection_client_policy, and specify the parameter javax.xml.ws.BindingProvider.USERNAME_PROPERTY when creating your web service client instance. If you want to perform dynamic identity switching, you must grant additional code permissions to your application. For more information, see Administering Web Services.

Parent topic: Configuring Oracle User Messaging Service

Web Service Security on Notification

The different web services include corresponding notification web services (MessageNotification) that run on the client side and receive notifications (message delivery status, message receipt, presence status change) when the appropriate event occurs.

Parent topic: Securing the Oracle User Messaging Service

Enabling UMS Web Service Security

To enable a policy for a UMS web service, see Securing WebLogic Web Services for Oracle WebLogic Server. You must select policy oracle/wss11_saml_token_with_message_protection_service_policy. This configuration must be repeated for each service that you want to secure.

Parent topic: Securing the Oracle User Messaging Service

Enabling Client Security

Web service client security must be enabled programmatically. When using the client libraries described in Developing Applications with Oracle User Messaging Service, WS-Security policy configuration is provided when a client object is constructed. The client constructors take an argument of type Map<String, Object>. In general when using SAML authentication, the key/value pairs () should be added to the configuration map in addition to other required properties such as the endpoint address.

Table 4-22 Client Security Keys

Key Typical Value 
oracle.ucs.messaging.ws.ClientConstants.POLICIES
 
oracle/wss11_saml_token_
with_message_protection_
client_policy
 
javax.xml.ws.BindingProvider.ENDPOINT_ADDRESS_PROPERTY
 Endpoint URL for the remote UMS WS. This is typically "http://<host>:<port>/ucs/messaging/webservice". 
javax.xml.ws.BindingProvider.USERNAME_PROPERTY
 (Optional) <valid username> Note: Do not specify this key while using oracle/wss11_saml_token_with_message_protection_client_policy. 
oracle.wsm.security.util.SecurityConstants.Conf
ig.KEYSTORE_RECIPIENT_ALIAS_PROPERTY
 (optional) keystore alias for target service. See Client Aliases. 
oracle.wsm.security.util.SecurityConstants.ClientConstants.WSS_CSF_KEY
 Used for OWSM policy attachment. Specifies a credential store key to use for looking up remote username/password information from the Oracle Web Services Management credential store map.

Example 4-4 Web Service Client Security

HashMap<String, Object> config = new HashMap<String, Object>();
config.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
 "http://example.com:8001/ucs/messaging/webservice");
config.put(oracle.ucs.messaging.ws.ClientConstants.POLICIES, new String[]
 {"oracle/wss11_saml_token_with_message_protection_client_policy"});
 
mClient = new MessagingClient(config);

Parent topic: Securing the Oracle User Messaging Service

Keystore Configuration

To use the recommended WS-Security policy, you must configure a keystore containing the public and private key information required by OWSM. Refer to "Configuring the Credential Store" in Securing Web Services and Managing Policies with Oracle Web Services Manager for information on how to configure the keystore and corresponding credential store entries.

  • If both your web service client and UMS server are in the same domain, then they share a keystore and credential store.

  • If your web service client and UMS server are in different domains, then you must import the UMS public key into your client domain's keystore, and must import your client domain's public key into the UMS keystore.

Parent topic: Securing the Oracle User Messaging Service

Client Aliases

When using certain WS-Security policies such as the SAML policy recommended here, the client must use the server's public key to encrypt the web service request. However, there is generally only one keystore configured per domain. Therefore, if you have a domain in which there are web service clients that communicate with web services in multiple other domains, then you may be required to override the default keystore entry used by OWSM.

For example, if you have a domain in which application "A" is a web service client to a UMS web service, and application "B" is a web service client to a web service in another domain, then A's requests must be encrypted using the public key of the UMS domain, and B's requests must be encrypted using the public key of the other domain. You can accomplish this goal by overriding the keystore alias used by OWSM for each request:

  • Import (for example) the UMS public key with alias "ums_public_key", and the other public key with alias "other_public_key".

  • When creating an UMS Web Service client, specify the recipient keystore alias parameter, setting the key to oracle.wsm.security.util.SecurityConstants.Config.KEYSTORE_RECIPIENT_ALIAS_PROPERTY and the value to "ums_public_key" as shown in Example 4-5.

  • The other web service client similarly must override the keystore alias, but the exact mechanism may differ. For example if using a JAX-WS client stub directly, then you can add the override property to the JAX-WS request context. See "Overriding the Policy Configuration for the Web Service Client" in Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server for more details.

Example 4-5 Client Aliases

HashMap<String, Object> config = new HashMap<String, Object>();
config.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
 "http://example.com:8001/ucs/messaging/webservice");
config.put(ClientConstants.POLICIES, new String[] {"oracle/wss11_saml_token_
identity_switch_with_message_protection_client_policy"});
config.put(BindingProvider.USERNAME_PROPERTY, "user1");
config.put(oracle.wsm.security.util.SecurityConstants.Config.CLIENT_CREDS_
LOCATION, oracle.wsm.security.util.SecurityConstants.Config.CLIENT_CREDS_LOC_
SUBJECT);
config.put(oracle.wsm.security.util.SecurityConstants.Config.KEYSTORE_RECIPIENT_
ALIAS_PROPERTY, "ums_public_key");
config.put(MessagingConstants.APPLICATION_NAME, "MyUMSWSApp");
mClient = new MessagingClient(config);

Parent topic: Securing the Oracle User Messaging Service

Securing JMS Resources

This (optional) procedure enables administrators to restrict access to the UMS' JMS resources (such as queues) for enhanced security.

To secure the JMS system resources, lock all JMS sub-deployments that start with the name UMSJMSSystemResource (there may be multiple automatically-created resources for UMS in a multi-server or cluster deployment) with the role OracleSystemRole. Do this using the WebLogic Remote Console, or you may run a WLST script (available at MIDDLEWARE_HOME/oracle_common/communications/bin/secure_jms_system_resource.py) as follows: 

MIDDLEWARE_HOME/oracle_common/common/bin/wlst.sh
./secure_jms_system_resource.py
-userConfigFile=<UserConfigFile>, -userKeyFile=<UserKeyFile> 
-url=<AdminServer_t3_url> -jmsSystemResource=<JMSSystemResourceName> -role=<SecurityRoleToUse>

The UserConfigFile shall contain encrypted username and password for the AdminUser. The key for the encrypted data shall be in UserKeyFile.

By default, the UMS system runs as the user OracleSystemUser for accessing JMS resources. If the user OracleSystemUser does not exist, or you secure the UMS JMS resources with any other role that some other user has been granted, you must override the default user identity used by the UMS system by specifying an alternate username.

Parent topic: Securing the Oracle User Messaging Service