Configuring Human Workflow Service Components and Engines

Configuring Human Workflow Notification Properties

You can configure human workflow notification properties, such as setting the notification mode for messages and setting actionable addresses. These properties are used to notify users of changes to the state of a task.

Workflow notifications can use three types of addresses:

From Address for sending notifications.
Actionable Address for receiving actionable responses.
Reply To Address for receiving reply notifications.

To configure human workflow notification properties:

Log in to Oracle Enterprise Manager Fusion Middleware Control.

Access the Workflow Notification Properties page in one of the following ways:

From the SOA Infrastructure Menu...	From the SOA Folder in the Navigator...
Select SOA Administration > Workflow Properties > Mailer tab.	Right-click soa-infra. Select SOA Administration > Workflow Properties > Mailer tab.

Description of workflow-notification-props.png follows

Description of the illustration workflow-notification-props.png

Select the Notification Mode:
- All: The email, short message service (SMS), and instant message (IM) channels are configured and notification is sent through any channel that you use.
- None: No channel is configured for sending notification messages. This is the default setting.
- Email: Only the email channel is configured for sending notification messages.

Specify notification channel values:

Field Description Example

Field	Description	Example
Email: From Address	Enter the outgoing email address from which end users receive notifications. The address you specify must match the sender addresses and the default sender address that you specify on the Email Driver Properties page of the Oracle User Messaging Service. Note: You can only receive error messages when the outgoing email address is also configured to receive incoming messages. This ensures that error messages from incorrect or nonexistent email addresses are captured by the server. Even if you configure a separate incoming account in the Email: Reply To Address field, error messages do not appear in the server logs. It is best practice to have From Address pointing to outgoing email address in the Email Driver Properties page.	`workflow.notifications@mycompany.com`
Email: Actionable Address	Enter the incoming email address for performing task actions. The actionable email account is the account in which task action-related emails are received and processed by human workflow. The address you specify must match the receiver addresses that you specify on the Email Driver Properties page of the Oracle User Messaging Service.	`workflow.actions@mycompany.com`
Email: Reply To Address	Enter the address to display in emails sent out from Oracle SOA Suite. It can be a dummy address such as `no.reply@mycompany.com` or a valid address. If a valid address is provided, and configured in the Messaging Driver page, then if a user replies to actionable email address, human workflow sends an automated email indicating the correct usage. This is another incoming email account. It is best practice to have this email account set to something other than Actionable email address on the Email Driver Properties page. (If it is set same as Actionable email address then auto reply or any reply to email notifications will be processed by workflow engine and at times will be responded back to as unsolicited email).	`workflow.no.reply@mycompany.com`

Email: From Address

Enter the outgoing email address from which end users receive notifications.

The address you specify must match the sender addresses and the default sender address that you specify on the Email Driver Properties page of the Oracle User Messaging Service.

Note: You can only receive error messages when the outgoing email address is also configured to receive incoming messages. This ensures that error messages from incorrect or nonexistent email addresses are captured by the server. Even if you configure a separate incoming account in the Email: Reply To Address field, error messages do not appear in the server logs.

It is best practice to have From Address pointing to outgoing email address in the Email Driver Properties page.

workflow.notifications@mycompany.com

Email: Actionable Address

Enter the incoming email address for performing task actions. The actionable email account is the account in which task action-related emails are received and processed by human workflow.

The address you specify must match the receiver addresses that you specify on the Email Driver Properties page of the Oracle User Messaging Service.

workflow.actions@mycompany.com

Email: Reply To Address

Enter the address to display in emails sent out from Oracle SOA Suite. It can be a dummy address such as no.reply@mycompany.com or a valid address. If a valid address is provided, and configured in the Messaging Driver page, then if a user replies to actionable email address, human workflow sends an automated email indicating the correct usage. This is another incoming email account.

It is best practice to have this email account set to something other than Actionable email address on the Email Driver Properties page. (If it is set same as Actionable email address then auto reply or any reply to email notifications will be processed by workflow engine and at times will be responded back to as unsolicited email).

workflow.no.reply@mycompany.com

Click Apply.
To configure advanced notification properties in the System MBean Browser, click More Workflow Notification Configuration Properties. Properties that are displayed include, but are not limited to, the following:
- ASNSDriverIMAddress: The address at which to receive incoming instant messages (IMs).
- CustomNSDriverPropertyNames: Returns custom notification services property names.
- FaxCoverPageCount: The return number of configured fax cover pages.
- RetryNotificationMessageThrottle: The number of email notification messages that can be processed during notification retry cycles. For more information, see Configuring the Number of Email Notification Messages.
Make changes appropriate to your environment.

Note:

If your IM message contains content that appears to be actionable, then acting upon the task from within the message does not cause any action to be taken. For example, acting upon the task in the following IM message does not cause any action to occur.

Help desk request for wfaulk  Task Help desk request for wfaulk
requires your attention.  NOTE: You can act on the task by
copy-pasting one of following  lines as your response.

RESOLVED : [[NID]] : 
Pt12uRUu9H+Xem4NYS2o7dKDtqNLs42d4YIs8ySO8Gn0ZVYFsb1SQVenRukRE+ 
IcE7c4XDb+tPazvP v9T2iA0qylDg0bTaVxX13HhsrCYAg= : [[NID]] 
UNRESOLVED : [[NID]] : 
xT9l06rbaGRAey+BtgQyJIXk62mkFtCe7ocKxwNLIsPzyE5/7AnGwXlBodEgQxr6 
jorvsw2F54k/C1 r5mvyAJpAp4I4IekOHi4qhQ3eSbBHdzET1IL4F3qV/KZ/BAUsq : 
[[NID]]

For information about managing incoming and outgoing notifications through email in human workflow, including testing that outgoing messages are arriving at the correct destination, see Managing Outgoing Notifications and Incoming Email Notifications.

Configuring the Notification Service to Send Notifications to a Test Address

You can configure the Oracle Human Workflow Notification Service to send all notifications to a test address instead of to a production address.

Use the System MBean Browser in Oracle Enterprise Manager to configure the Notification Service.

To configure the Notification Service to send notifications to a test address:

Log in to Oracle Enterprise Manager Fusion Middleware Control.

Navigate to the System MBean Browser in one of the following ways:

From the SOA Infrastructure Menu...	From the SOA Folder in the Navigator...
Select Administration > System MBean Browser.	Right-click soa-infra. Select Administration > System MBean Browser.

Search for the HWFMailerConfig Mbean by clicking the Find icon in the System MBean Browser navigator pane. From the Find list, select MBean Name, and, in the text box to the right of the list, enter HWFMailerConfig. Click the Find arrow.

The corresponding information appears in the right pane.
Select the Operations page. To set a test address:
1. In the Operations page, select addTestNotificationAddress. The Operation: addTestNotificationAddress page appears.
2. In the Parameters table, in the Channel row, in the Value column, specify the channel through which to send notifications. For example, Email, SMS, IM.
3. In the Parameters table, in the testNotificationAddress row, in the Value column, enter the address of the test recipient, for example, testAddress@yourDomain.com.
4. Click Invoke.
5. Shut down and restart the SOA server in order for the change to take effect.
Note that in the Enterprise Manager notification management screen, the original email address is still displayed as the To address.

The test user can respond to any actionable emails. Ensure that the test email address belongs to a user in the Identity store so that it is verified as part of response email processing.

When the notification service is initialized with a test address and the recipient address is switched with the test address, a Warning is written to the log. This can be useful to identify an incorrect configuration of the test notification address.

Removing a Test Address

To remove a test address:

In the Operations page, select removeTestNotificationAddress. The Operation: removeTestNotificationAddress page appears in the right pane.
In the Parameters table, in the Channel row, in the Value column, specify the channel you want to remove for the notification. For example, Email, SMS, IM.
Click Invoke.

Configuring Human Workflow Task Service Properties

You can assign the actionable email account name, specify workflow session timeout and custom class path URL properties values, configure dynamic assignment and task escalation functions of the assignment service, and set additional human workflow properties.

Dynamic assignment functions select a particular user, group, or application role from a group or application role, or a list of users, groups, or application roles. The selection is made according to criteria specific to the particular dynamic assignment function.

To configure human workflow task service properties:

Log in to Oracle Enterprise Manager Fusion Middleware Control.

Access the Workflow Task Service Properties in one of the following ways:

From the SOA Infrastructure Menu...	From the SOA Folder in the Navigator...
Select SOA Administration > Workflow Properties > Task tab.	Right-click soa-infra. Select SOA Administration > Workflow Properties > Task tab.

The upper part of the Workflow Task Service Properties page displays the field for the actionable email account and the pre-defined dynamic assignment functions.

Description of workflow-notification-task.png follows

Description of the illustration workflow-notification-task.png

Enter the following details.

Function Description

Function	Description
Actionable Email Account	Enter the incoming, actionable email account to use. The default account name is Default, which is the account configured in Configuring Human Workflow Notification Properties. If a different account name is specified in this field, then create and configure the account as described in Configuring Multiple Send Addresses.
Workflow Service Session Timeout (in minutes)	Enter the length of time that users logged in to Oracle BPM Worklist can remain inactive before their session expires, and they are required to log in again. This also applies to authenticated sessions created through one of the `TaskQueryService` authentication methods.
Workflow Custom Classpath URL	Enter the URL class path. This is the class path used by workflow services to look up classes implementing custom dynamic assignment and task escalation functions, custom callbacks, and customized instances of the system resource bundle, `WorkflowLabels.properties`. This can be any valid URL (either a local file path or remote URL). The class path can specify either a directory or a JAR file. The URL must include the protocol; for a class path on the local filesystem, the file protocol must be specified, such as 'file:///example/directory/'.If the URL specifies a directory, it must include a trailing slash ('`/`') character. The classpath can consist of more than one URL; each URL in the classpath can be delimited with a comma character (',').

Actionable Email Account

Enter the incoming, actionable email account to use.

The default account name is Default, which is the account configured in Configuring Human Workflow Notification Properties. If a different account name is specified in this field, then create and configure the account as described in Configuring Multiple Send Addresses.

Workflow Service Session Timeout (in minutes)

Enter the length of time that users logged in to Oracle BPM Worklist can remain inactive before their session expires, and they are required to log in again. This also applies to authenticated sessions created through one of the TaskQueryService authentication methods.

Workflow Custom Classpath URL

Enter the URL class path. This is the class path used by workflow services to look up classes implementing custom dynamic assignment and task escalation functions, custom callbacks, and customized instances of the system resource bundle, WorkflowLabels.properties.

This can be any valid URL (either a local file path or remote URL). The class path can specify either a directory or a JAR file. The URL must include the protocol; for a class path on the local filesystem, the file protocol must be specified, such as 'file:///example/directory/'.If the URL specifies a directory, it must include a trailing slash ('/') character.

The classpath can consist of more than one URL; each URL in the classpath can be delimited with a comma character (',').

Go to the Dynamic Assignment and Task Escalation Functions section.

The dynamic assignment functions are defined in the following table. You can also create your own functions and register them with the workflow service.

Function	Type	Description
MANAGERS_MANAGER	Task escalation	This function picks the manager's manager for the task.
ROUND_ROBIN	Dynamic assignment	This function picks each user, group, or application role in turn. This function uses the initialization parameter `MAX_MAP_SIZE`. This parameter specifies the maximum number of sets of users, groups, or roles for which the function can maintain `ROUND_ROBIN` counts. The dynamic assignment function holds a list of participants in memory for each group, role (or list of users, groups or roles) on which it is asked to execute the `ROUND_ROBIN` function.
LEAST_BUSY	Dynamic assignment	This function picks the user, group or role with the least number of tasks currently assigned to it.
MOST_PRODUCTIVE	Dynamic assignment	This function picks the user, group, or role that has completed the most tasks over a certain time period (by default, the last seven days). This function uses the initialization parameter `DEFAULT_TIME_PERIOD`. This parameter specifies the length of time (in days) over which to calculate the productivity. This value can be overridden when calling the `MOST_PRODUCTIVE` dynamic assignment function.

Click a function to display its parameters and values in the Parameters section.
Click Add to add a function. You are prompted to specify the following:
- Function name
- Class path
- Function parameter name
- Function parameter value
Click OK.
To update the value of a parameter in a function, select the function in the Dynamic Assignment and Task Escalation Functions table.

The parameter value is displayed for editing.
Update the value.

Expand the Advanced section.

The Advanced section displays the following properties:

Description of soaadmin_hwf_taskservpropl.png follows

Description of the illustration soaadmin_hwf_taskservpropl.png

These properties are defined in the following table.

Properties	Description
Worklist Application URL	In the emails that are sent for tasks, the link to Oracle BPM Worklist is read from this property. This element identifies the URL. Configuring this is useful if the custom Oracle BPM Worklist is built. The tag `PC_HW_TASK_ID_TAG` in this URL is replaced with the task ID when constructing the URL for the email.
Pushback Assignee	A task can be pushed back to the previous approver or previous initial assignees. The original assignees may not be the approver because they may have reassigned the task, escalated the task, and so on. The possible values for this element are INITIAL_ASSIGNEES and APPROVER.
Portal Realm Mapping	This property is used when authenticating a user from an HTTP servlet request through the task query service method `createContext` (for example, when Oracle BPM Worklist runs in a single sign-on (SSO) environment). The HTTP servlet request does not carry information about the identity service realm to which the remote user belongs; this parameter is used to configure which realm to use to authenticate the user in an HTTP servlet request remote user. Note: This property is no longer used and therefore, must not be altered.
Task Auto Release Configuration	When a task is assigned to a group, application role, or multiple users, a user must first acquire the task before working on it. After the task is acquired, other users cannot work on the task. If a user acquires a task, but does not act on it, the task is eventually automatically released, allowing other users to acquire the task. This prevents a user from acquiring tasks, then forgetting to work on them. This prevents others from working on them. Task automatic release enables you to configure the time period that elapses after a user acquires a task and before the system automatically releases the task and makes it available again to other users. The automatic release durations can be configured as a default duration and as a percentage of the expiration duration of a given task. The automatic release durations can also be configured differently for tasks of different priority. For example, assume the task automatic release duration for priority 2 tasks is set to 50%, with a default duration of 12 hours. If a priority 2 task is set to expire in two days, the task is automatically released after one day (which is 50% of the expiration duration). If no expiration date is set for the task, then the task is automatically released after 12 hours (which is the default automatic release duration).

Make changes appropriate to your environment.
Click Apply.
To configure advanced task service properties in the System MBean Browser, click More Workflow Taskservice Configuration Properties. See Configuring Human Workflow Notification Properties for a list of some advanced properties that are displayed.
Make changes appropriate to your environment.

For more information about the task service and assignment service, see Developing SOA Applications with Oracle SOA Suite.

Configuring Oracle HTTP Server for Task Form Attachments

When adding an attachment to the task form through Oracle HTTP Server (OHS), include the location, /ADFAttachmenthelper, in the OHS configuration.

For example, add the following to the mod_wl_ohs.config file of OHS, under instance_home/config/OHS/ohs_instance:

<Location /ADFAttachmentHelper>
       SetHandler weblogic-handler
       PathTrim /weblogic
        ErrorPage  http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
</Location>

Configuring Oracle Advanced Queuing for Oracle Human Workflow Notifications

Understand how to configure Oracle Advanced Queuing for Oracle Human Workflow Notifications.

To configure Oracle Advanced Queuing for Oracle Human Workflow notifications, set the managed bean property UseAQ under the HWFMailer configuration in Oracle Enterprise Manager Fusion Middleware Control to TRUE. Restart the SOA server.

After the server restarts, new notification messages are enqueued onto Oracle Advanced Queuing. Pending messages in the JMS queue are enqueued onto Oracle Advanced Queuing by the notification retry thread.

Configuring the Pluggable Notification Service

You can plug in and use custom notification service implementations instead of the default notification service providers.

You can plug in a custom notification service for all channels or selectively for specific channels. For example, the notification service provides the ability to plug in an existing SMS implementation instead of the default SMS notification service.

Pluggable Notification Service Implementation

To plug in a notification service, perform one of the following tasks:

Implement interface oracle.bpel.services.notification.ICustomNotificationService
Extend the abstract class oracle.bpel.services.notification.AbstractCustomNotificationServiceImpl.

This interface has methods for the following channels:

Email
SMS
IM

The plugged-in notification service can override the default providers for one or more channels. When the custom notification service is overriding the default implementation for a subset of channels, the methods corresponding to the other channels (channels that are not overridden) are not called by the notification service. Those methods can just return a null value. Alternatively, the implementation can extend the following abstract class:

oracle.bpel.services.notification.AbstractCustomNotificationServiceImpl

This class provides empty implementations for each of the channels. In that case, the implementation can just extend the methods for the appropriate channels.

The implementation and its dependent classes must be available in the class path of Oracle WebLogic Server.

Pluggable Notification Service Registration

After the implementation is available, you register it in the System MBean Browser.

To register the pluggable notification service:

Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the Navigator, expand the SOA folder.
Right-click soa-infra, and select Administration > System Mbean Browser.

The System MBean Browser is displayed on the right side of the page.
Expand Application Defined MBeans > oracle.as.soainfra.config > Server: server_name > HWFMailerConfig > human-workflow.
Click the CustomNSDriverPropertyNames property on the right side of the page.
Record the values displayed by CustomNSDriverPropertyNames for the All, Email, Fax, Pager, SMS, and IM properties.
Click Return.
Click the Operations tab.
Click setCustomNSDriverPropertyValue.

Description of the illustration hwf_plugnotif.png
In the Value field for propertyName, enter one of the values you noted down for the All, Email, Fax, Pager, SMS, and IM properties on the CustomNSDriverPropertyNames page. Note the following details:
- If you are overriding the default implementation for only the email channel, use the Email value in the Value field for propertyName and the complete class name of your implementation in the Value field for propertyValue.
- The override for other channels is configured the same way as the email channel.
- Using the value of the All property in the Value field for propertyName refers to an implementation for all specified channels.
In the Value field for propertyValue, provide the complete class name of your implementation.
Click Invoke.
Restart Oracle WebLogic Server.

Globally Disabling the Automatic Release Timers for Oracle BPM Worklist Tasks

If automatic release timers are enabled for all Oracle BPM Worklist tasks and this is creating overhead for the database and JVM, you can globally disable the timers.

To globally disable the automatic release timers for Oracle BPM Worklist tasks:

Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the Navigator, expand the SOA folder.
Right-click soa-infra, and select Administration > System Mbean Browser.

The System MBean Browser is displayed on the right side of the page.
Expand Application Defined MBeans > oracle.as.soainfra.config > Server: server_name > WorkflowConfig > human-workflow > WorkflowConfig.TaskAutoReleaseConfiguration.
Select the task priority to modify. Each task instance has a priority.
- Priority[1]
- Priority[2]
- Priority[3]
- Priority[4]
- Priority[5]
In the Attributes tab, click DefaultDuration.
In the Value field, enter P0D to indicate zero days. The default value is P1D (one day).
Click Apply.
Perform Steps 5 through 8 for any remaining priorities for which you want to disable automatic release.

When complete, the automatic release timers for newly created task instances with the priority you modified are disabled.

Configuring the Number of Email Notification Messages

You can control the number of email notification messages that can be processed during notification retry cycles with the System MBean Browser RetryNotificationMessageThrottle property. This property prevents the overloading of messages in the queue and reduces the memory size of the notification message payload.

To configure the number of email notification messages:

Log in to Oracle Enterprise Manager Fusion Middleware Control.

Access the Workflow Notification Properties page in one of the following ways:

From the SOA Infrastructure Menu...	From the SOA Folder in the Navigator...
Select SOA Administration > Workflow Properties > Mailer tab.	Right-click soa-infra. Select SOA Administration > Workflow Properties > Mailer tab.

Description of the illustration workflow-notification-props.png

Click More Workflow Notification Configuration Properties.
Click RetryNotificationMessageThrottle.
In the Value field, enter a value. The default is 200000 messages.
Click Apply.

Configuring Multiple Send Addresses

It may be necessary in some processes to distinguish email notification based on the from address of the email. For example, a human resources BPEL process sends emails with the from address set as HR@yourcompany.com, while a finance BPEL process sends emails with the from address set as finance@yourcompany.com.

To configure multiple send addresses:

Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the Navigator, expand the SOA folder.
Right-click soa-infra, and select Administration > System Mbean Browser.

The System MBean Browser is displayed on the right side of the page.
Expand Application Defined MBeans > oracle.as.soainfra.config > Server: server_name > HWFMailerConfig > human-workflow.
Under the Attributes tab, record the value of the ASNSDrivers attribute. By default, only the Default value is available.
Click Return.
Click the Operations tab.
Click setASNSDriver.
For propertyName, enter a value (for this example, EmailFromAddress).
For propertyValue, enter a value (for this example, HR@yourcompany.com).
For driverName, enter a value (for this example, HR).
Click Invoke.
Add as many accounts as the number of from addresses needed:
- For propertyName, enter a value (for this example, EmailFromAddress).
- For propertyValue, enter a value (for this example, finance@yourdomain.com).
- For driverName, enter a value (for this example, Finance).
Click Invoke.

The ASNSDriver attribute now shows all the accounts created in the previous steps and the getASNSDriverAddresses operation now shows the addresses being used for each of the drivers. For more information, see Section "Configuring Oracle User Messaging Service" of Administering Oracle User Messaging Service.
Using Oracle WebLogic Remote Console, install multiple Oracle User Messaging Service email drivers, one for each from address.
Configure the email drivers to use the required from address for sending outgoing emails.
In Oracle JDeveloper during design time, use HR as the account name to configure an email activity for an HR BPEL process and Finance as the account name to configure an email activity for the finance BPEL process.

Configuring Notification Retries

Oracle SOA Suite provides support for reliable notifications.

The outbound notification creates a notification message with a unique notification ID and stores the message and unique ID in the dehydration store. It then enqueues this unique ID in the JMS queue and commits the transaction.

A message-driven bean (MDB) listening on this queue dequeues the message and sends a notification to the user. If there is any notification failure, the notification retries three times. If the retries all fail, it marks this notification as being in error.

Configuring the Identity Service

By default, the identity service uses the embedded LDAP server in Oracle WebLogic Server as the default authentication provider. You can, however, configure Oracle WebLogic to use an alternative authentication provider, such as Oracle Internet Directory, Microsoft Active Directory, or Oracle iPlanet, along with the default authenticator.

Learn how to add an authentication provider and create users and groups in the authentication provider using either Oracle WebLogic Remote Console or Oracle Directory Services Manager.

For more information on configuring multiple LDAP authentication providers, see Configuring the Identity Store Service in Securing Applications with Oracle Platform Security Services.

For information about installing and using the organizational hierarchy of users and groups known as the demo user community, see Installing the Demo User Community in the Database.

Note:

Oracle Fusion Middleware supports providers that enable the User and Role API to interact with custom identity stores.

Adding an Authentication Provider

You can add an authentication provider to a security realm using the Oracle Weblogic Remote Console.

To add an authentication provider:

Log in to the Oracle Weblogic Remote Console.
Go to Edit Tree.
Select Security > Realms > Authentication Providers.

The Authentication Providers page appears.

Description of the illustration wlconsole_providers_auth.png
Click New to add a new authentication provider.

The Create a New Authentication Provider page appears.

Description of the illustration wlconsole_providers_create.png
In the Name field, type a name for the provider, choose the authenticator type using the Type drop-down list, and click OK.
For example, you can type OIDAuthenticator as the name and choose OracleInternetDirectoryAuthenticator as the type for a provider that authenticates users using the Oracle Internet Directory.
Similarly, you can type a name and choose any of the following type for a provider from the list to specify the corresponding authenticator.
- Active Directory Authenticator
- Cloud Security Agent Identity Asserter
- Oracle Cross Tenant Authenticator
- Custom DBMS Authenticator
- Default Authenticator
- Default Identity Asserter
- LDAP Authenticator
- LDAP X509 Identity Asserter
- Negotiate Identity Asserter
- Oracle Access Manager Authenticator
- Oracle Access Manager Identity Asserter
- WebLogic OpenID Connect Identity Asserter
- Open LDAP Authenticator
- Oracle Identity Cloud Integrator
- Oracle Internet Directory Authenticator
- Oracle Unified Directory Authenticator
- Read Only SQL Authenticator
- SAML Authenticator
- SAML Identity Asserter V2
- SAML2 Identity Asserter
- SQL Authenticator
- Trust Service Identity Asserter
- Virtual User Authenticator
Note:

When using Oracle Internet Directory as the authentication provider, you must set the orclsslinteropmode attribute to 0 (zero) using Oracle Directory Services Manager. See Configuring the Directory Service for more information.
Navigate to Security > Realms > Authentication Providers and select the authenticator created.

The settings for the authentication provider appears.

Description of the illustration wlconsole_providers_set.png
From the Control Flag drop-down list, choose SUFFICIENT, and click Save.

This specifies that if a user is authenticated successfully using this authenticator, WebLogic should accept the authentication and not continue to invoke any additional authenticators. If the authentication fails, Oracle WebLogic Server attempts to authenticate the user using the next authenticator in the list.

If you set the Control Flag to SUFFICIENT, ensure that all subsequent authenticators also have the Control Flag set to SUFFICIENT. Likewise, ensure that the Control Flag of the default authenticator is set to SUFFICIENT as well.
Click Provider Specific to enter the details for the authenticator server.

Enter the provider-specific information about the authentication provider, enable the Use Retrieved User Name as Principal option, and click Save.

You must specify the following information. Use the default setting for the rest of the fields.

Field	Description
Host	The hostname or IP address on which the authenticator server is running.
Port	The port number on which the authenticator server is running.
Principal	The Distinguished Name (DN) of the authenticator server user that Oracle WebLogic Server should use when connecting to the server.
Credential	The credential (usually a password) used to connect to the authenticator server.
User Base DN	The base Distinguished Name (DN) of the tree in the LDAP directory that contains users.
Group Base DN	The base Distinguished Name (DN) of the tree in the LDAP directory that contains groups.
Use Retrieved User Name as Principal	Specifies whether to use the user name retrieved from the LDAP server as the principal in the subject.
User Name Attribute	The attribute of an LDAP user object class that specifies the name of the user (for example, `UID`, `CN`, `MAIL`).

Note:

The same user name attribute must be used for the fields: All User Filter, User from Name Filter and User Name Attribute.

Click Security Realms > Providers > Authentication to return to the list of authentication providers.
Click Reorder.

The Reorder Authentication Providers page appears.

Description of the illustration wlconsole_providers_reorder.png
Select the new authentication provider, click the Up arrow to move the provider to the top of the list, and click OK.

After reordering, the DefaultAuthenticator should appear at the bottom of the list. This action enables the system to handle logins as weblogic that are not typically in an LDAP directory, but still must be authenticated to start the server.

If multiple authentication providers are configured, authentication falls through the list of authenticators according to the control flags set. But the Java Portlet Specification (JPS) provides authorization against only the first entry in the list of providers.

Updating the User Attribute

You can modify the settings of the authentication provider in Oracle Weblogic Remote Console to use your email address as your login user (user attribute). You must perform the following steps:

Log in to Oracle Weblogic Remote Console.
Navigate to Security Data Tree.
Under Realms, click the name of the realm you want to modify.
Select Authentication Providers and then select DefaultAuthenticator.
Under DefaultAuthenticator, select Users and then select the user you want to modify. Further, select Attributes tab.
In the Attributes tab, you can set or modify values for the attributes of the selected user.
Click Save.

Configuring Multiple Authentication Providers

Starting with 11.1.1.4, you can authorize users and groups from multiple authenticators. Add the following property to the idstore instance in the $DOMAIN_HOME/config/fmwconfig/jps-config.xml file:

<serviceInstance name="idstore.ldap"
  provider="idstore.ldap.provider">
   ............................
   <property name="virtualize" value="true"/>
   ..............................
</serviceInstance>

Creating Users and Groups in the Authentication Provider

You can create users and groups in the authentication provider using either Oracle WebLogic Remote Console or Oracle Directory Services Manager.

Creating Users Using WebLogic Remote Console

You can create users for a specific provider, and define user membership, using the Oracle WebLogic Remote Console.

To create a user using WebLogic Remote Console:

Log in to the Oracle WebLogic Remote Console.
In the Security Data Tree, go to Realms, realm, then Authentication Providers, then DefaultAuthenticator, then Users.
Click New.
Enter a Name, Description, and Password for the user.
User names must be unique in the security realm and passwords must be eight characters or longer.
Click Create.

To add a user to a group, select the Membership tab and move a group under Available over to Chosen.

Creating Groups Using WebLogic Remote Console

You can create groups for a specific provider, and define group membership, using the Oracle WebLogic Remote Console.

To create a group using WebLogic Remote Console:

In the Security Data Tree, go to Realms, realm, then Authentication Providers, then DefaultAuthenticator, then Groups.
Click New.
Enter a Name (and optionally, a Description) for the group.
Group names must be unique in the security realm.
Click Create.

You can nest a group under another so it inherits policies. Under the Membership tab, move groups from Available over to Chosen and the current group will be nested under the Chosen groups.

Creating Users and Groups Using Oracle Internet Directory

You can create users and groups using Oracle Internet Directory through the Oracle Directory Services Manager.

To connect to Oracle Internet Directory from the Oracle Directory Services Manager:

Launch the Oracle Directory Services Manager by navigating to the following URL using a web browser:
```
http://host_name:port/odsm/faces/odsm.jspx
```
where host_name and port are the hostname and the managed server port number on which Oracle Internet Directory is running.
Click the Connect to a directory link and choose Create a New Connection in the drop-down menu. The New Connection dialog appears.

Select OID as the directory type, enter values in the required fields, and click Connect.

You can specify the following information.

Field	Description
Name	The name of the connection.
Server	(Required) The hostname or IP address of the system on which Oracle Internet Directory is running.
Port	(Required) The port number on the system on which Oracle Internet Directory is running.
SSL Enabled	Select to enable Secure Sockets Layer (SSL) communication.
User Name	(Required) The user name used to log in to Oracle Internet Directory.
Password	(Required) The password associated with the user name.
Start Page	The start page after logging into Oracle Internet Directory.

The Oracle Directory Services Manager Home page appears.

Click the Data Browser tab. You can use this page to create and remove entries.

How to Create a Domain

To create a domain:

Click the Create a new entry button in the Data Tree pane. The Entry Properties page of the Create New Entry wizard appears.
Click the Add button to add the required object class for the domain. The Add Object Class dialog appears.
Enter the name of the object class. When the correct object class appears in the Name list, select it, and click OK.
Repeat Steps 2 and 3 to add all the required object classes for the domain. Generally, top, domain, and orclContainer are the object classes required for a domain.

Note:

LDAP operations from Oracle SOA Suite can take a long time to complete if you do not index the correct LDAP attributes. The recommended searchable attribute list for indexing is cn, sn, givenName, uid, manager, title, mail, and telephoneNumber.
Click Browse to choose the parent of the domain. The Select Distinguished Name (DN) Path dialog appears.

Description of the illustration odsm_select_dnpath_domain.gif
Select the parent of the domain and click Select. You can create a hierarchy of entries by selecting the appropriate parent domains.
Click Next in the Create New Entry dialog. The Mandatory Properties page of the Create New Entry wizard appears.

Enter and select values for the required fields, and click Next.

You can specify the following information.

Field	Description
dc	(Required) The domain component.
Relative Distinguished Name	(Required) The relative distinguished name of the user.

The Status page of the Create New Entry wizard appears.

Verify the status of the new domain, and click Finish to create the new domain.

How to Create a User

To create a user:

Click the Create a new entry button in the Data Tree pane. The Entry Properties page of the Create New Entry wizard appears.
Click the Add button to add the required object class for the user. The Add Object Class dialog appears.
Enter the name of the object class. When the correct object class appears in the Name list, select it, and click OK.
Repeat Steps 2 and 3 to add all the required object classes for the user. Generally, top, person, inetorgperson, organizationalPerson, and orcluser are the object classes required for a user.
Click Browse to choose the parent of the user. The Select Distinguished Name (DN) Path dialog appears.

Description of the illustration odsm_select_dnpath_user.gif
Select the parent of the user and click Select.
Click Next in the Create New Entry dialog. The Mandatory Properties page of the Create New Entry wizard appears.

Enter and select values for the required fields, and click Next.

Specify the following information.

Field	Description
cn	(Required) The common name.
sn	(Required) The surname (last name).
Relative Distinguished Name	(Required) The relative distinguished name of the user.

The Status page of the Create New Entry wizard appears.

Verify the status of the new user, and click Finish to create the new user.
Click the entry for the newly-created user in the Data Tree pane. The Person page for the user appears.

Description of the illustration odsm_select_person_tab.gif
Enter details about the user, and click Apply.

How to Create a Group

To create a group:

Click the Create a new entry button in the Data Tree pane. The Entry Properties page of the Create New Entry wizard appears.
Click the Add button to add the required object class for the group. The Add Object Class dialog appears.
Enter the name of the object class. When the correct object class appears in the Name list, select it, and click OK.
Repeat Steps 2 and 3 to add all the required object classes for the group. Generally, top, groupOfUniqueNames, and orclGroup are the object classes required for a group.
Click Browse to choose the parent of the group. The Select Distinguished Name (DN) Path dialog appears.

Description of the illustration odsm_select_dnpath_group.gif
Select the parent of the group and click Select.
Click Next in the Create New Entry dialog. The Mandatory Properties page of the Create New Entry wizard appears.

Enter and select values for the required fields, and click Next.

Specify the following information.

Field	Description
cn	(Required) The common name.
Relative Distinguished Name	(Required) The relative distinguished name of the group.

The Status page of the Create New Entry wizard appears.

Verify the status of the new group, and click Finish to create the new group.
Click the entry for the newly-created group in the Data Tree pane. The Group page for the group appears.

Description of the illustration odsm_select_group_tab.gif
Specify details about the group, and click Apply.

How to Delete an Entry

To delete an entry:

Select an entry in the Data Tree pane.
Click the Delete this entry button in the Data Tree pane.

Configuring the Directory Service

When using Oracle Internet Directory as the authentication provider, you must set the orclsslinteropmode attribute to 0 (zero) using Oracle Directory Services Manager.

Note:

If the GUID attribute in the LDAP server is set to a binary value, which cannot be properly handled in the identity service, you must map it to a unique attribute that exists in both the user and group object classes and cannot have a binary value. For example, if the cn attribute is unique, it can be used because it satisfies both of these requirements.

You map GUID to cn in the jps-config.xml file:

<property value="GUID=cn" name="PROPERTY_ATTRIBUTE_MAPPING"/>

For more information about identity store attribute mapping, see Chapter "Developing with the User and Role API" of the Securing Applications with Oracle Platform Security Services.

To configure the directory service:

Launch Oracle Directory Services Manager and choose an Oracle Internet Directory connection using the drop-down list.
Click the Data Browser tab.
Expand the cn=subconfigsubentry > cn=osdldapd > cn=oid1 nodes.

Description of the illustration odsm_oid_attributes.gif
In the Attributes page, set the orclsslinteropmode attribute to 0.
Click the Apply button.

Customizing the Identity Provider

To customize the identity provider (for example, to handle user and role information stored in home grown solutions), visit the following URL:

http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html

Seeding Users, Groups, and Application Roles using LDAP Tools

Get an overview of the procedures required for seeding users, groups, and application roles with LDAP tools.

When you create a task, you assign humans to participate in and act upon the task. Participants can perform actions upon tasks during runtime from Oracle BPM Worklist, such as approving a vacation request, rejecting a purchase order, providing feedback on a help desk request, or some other action. There are three types of participants:

Users
Groups
Application roles

For more information, see Developing SOA Applications with Oracle SOA Suite.

Changing the Default Password in the Embedded LDAP Server

The password credential is accessible from the Oracle WebLogic Remote Console by performing the following steps.

In the Edit Tree, go to Environment, then Domain.
On the Security tab, select the Embedded LDAP subtab.
Update the values as desired for your environment.
Click Save and commit your changes.
Restart the server.

For instructions on changing the default password credential, see Configure the Embedded LDAP Server.

Seeding Users or Groups through the LDAP Browser

To seed users or groups through the LDAP browser:

Start an LDAP browser (for example, openLdap browser, ldapbrowser, jXplorer, and so on). See the documentation for your browser for instructions.
Connect to the LDAP server by providing the hostname, port number on which the server is running, and the administration user credentials with which to log in.

For Embedded LDAP
1. The default managed server port number is 7001.
2. The administration credential username is cn=admin.
3. The administration credential password is what you set in Changing the Default Password in the Embedded LDAP Server.
For OIDm
1. The default port number is 3060.
2. The administration username is cn=orcladmin.
3. The administration password is the password for the LDAP server.
Seed a user or group through the browser by performing the following steps:
1. Select a parent under which to add a user or group.
2. Select the Edit menu and choose an appropriate option to add a new entry.
3. Enter all required attribute values for the entry.
Seed users or groups through the LDIF file by performing the following steps:
1. Select the domain under which to seed the users or groups.
2. Select the LDIF menu and choose to import an LDIF file.
3. In the Import LDIF File dialog, browse for and select the LDIF file and click Import.
  
  Similarly, the users or groups seeded on the LDAP server can be exported to an LDIF file by selecting the Export option from the LDIF menu.
Add attributes to the users or groups by performing the following steps:
1. Select an entry for which to add a new attribute.
2. Right-click and choose the option to add a new attribute.
3. In the Add Attribute dialog, provide the name and value of the attribute.
  
  You can only add attributes that are defined in the LDAP server schema.
Delete attributes for users or groups by performing the following steps:
1. Select an entry for which to delete a new attribute.
2. Select an attribute from the list of attributes and delete it.

Seeding Application Roles Using WLST Scripts

For instructions on using the WebLogic Scripting Tool (WLST) to seed application roles, see OPSS Security Store WLST Commands in WLST Command Reference for Infrastructure Security.

Managing Application Roles in Oracle Enterprise Manager Fusion Middleware Control

This section describes how to manage application roles in Oracle Enterprise Manager Fusion Middleware Control.

Note:

Follow these steps to provide nonadministrators with access to Oracle SOA Composer. This is accomplished by assigning the SOADesigner role to users or groups on the Edit Application Role page. The users must exist in the Oracle WebLogic Server realm.

To manage application roles in Oracle Enterprise Manager Fusion Middleware Control:

In the navigator, select the appropriate Oracle WebLogic Server under WebLogic Domain > Farm_Domain_name.
Right-click the domain name, and select Security > Application Roles.
Create an application role by performing the following steps:
1. In the Application list, select the application name (server_name/soa-infra) under which to create a role.
2. Select the Create option in the Application Roles page.
  
  The Create Application Role page appears.
3. Enter the role name, display name, and description for the application role.
4. Add members by selecting Add Role in the Roles section and Add User in the Users section.
5. Click OK to create the application role.
Edit application roles by performing the following steps:
1. In the Select Application Name to Search list of the Search section of the Application Roles page, select an appropriate application (for example, soa_server1/soa-infra).
2. To the right of the Role Name list, click the Search icon.
  
  This action lists all the application roles created for that application.
3. Select the application role to edit (for example, select SOADesigner).
4. Click Edit.
  
  The Edit Application Role page appears.
5. Add application roles and groups in the Roles section and users in the Users section (for example, assign SOADesigner to a user to which to provide access to Oracle SOA Composer). The user must be defined in the Oracle WebLogic Server realm.
6. Click OK.
Delete application roles by performing the following steps:
1. In the Select Application Name to Search list of the Search section of the Application Roles page, select an appropriate application.
2. To the right of the Role Name list, click the Search icon.
  
  This action lists all the application roles created for that application.
3. Select the application role to delete.
4. Click the Delete button to delete the application role.
5. Click Yes in the Confirmation dialog.

Enabling Case Agnostic Group Names in Human Tasks

By default, only user names in human tasks are case agnostic (case insensitive). This behavior is controlled by the value of the caseSensitive property in the System MBeans Browser for users, which is set to false by default. Group names in human tasks must be identical to what is seeded in the user directory. However, if you also want group names in human tasks to be case agnostic, you must set the caseSensitiveGroups property to false.

To enable case agnostic behavior for group names in human tasks:

Right-click soa-infra, and select Administration > System Mbean Browser.

The System MBean Browser is displayed on the right side of the page.
Expand Application Defined MBeans > oracle.as.soainfra.config > Server: server_name > WorkflowIdentityConfig > human-workflow > WorkflowIdentityConfig.PropertyType > caseSensitiveGroups.
Click Value.
In the Value field, enter false.
Click Apply.

Description of hwf_humantasks.png follows

Description of the illustration hwf_humantasks.png

Configuring Security Policies for Human Workflow Web Services

A policy set, which can contain multiple policy references, enables you to attach policies globally to a range of endpoints of the same type.

Attaching policies globally using policy sets enables you to ensure that all subjects are secured in situations in which multiple users, such as a developer, assembler, or deployer, did not explicitly specify the policies to attach. Policies that are attached using a policy set are considered externally attached.

For example, if the developer did not specify policies in annotations or include policy references in deployment descriptors, then the deployer must attach them or risk a potential security risk. By attaching policies globally to a set of subjects by type, the administrator can ensure that all subjects are secured by default independent of, and even before, deployment. For example, the administrator can define a policy set that attaches a security policy to all web service endpoints in a domain. In this case, any new services added to the domain automatically inherit the security configuration defined in the policy set.

For more information about attaching policies globally using policy sets, see About Attaching Policies Globally Using WLST in Securing Web Services and Managing Policies with Oracle Web Services Manager.

Enabling Lookup of Tasks Assigned to Groups not Part of the Configured Provider

Tasks that are assigned to the groups which are part of non configured provider do not appear in Human Workflow.

To enable the lookup of such tasks where the groups are not part of the configured provider, set the Mbean attribute GroupsFromNonConfiguredProvider in WorkflowConfig Mbean to true.