Complete guide to Oracle IRM (Part 2): Management Website installation

The first part of this guide covered installing the Oracle IRM server. The server is core to an IRM deployment, providing centralized management of users, classifications, roles and rights. It provides the service for authorizing users and issuing the rights and decryption keys that allow access to protected content. However, after installing the server you still need to configure the classifications and roles, add new users, and then assign roles to their accounts, giving them rights to content protected against the classifications.

In the early days of IRM deployments we would sit down with a customer and ask questions like, "How do your users need to access content? Do they need print rights? Do they need change tracking enabled when they edit?". This helped us define a classification and rights model which reflected their needs. After we had been through this loop several times we realized the same roles kept being created. There was also a use case which was constantly being addressed, where business users who owned classifications and wanted to share sensitive documents outside the company required a simple mechanism for adding external users to the system and giving them rights to the business users' classifications.

This led to the development of the Oracle IRM Management Website and the Standard Rights Model. This is an out-of-the-box, predefined set of roles based on our 10 years of best practice and feedback from customers. It includes a set of document roles (Contributor, Reviewer, Reader, Reader (No Print) and Item Reader) and a set of administrative roles (Service Owner, System Manager, Context Manager and Inspector) which facilitate appropriate segregation of business and technical duties. The Management Website then delivers some simple logic in the form of a web application to implement common use cases, such as adding users and creating contexts. The next part of this guide will go through the installation of this software. Part 3 of the guide will involve creating a classification and testing that everything works, and the final part 4 will discuss further the decision making around applying your IRM service to your company's classification policies.


As described in part one, it is best practice to run the Oracle IRM server on TCP port 80. Obviously the Management Website should also run on TCP port 80. When both are running on the same machine, as in this guided installation, you therefore need to stop IIS from listening on all available interfaces on port 80, a practice called socket pooling.

Disabling socket pooling in IIS

I'm going to run the IRM server on port 80 and also will be running the website on port 80. Therefore I have bound two IP addresses to the Ethernet interface which will handle my public server requests. However IIS has also been installed and this is currently listening on all available addresses on port 80. To disable this behavior you need to use a tool from Microsoft called httpcfg. It is found in the Windows Server Support Tools.

After installing these tools, open the command prompt from the link they provide and type the following commands, replacing the IP address with the one you want the IIS server to listen on. Don't put in the IP address you wish to use for the IRM server; the command below tells IIS which addresses to listen on.

net stop http /y
httpcfg set iplisten -i <IP address IIS should listen on>
net start w3svc

To confirm that IIS is now listening on only the IP address specified above and that the IRM server is running and listening on another address, you can start a command prompt and run the command netstat -nao | find "80". This will return something akin to the following.


Note that IIS, running under the process ID 4 is listening on port 80 with address Also the previously installed IRM Server, running with the process id 3640 is listening again on TCP port 80 but bound to the address
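A stricter version of the netstat check above, as an added example that is not part of the original post. The find "80" filter matches any line containing "80" (port 8080, PID 480, and so on), so this sketch parses the output and reports only TCP listeners on exactly port 80, flagging any that are still bound to all addresses. The sample output is constructed: the PIDs 4 and 3640 follow the article, while the addresses are documentation-range placeholders.

```python
import re

# Constructed sample of `netstat -nao` output (not taken from the original post).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:80          0.0.0.0:0              LISTENING       4
  TCP    192.0.2.11:80          0.0.0.0:0              LISTENING       3640
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1480
  TCP    192.0.2.10:3389        198.51.100.7:50180     ESTABLISHED     980
  UDP    0.0.0.0:500            *:*                                    480
"""

# One TCP row in LISTENING state: local address, local port, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
WILDCARDS = ("0.0.0.0", "[::]")


def loose_matches(netstat_text):
    """Lines that `find "80"` would print: any line containing the substring."""
    return [line for line in netstat_text.splitlines() if "80" in line]


def listeners(netstat_text, port=80):
    """Return [(ip, pid)] for TCP sockets listening on exactly `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) == port:
            found.append((m.group(1), int(m.group(3))))
    return found


def check_port_sharing(netstat_text, port=80):
    """Return a list of problems; empty means no listener is socket pooling."""
    problems = []
    for ip, pid in listeners(netstat_text, port):
        if ip in WILDCARDS:
            problems.append(f"PID {pid} listens on all addresses ({ip}:{port})")
    return problems


if __name__ == "__main__":
    print("lines matched by find:", len(loose_matches(SAMPLE)))
    for ip, pid in listeners(SAMPLE):
        print(f"port 80 listener: {ip} (PID {pid})")
    print("problems:", check_port_sharing(SAMPLE) or "none")
```
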

Ensuring the local Microsoft SMTP service is installed

Another aspect of the Management Website is that it sends out emails when user accounts are added, classifications are created and so on. These emails are a way to simplify communication with users, introducing them to Oracle IRM. The Management Website comes with a set of template emails which can be customized for your deployment. The website sends these emails out using the Microsoft SMTP service, which is bundled as part of the IIS installation.
  • Go to the Control Panel and start the "Add or Remove Programs" applet
  • Select "Add/Remove Windows Components"
  • In the resulting wizard select "Application Server" and hit details
  • Select "Internet Information Services (IIS)" and hit details again
  • Make sure that the SMTP Service is selected
  • Click OK back through the wizard to install the service
You will now have in your C:\Inetpub folder a mailroot folder which we will reference during the website installation.

Setting up the local IRM user

The Management Website uses a Windows NT account when communicating from the website to the IRM server. This account must be pre-created and in my case I'm doing it on an Active Directory Domain Controller.

So create a user and make it a member of the group IIS_WPG. Remember the password, it gets used during the installation. Also make sure you know what domain this user is a part of.


Getting the install files

Download the following zip file and extract to disk. All Oracle IRM software can be downloaded from OTN.

Run the installer and hit next, now we can start installing the Management Website.

Installing the Oracle IRM Management Website

The installer is split into two main activities. First the installation of the files to the local machine and the configuration of the website in IIS, then it launches a web browser connecting to the Management Website to complete configuration and setup.

This dialog is a checklist. It doesn't actually check that you've done any of these, so make sure you've read the install guide and followed the preparation tasks described at the start of this article. Check all the items and continue.

Next the installer asks for where to place the web files. I changed this location to remove the reference to SealedMedia, the company which originally developed the IRM technology.

Choose a language to install. Note this will set the default language for the entire Management Website.

Enter the hostnames and ports of the IRM server. Note that the port and hostname must be the private ones, but these are usually the same as the public interface settings.

Specify details of the NT user you created, which will be used to run the Management Website in IIS and connect to the IRM server.

Confirm the location of the SMTP service pickup folder.

Hit install to complete the first part of installation.

Hitting next will then launch an instance of the browser to continue to the next phase of installation. But before you do this, it's wise to ensure the website it is about to browse to is correctly configured. The first part of the installation will have created an IIS website called "SealedMedia Management Website". To ensure the website is configured correctly, do the following.
  • Go to Start\Programs\Administrative tools and start Internet Information Services (IIS) Manager
  • Open the Web Sites folder and you should see the "SealedMedia Management Website" instance. Right click and select properties.
  • Change the IP address that the web site listens on to the one which your hostname for the web site resolves to, in my example, resolves to So I set the IP address for this website to that value.
  • Also just check in the Application Pools folder that the "SealedMedia MWA AppPool" instance is also started. Sometimes I've found this application pool stopped and the next step won't work.

After hitting next your browser will start and access the installation page of the Management Website. Provide the administration account that was created during the initial IRM server installation.

Once the Management Website authenticates with the IRM server you are asked for the settings for this web application.
  • System email address will be copied on every email sent out from the server. So actually I would use a mail box specifically for these emails.
  • Default password applies to when users are added to the system using the website. The business user doesn't set a password, instead the system can either create a secure random one or use the same password every time. This password ends up in the new user email and is only used the first time the end user accesses the system, they will be prompted to change the password on first login.
  • Don't set the export contexts check box, this can be changed later and is rare to be used out of the box.
  • Organization name is used only on the web site and is displayed on all pages.
  • The check boxes for email notifications allow you to configure what emails get sent automatically. These can also be changed later.

You are now asked to create the first service owner account. This is typically a service named account, e.g. "serviceowner", in the same vein as root or administrator accounts. A service owner basically makes changes to the Management Website settings. The account is authorized for routine management tasks, such as user account creation, but these tasks are typically performed by the business users themselves. An important note is that the role of Service Owner does not include the assignment of rights to access sealed documents. The assignment of document rights is a Context Manager task. This is a good example of the separation of duties that is possible with Oracle IRM.

Next comes the last account to be created, the first System Manager account. This, in contrast to the Service Owner, is typically a real user account and hence the requested information is slightly different. System Managers are primarily responsible for managing user accounts and user groups, and for creating classifications. The typical workflow is that a System Manager, as part of the classification creation process, creates a classification and in doing so adds the first manager. This generates an automated email to that new manager, who then in turn logs into the Management Website and removes the account of the System Manager that created it. This is a nice example of the hand-off of classifications from IT to the business, and again of how well separation of duties is played out.

Again the role of System Manager does not include the assignment of rights to access sealed documents. The assignment of document rights is a Context Manager task. It is possible for a System Manager to be a Context Manager for one or more contexts, but there is no requirement.

And finally everything is installed and configured. You can now hit finish and be taken to the login page of the Management Website. The next steps are in guide 3, where I'll walk through the creation of a test classification, do some more configuration and check that the system can successfully create a sealed document and that a user can open it.
