Oracle9i Application Server Security Guide
Release 2 (9.0.2)
Part Number A90146-01
This chapter explains how to configure security settings for Oracle9iAS Web Cache, including configuration for passwords and executable ownership. In addition, this chapter describes how to configure Oracle9iAS Web Cache for HTTPS support of secure pages.
This chapter contains these topics:
When Oracle9iAS Web Cache is installed, it is set up with default passwords for administration and invalidation requests. In addition, the computer on which you installed Oracle9iAS Web Cache is the default trusted host.
To change the security settings:
Configuration and operational tasks can be performed with the Oracle9iAS Web Cache administrator user. The administrator user has a default password of administrator set up during installation. Before you begin configuration, change the default password to a secure password.
The Security page appears in the right pane.
The Change Administration User Password dialog box appears.
administrator in the Old Password field and a new password between four and 20 characters in the New Password and Confirm New Password fields.
The invalidation administrator has a user ID of invalidator, with default password of
The Change Invalidation User Password dialog box appears.
invalidator in the Old Password field, and a new password between four and 20 characters long in the New Password and Confirm New Password fields.
By default, the computer on which you installed Oracle9iAS Web Cache is the trusted host.
The Change Trusted Subnets dialog box appears.
Select to allow administration requests from all computers in all the subnets in the network.
This machine only
Select to allow administration and invalidation requests from only this computer.
Enter list of IPs
Select to allow requests from all IP addresses you enter in a comma-separated list. You can enter IP addresses in one of the following formats:
10.1.0.0/255.255.0.0 allows all the hosts in the 10.1 subnet access.
10.1.0.0/16 allows all the hosts in the 10.1 subnet access. This example is similar to the network/netmask example, except the netmask consists of nnn high-order 1 bits.
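The two notations above describe the same set of hosts. The following Python code is an added example, not part of the Oracle documentation: it parses a comma-separated trusted-host list in those formats with the standard ipaddress module, checks whether a client address falls inside it, and lists entries that admit more hosts than intended. The function names, the sample addresses, the treatment of a bare IP as a single host, and the /16 breadth threshold are assumptions; the code does not reproduce Web Cache's own matching logic.

```python
import ipaddress


def parse_trusted_hosts(entry_list):
    """Parse a comma-separated trusted-host list into network objects.

    Accepts network/netmask (10.1.0.0/255.255.0.0) and network/nnn
    (10.1.0.0/16). A bare IP is treated as a single host (assumption).
    """
    networks = []
    for raw in entry_list.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # strict=True raises ValueError when host bits are set
        # (e.g. 10.1.2.3/16), which usually signals a typing mistake.
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def is_trusted(client_ip, networks):
    """Return True if client_ip falls inside any parsed entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def broad_entries(networks, min_prefix=16):
    """Return entries wider than min_prefix bits (threshold is an assumption)."""
    return [str(net) for net in networks if net.prefixlen < min_prefix]


if __name__ == "__main__":
    # Constructed sample list; the addresses are illustrative only.
    sample = "10.1.0.0/255.255.0.0, 10.1.0.0/16, 192.0.2.10, 10.0.0.0/8"
    nets = parse_trusted_hosts(sample)
    # The netmask and nnn forms normalize to the same network.
    print(nets[0] == nets[1])
    for ip in ("10.1.200.7", "10.2.0.1", "192.0.2.11"):
        print(ip, "trusted" if is_trusted(ip, nets) else "not trusted")
    print("review:", broad_entries(nets))
```

Running the audit before pasting a list into the Change Trusted Subnets dialog shows which administration and invalidation clients the list would admit.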
By default, the user that performed the installation is the owner of Oracle9iAS Web Cache executables. This user can execute webcachectl commands. Users that belong to the same group ID of the user that performed installation can also execute
The Process Identity page appears in the right pane.
The Change Process Identity dialog box appears.
If you changed the password for the administrator user in Step 2, you must restart the admin server process with the webcachectl restart command rather than with the Restart option in the Operations page (Administration > Operations).
If you changed the password for the
You can configure Oracle9iAS Web Cache to receive HTTPS browser requests and send HTTPS requests to the origin server. HTTPS uses the Secure Sockets Layer (SSL) to encrypt and decrypt user page requests as well as the pages that are returned by the origin server.
To describe how SSL works in an HTTPS connection, the word client is used to describe either a browser or Oracle9iAS Web Cache, and the word server is used to describe either Oracle9iAS Web Cache or an origin server.
The authentication process between the client and server consists of the steps that follow:
At the commencement of an HTTPS network connection between the client and server, an SSL handshake is performed. An SSL handshake includes the following actions:
To configure HTTPS support, perform these tasks:
Wallets are needed to support the following HTTPS requests:
Each site requires at least one wallet. One wallet can be shared among all the Oracle9iAS Web Cache listening ports, or a separate wallet can be created for each Oracle9iAS Web Cache listening port.
To create a wallet, use Oracle Wallet Manager. Create the wallet as the following user:
WebCache service on Windows
WebCache service starts the cache server process, Oracle9iAS Web Cache opens the wallet as the webcachectl or the WebCache service owner.
By default, wallets are stored in the following locations:
Chapter 5, "Using Oracle Wallet Manager" for information about using Oracle Wallet Manager to create and manage Oracle Wallets.
Oracle9iAS Web Cache attempts to open wallets at startup on Windows. On Windows, wallets are protected so that only the user that created them can open and use them. By default, Oracle9i Application Server services are associated with the local system account, which does not have permission to open wallets.
To enable Oracle9iAS Web Cache to open wallets at startup:
|Windows NT||Windows 2000|
On Windows NT, additionally grant the wallet administrator the right to run Oracle9iAS Web Cache as a service:
The User Manager window appears.
The User Rights Policy dialog box appears.
If Users does not exist, create it:
The User Manager window reappears.
To configure HTTPS protocol support between browsers and Oracle9iAS Web Cache:
The ports for these requests can share the same wallet as established for the Oracle9iAS Web Cache listening port in Step 1.
To configure HTTPS protocol support between Oracle9iAS Web Cache and origin servers:
The ports for these requests can share the same wallet as established for the Oracle9iAS Web Cache listening ports.
You can restrict a URL or set of URLs for a site to permit only HTTPS requests.
To allow only HTTPS traffic for a URL or a set of URLs:
The Add Site or Edit Site dialog box appears.
If all traffic must be restricted to HTTPS, enter "/" for the entire site.