|
Oracle® Application Server ProcessConnect User’s Guide
10g (9.0.4) Part No. B12121-02 |
|
|
|
|
Oracle® Application Server ProcessConnect User’s Guide
10g (9.0.4) Part No. B12121-02 |
|
|
|
|
The ability to control user access to Web content and to protect your site against people breaking into your system is critical. This chapter describes the architecture and configuration of security for Oracle Application Server ProcessConnect.
This chapter contains these topics:
Configuring Oracle Application Server ProcessConnect Security
|
See Also: The following documents for additional details about security:
|
This section describes the Oracle Application Server ProcessConnect security model. This section contains these topics:
A single user named admin is automatically created during Oracle Application Server ProcessConnect installation. The password you specify for the Oracle Application Server administrator named ias_admin when prompted during Oracle Application Server ProcessConnect installation also becomes the initial password for the admin user.
The admin user consists of a single default user role named Administrator. The Administrator role consists of the use cases (privileges) that enable the admin user to use the Oracle Application Server ProcessConnect user interface tool to design, deploy, and manage integrations. The Administrator role is the only user role available with Oracle Application Server ProcessConnect. The admin user can create additional users to which to assign the Administrator role. A default organization name is also automatically created during Oracle Application Server ProcessConnect installation. This name is used to uniquely identify your organization or company. Along with the admin username and password, the organization name is required for connecting to the Oracle Application Server ProcessConnect user interface tool.
You can also administer portions of Oracle Application Server ProcessConnect through the Oracle Enterprise Manager 10g Application Server Control Console. The password you specify for the Oracle Application Server administrator named ias_admin when prompted during Oracle Application Server ProcessConnect installation also becomes the initial password to use when logging in with the Oracle Enterprise Manager 10g ias_admin username.
|
See Also: The following sections for instructions on performing these tasks:
|
The following security is provided for protecting resources:
The modeling metadata and profile data that you design with the Oracle Application Server ProcessConnect user interface tool are protected by both the admin username and password and by the security provided by the Oracle database.
Network messaging can be secured and encrypted using Oracle Advanced Security. Network messaging can also be secured by using secure HTTP for the Oracle Application Server ProcessConnect user interface tool.
Adapters that enable communication between applications and Oracle Application Server ProcessConnect use the underlying security of their protocols (such as HTTP, FTP, and SMTP) to restrict access to data.
Spoke (application) databases to which applications connect to access data are protected by username and password credentials that you specify when configuring a delivery channel for an application
The messages that trading partners send and receive during integrations between enterprises are protected by the following levels of security:
Digital envelopes
Digital signatures for host and remote trading partners
Secure HTTP (using secure socket layer (SSL)) and client authentication
Encrypted wallet password for a host trading partner
|
See Also: "Oracle Application Server ProcessConnect Security Configuration" for an overview of security configuration for integrations between enterprises |
When you attempt to access the Oracle Application Server ProcessConnect user interface tool, you are prompted for a username, password, and organization name. Without knowledge of this connection information, you cannot access the user interface tool to design, deploy, and manage integrations within an enterprise and between enterprises.
Oracle Application Server provides a series of security services. Oracle Application Server ProcessConnect uses SSL. You can use SSL for securing connections between host and remote trading partners. SSL uses a public key infrastructure to provide authentication and data integrity. HTTP client security is also provided through SSL.
Secure HTTP can also be used to secure the Oracle Application Server ProcessConnect user interface tool.
|
See Also: Oracle Application Server 10g Security Guide for a description of Oracle Application Server security services |
This initial release of Oracle Application Server ProcessConnect does not require use of Oracle Identity Management infrastructure features; Oracle Identity Management is optionally selectable for use during Oracle Application Server ProcessConnect installation and is only used for product-specific password verifiers.
This section describes Oracle Application Server security options to configure to use Oracle Application Server ProcessConnect. This section contains these topics:
Oracle Application Server ProcessConnect Security Framework Configuration Issues
Identity Management Configuration Issues Specific to Oracle Application Server ProcessConnect
The Oracle Application Server ProcessConnect and Oracle Workflow schemas are protected by passwords created during OracleAS Infrastructure 10g installation. These schemas are stored in the metadata repository of OracleAS Infrastructure 10g to which you configure access during Oracle Application Server ProcessConnect installation. In addition, the data you design, deploy, and manage with Oracle Application Server ProcessConnect user interface tool is stored in this same metadata repository of OracleAS Infrastructure 10g.
|
See Also:
|
This section provides an overview of Oracle Application Server ProcessConnect installation and configuration issues. This section contains these topics:
Oracle Application Server ProcessConnect Security Configuration
Host Trading Partner Password Encryption in High Availability Environments
Configuration Issues and Options to Use for Oracle Application Server Security Framework
While you do not specify security parameters when installing Oracle Application Server ProcessConnect, the Oracle Application Server administrator must know the following information to install Oracle Application Server ProcessConnect:
The name of the host on which the OracleAS Infrastructure 10g installation to use as the metadata repository is installed
The specific OracleAS Infrastructure 10g installation on that specific host that includes the Oracle Application Server ProcessConnect schema
The Oracle Application Server ProcessConnect and Oracle Workflow schema passwords automatically created during OracleAS Infrastructure 10g installation
The ias_admin password specified during J2EE and Web Cache installation, which is used as the initial password for the Oracle Application Server ProcessConnect admin user and for the Oracle Enterprise Manager 10g ias_admin user
The organization name automatically assigned during Oracle Application Server ProcessConnect installation
|
See Also: Oracle Application Server ProcessConnect Installation Guide for installation instructions |
You configure security with the Oracle Application Server ProcessConnect user interface tool after installation. Oracle Application Server ProcessConnect provides the following levels of security:
Encrypted Wallet Passwords for Host Trading Partners
|
See Also: "Managing Trading Partner Agreements" to create a trading partner agreement to which to assign a trading partner with its delivery channel characteristics |
Adapters enable communication between applications and Oracle Application Server ProcessConnect. The adapter of an application includes its own delivery channel security characteristics that you must define (such as login credentials for accessing hosts and backend databases). Oracle Application Server ProcessConnect stores information such as passwords in encrypted format. Table 20-1 provides an overview of the tasks.
Table 20-1 Application Delivery Channel Tasks
| Task | See... |
|---|---|
| Add an adapter to an application | "Adding an Adapter to an Application"
|
| Add a delivery channel to an adapter | "Creating an Application Delivery Channel"
|
|
See Also: "Managing Application Agreements" to create an application agreement to which to assign an application with its adapter of delivery channel characteristics |
You can create encrypted business messages with a remote trading partner’s certificate. Table 20-2 provides an overview of the tasks.
Table 20-2 Remote Trading Partner Certificate Tasks
| Task | See... |
|---|---|
| Perform the following tasks when creating a remote trading partner certificate for a digital envelope, digital signature, or SSL certificate. | Step 2 of "Creating a Remote Trading Partner Certificate" |
|
|
|
|
| Perform the following tasks when creating a document exchange: | Step 2 of "Creating a Document Exchange" |
|
|
|
|
| Perform the following tasks when creating a delivery channel: | Step 2 of "Creating a Delivery Channel" |
|
|
|
|
You can then assign the delivery channel to a trading partner participating in a trading partner agreement.
You can use digital signatures with host and remote trading partners. The digital signature ensures that the message is authentic. Table 20-3 provides an overview of the tasks for configuring digital signatures.
Table 20-3 Digital Signatures
| Task | See... |
|---|---|
| Perform the following tasks when creating a document exchange: | Step 2 of "Creating a Document Exchange" |
|
|
|
|
Select Yes from the following lists when creating a delivery channel:
If you select Yes from the Is Non-Repudiation of Receipt Required list, you must also select Yes from the Is Non-Repudiation of Origin Required list. In a trading partner agreement, both the host and remote trading partners must have the same values for Is Non-Repudiation of Origin Required and Is Non-Repudiation of Receipt Required. |
Step 2 of "Creating a Delivery Channel" |
You can use SSL to secure connections between host and remote trading partners. You can use SSL with or without client authentication. Table 20-4 provides an overview of the tasks for configuring SSL. There are three parts to configuring SSL that must be performed in this order:
Configure SSL outside of Oracle Application Server ProcessConnect and Oracle Application Server
Configure SSL for Oracle Application Server
Configure SSL for Oracle Application Server ProcessConnect
Table 20-4 SSL
| Part | Task | See... |
|---|---|---|
| 1 | Configure SSL outside of Oracle Application Server ProcessConnect and Oracle Application Server | "Setting Up SSL for the Oracle Application Server ProcessConnect B2B Adapter "
|
| 2 | Configure SSL for Oracle Application Server |
|
| 3 | Configure SSL for Oracle Application Server ProcessConnect: |
|
|
|
Select Yes from the Transport Security Enabled list when creating a delivery channel. | Step 2 of "Creating a Delivery Channel" |
|
|
Perform the following tasks when creating a protocol endpoint: |
|
|
|
|
Step 4 of "Creating a Transport" |
|
|
|
Step 2 of "Creating a Protocol Endpoint" |
|
|
|
Step 4 of "Creating a Protocol Endpoint" |
|
|
|
Step 5 of "Creating a Protocol Endpoint" |
Before configuring trading partners to use SSL in the Oracle Application Server ProcessConnect user interface tool, you must set up SSL. The B2B adapter enables trading partners to communicate. Use the B2B adapter in either of two modes:
As an HTTP server
This mode is configured through SSL settings in the Oracle HTTP Server httpd.conf file, as described in the Oracle Application Server 10g Security Guide
As an HTTP client
Start Oracle Wallet Manager at the operating system command prompt:
owm
Import a trading partner's CA authority into Oracle Wallet Manager.
|
Note: Oracle Wallet Manager allows only base64 files to be imported. Use Internet Explorer or another tool to convert a nonbase64 encoded certificate to base64. |
Export the entire wallet into a text file. This file requires a .txt extension.
Place this file in the same location as the original wallet file.
Specify the location for this .txt file with the Wallet Location parameter in the Oracle Application Server ProcessConnect configuration parameters. These parameters can be accessed and modified from the Server Properties page of the Oracle Enterprise Manager 10g Application Server Control Console.
|
See Also: Chapter 18, " System Management with Oracle Enterprise Manager 10g" for instructions on accessing the Oracle Enterprise Manager 10g Application Server Control Console |
Follow these instructions to troubleshoot SSL setup:
Use the browser to connect to the secure HTTP URL. Upon successful connection, the following details are viewable:
If you are using Internet Explorer, select File > Properties from the main menu. The connection information appears. A Certificates button that displays certificate information also appears.
You may get a confirmation page from the remote server.
Follow these instructions to verify SSL client authentication:
Using the Netscape browser:
Import an Oracle Wallet by selecting Communicator > Tools > Security Info > Certificates > Yours > Import a Certificate from the main menu.
Connect to the secure HTTP URL.
Using the Internet Explorer browser:
Internet Explorer does not recognize the .p12 file generated using Oracle Wallet. Perform these steps to import the Oracle Wallet:
Import the Oracle Wallet by selecting Communicator Tools Security Info Certificates Yours Import a Certificate from the main menu.
Export the Oracle Wallet by selecting Communicator > Tools > Security Info > Certificates > Yours > Export.
Import this Oracle Wallet into Internet Explorer and try connecting to the secure HTTP URL.
Oracle Application Server ProcessConnect uses an Oracle Wallet for storing private and public keys. A wallet password is required for accessing an Oracle Wallet. You create an initial wallet password and an Oracle Wallet with Oracle Wallet Manager. The wallet password is stored in encrypted format in the Oracle Application Server Metadata Repository. This wallet is used for digital envelopes, digital signatures, and SSL. Table 20-5 provides an overview of the tasks to perform in the Oracle Application Server ProcessConnect user interface tool after you create the wallet password and Oracle Wallet:
Table 20-5 Host Trading Partner Wallet Password
| Task | See... |
|---|---|
| Create a host trading partner wallet password | "Creating a Host Trading Partner Wallet Password"
Note: Enter the same wallet password that you created in Oracle Wallet Manager. If you later change the wallet password in Oracle Wallet Manager, you must also update the password in the Oracle Application Server ProcessConnect user interface tool. |
| Specify the directory location for the wallet file | "Oracle Application Server ProcessConnect Monitoring and Administration Tasks" to access the Oracle Application Server ProcessConnect configuration parameters (under the Server Properties section) with Oracle Enterprise Manager 10g. The Wallet Location parameter in this file enables you to specify the directory location for the wallet file. |
Oracle Application Server ProcessConnect provides a feature that automatically encrypts the host trading partner’s Oracle Application Server ProcessConnect passwords through use of an obfuscated, encryption key created during installation. If you want to change this key value, do so during Oracle Application Server ProcessConnect downtime, as all passwords within the Oracle Application Server ProcessConnect schema are re-encrypted. A new encryption key is then created.
If Oracle Application Server ProcessConnect is part of a high availability or disaster recovery configuration and you want to change the encryption key, you must perform the following procedures:
Follow the instructions in "Managing and Monitoring a Middle-Tier Instance from Oracle Enterprise Manager 10g Application Server Control Console" to log in to the Oracle Enterprise Manager 10g Application Server Control Console and access the primary Oracle Application Server ProcessConnect instance.
Shut down the adapter framework, integration manager, and OC4J instance subcomponents on the primary system on which Oracle Application Server ProcessConnect is installed.
Go to the Security Key parameter on the Server Properties page:
Make the following changes:
Click Apply.
Go to the secondary (or backup) system of which Oracle Application Server ProcessConnect is a part.
Enter the same encryption key in the Security Key field as you did in Step 3b. However, do not check the Re-encrypt ProcessConnect Repository’s Security Data box.
Restart the primary and secondary systems.
You can enable encryption between Oracle Application Server ProcessConnect and the Oracle Application Server Metadata Repository by setting several Oracle Net configuration parameters. For example, you can encrypt JDBC with the following sqlnet.ora parameters:
sqlnet.encryption_server=accepted sqlnet.encryption_client=requested sqlnet.encryption_types_server=(RC4_40) sqlnet.encryption_types_client=(RC4_40) sqlnet.crypto_seed ="-kdje83kkep39487dvmlqEPTbxxe70273"
|
See Also: Oracle Advanced Security Administrator's Guide available on the Oracle Technology Network:http://otn.oracle.com/ |
This chapter describes the security provisions of Oracle Application Server ProcessConnect including, for example, automatic encryption of the host trading partner’s Oracle Application Server ProcessConnect passwords by using an obfuscated encryption key created during installation. Protection of Oracle Application Server ProcessConnect and Oracle Workflow schemas during OracleAS Infrastructure 10g installation is also discussed.
