Oracle® Collaboration Suite SSL Configuration
Release 2 (9.0.4)

Part Number B15611-01

7 Configuring SSL for the Middle Tier Applications

This chapter explains how to configure SSL connections to the Middle Tier applications. This involves the following steps:

7.1 Enabling SSL for HTTP Server

In this step, you will configure the advertising port of the Middle Tier Oracle HTTP Server (the Port directive only). The advertising port should always be the same as the front-end port by which the Oracle HTTP Server is accessed. In this case, the front-end port is the Web Cache port, which we have already set to 80 for HTTP and 443 for HTTPS. See Section 1.2 for more information about the default ports of Oracle HTTP Server.

The file $ORACLE_HOME/Apache/Apache/conf/httpd.conf on the Middle Tier is used to configure the HTTP Server for SSL, where $ORACLE_HOME is the directory where the Oracle Collaboration Suite Middle Tier applications are installed.

To enable SSL on the Middle Tier HTTP Server:

  1. Open the $ORACLE_HOME/Apache/Apache/conf/httpd.conf file on the Middle Tier.

  2. In this file, the SSL parameters reside within a VirtualHost definition. You must change the Port directive from 4443 to 443 and the ServerName directive to webcachehostname (for a single-box installation) or midtierhostname (for a distributed installation). Do not change the Listen directive, because Web Cache will still point to this port on the Middle Tier. For example:

    # Do not change the VirtualHost line.
    <VirtualHost _default_:4444>
    ServerName webcachehostname|midtierhostname
    Port 443
    SSLEngine on
    SSLVerifyClient none
    </VirtualHost>
    
  3. Change the nonsecure HTTP Port directive from 7777 to 80. Do not change the Listen directive. Web Cache will still direct requests to the Middle Tier on this port. For example:

    Port 80
    Listen 7777
    
    
  4. After making these changes in the httpd.conf file, run the Distributed Configuration Management (DCM) utility to update your configurations and then restart the server. At the command line of your Middle Tier server, run the following commands:

    dcmctl updateconfig -d -v
    dcmctl stop -ct ohs
    dcmctl start -ct ohs -v
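
A quick way to confirm the edits before running dcmctl, as an added example that is not part of the Oracle guide: the hypothetical function check_ohs_ssl_ports reads an httpd.conf and reports any setting that differs from the steps above. It assumes the layout shown in this section (one top-level Port/Listen pair, and the SSL Port inside a VirtualHost with SSLEngine on); the sample file is constructed.

```shell
# check_ohs_ssl_ports FILE
# Prints one finding per line; returns 1 if there is any finding.
check_ohs_ssl_ports() {
    awk '
        function fail(msg) { print msg; bad++ }
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { d = tolower($1) }                     # directive names are case-insensitive
        d ~ /^<virtualhost/ {
            in_vh = 1; ssl = 0; vport = ""
            addr = $2; sub(/>.*$/, "", addr)    # "_default_:4444>" -> "_default_:4444"
            next
        }
        d ~ /^<\/virtualhost/ {
            if (ssl) {
                seen_ssl = 1
                if (vport != "443")
                    fail("SSL VirtualHost " addr ": Port is \"" vport "\", expected 443")
                if (addr !~ /:4444$/)
                    fail("SSL VirtualHost address " addr " was changed, expected :4444")
            }
            in_vh = 0; next
        }
        in_vh && d == "port"      { vport = $2 }
        in_vh && d == "sslengine" { ssl = (tolower($2) == "on") }
        !in_vh && d == "port" && gport == ""    { gport = $2 }
        !in_vh && d == "listen" && $2 == "7777" { listen_ok = 1 }
        END {
            if (gport != "80") fail("global Port is \"" gport "\", expected 80")
            if (!listen_ok)    fail("Listen 7777 not found; Listen must stay unchanged")
            if (!seen_ssl)     fail("no VirtualHost with SSLEngine on found")
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample: the SSL Port was updated, the nonsecure Port was not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 7777
Listen 7777
<VirtualHost _default_:4444>
Port 443
SSLEngine on
</VirtualHost>
EOF
check_ohs_ssl_ports "$sample" || echo "httpd.conf does not match Section 7.1"
```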
    

7.2 Configuring the Portal Parallel Page Engine

The Portal Parallel Page Engine obtains the page metadata from the Portal repository and is responsible for assembling the portlets on a page. To secure the Portal Parallel Page Engine, you must edit its web.xml file and add some initialization parameters for SSL.

To configure the Portal Parallel Page Engine for SSL:

  1. Open the following file in your Middle Tier installation:

    $ORACLE_HOME/j2ee/OC4J_Portal/applications/portal/portal/WEB-INF/web.xml
    
    
  2. Add the following lines just under the <servlet-class> line of this file. The lines to be added are the <init-param> element in the following example:

    <servlet>
       <servlet-name>page</servlet-name>
       <servlet-class>oracle.webdb.page.ParallelServlet</servlet-class>
       <init-param>
          <param-name>httpsports</param-name>
          <param-value>443</param-value>
       </init-param>
    

7.3 Reregistering HTTP Server with the Oracle9iAS Single Sign-On Server

The Oracle9iAS Single Sign-On module for the Oracle HTTP Server, mod_osso, is registered automatically with the Oracle9iAS Single Sign-On server when Oracle9iAS is installed. However, when SSL is enabled on the Oracle9iAS Single Sign-On server after installation, the mod_osso component should be registered again manually with the Oracle9iAS Single Sign-On server. This ensures that the Oracle9iAS Single Sign-On server listens for all authentication requests on the SSL port. If this registration is not done, then the user will be redirected to the single sign-on page using HTTP rather than HTTPS.

Running the Oracle9iAS Single Sign-On registration tool updates the mod_osso registration record in the osso.conf file to reflect the SSL settings of the Oracle9iAS Single Sign-On server. The Single Sign-On registration tool generates this file whenever it is run.

To run the Oracle9iAS Single Sign-On registration tool, complete the following steps on your Middle Tier installation:

  1. Update your LD_LIBRARY_PATH environment variable as follows:

    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib:$ORACLE_HOME/jlib
    export LD_LIBRARY_PATH
    
    
  2. Run the Oracle9iAS Single Sign-On registration tool by running the following command:


    Note:

    Replace the placeholder information (denoted by text in italic font) with the correct information for your environment. For example, for a single-box installation use webcachehostname. For a distributed installation, use midtierhostname.

    $ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/sso/lib/ossoreg.jar \
    -oracle_home_path $ORACLE_HOME \
    -host infrastructure_hostname \
    -port 1521 \
    -sid iasdb \
    -site_name middleTier.webcachehostname|midtierhostname \
    -success_url https://webcachehostname|midtierhostname/osso_login_success \
    -logout_url https://webcachehostname|midtierhostname/osso_logout_success \
    -cancel_url https://webcachehostname|midtierhostname/ \
    -home_url https://webcachehostname|midtierhostname/ \
    -config_mod_osso TRUE \
    -u root \
    -sso_server_version v1.2
    
    
  3. After the script is run, you should see the "SSO Registration Successful" message.

  4. Restart the HTTP server for the Middle Tier by running the following commands:

    dcmctl stop -ct ohs
    dcmctl start -ct ohs -v
    

7.4 Configuring Portal for SSL

This section discusses the steps involved in configuring Portal for SSL. It contains the following topics:

Section 7.4.1, "Before You Begin"

Section 7.4.2, "Running the Portal Configuration Script"

Section 7.4.3, "Changing the Default Portal Page"

7.4.1 Before You Begin

Before you run the Portal configuration script, ensure that a NET8 client like SQL*Plus can connect to the Portal Repository and Infrastructure on the infratierhostname from the midtierhostname. This requires a valid TNS alias defined in the $ORACLE_HOME/network/admin/tnsnames.ora file on the Middle Tier host.

Before you can run the Portal configuration script, you will also need the passwords for the following database users:

  • portal

  • orasso

  • orasso_ps

  • orasso_pa

To obtain these passwords:

  1. Run the following from the command line. You must provide the correct information for orcladmin_password, infratierhostname, and ldap_port (which is typically 389). For OrclresourceName, enter the user whose password you want to retrieve (orasso, orasso_ps, orasso_pa, portal). The password is the value of orclpasswordattribute that is retrieved from Oracle Internet Directory:

    ldapsearch -D cn=orcladmin -w orcladmin_password -p ldap_port -h infratierhostname -b "cn=IAS,cn=Products,cn=OracleContext" -s sub -v OrclresourceName=orasso | grep orclpasswordattribute
    
    
  2. You can also get these passwords by using the administrator interface of Oracle Internet Directory. After signing on to oidadmin as orcladmin follow this path:

    cn=orclcontext
    cn=Products
    cn=IAS
    cn=IAS Infrastructure databases
    cn=oracleReferenceName=iasdb.host.domain
    cn=OrclresourceName=orasso, orasso_ps, orasso_pa, portal
    

7.4.2 Running the Portal Configuration Script

To run the Portal configuration script:

  1. Run the following script from $ORACLE_HOME/assistants/opca on the Middle Tier:


    Note:

    Replace the placeholder information (denoted by text in italic font) with the correct information for your environment. For example, for a single-box installation use webcachehostname. For a distributed installation, use midtierhostname.

    The ptlasst.csh script must be run on one line.


    ptlasst.csh  
    -i custom 
    -mode MIDTIER 
    -s portal 
    -sp portal_password
    -c infrahostname:1521:iasdb
    -sdad portal
    -o orasso
    -op orasso_password
    -odad orasso
    -host webcachehostname | midtierhostname
    -port 443
    -silent
    -verbose
    -ldap_d "cn=orcladmin"
    -ldap_h infratierhostname
    -ldap_p ldap_port
    -ldap_w oid_admin_password
    -pwd initial_password_for_oid_seeded_users
    -sso_c infrastructure:1521:iasdb
    -mc false
    -mi true
    -chost webcachehostname | midtierhostname
    -cport_i cache_port_for_webcache_invalidation
    -cport_a cache_port_for_webcache_administration
    -wc_i_pwd invalidator
    -wc on
    -pa orasso_pa
    -pap orasso_pa_password
    -ps orasso_ps
    -pp orasso_ps_password
    -sso_h webcacheipaddress | infratierhostname
    -sso_p 443
    -oh $ORACLE_HOME
    -emhost midtierhostname
    -emport 1810
    -p_tns iasdb.hostname.domain
    -s_tns iasdb.hostname.domain
    -iasname middle.middletierhostname
    -ssl
    
    
  2. After the script is run, stop all the Middle Tier components:

    opmnctl stopall
    
    
  3. Clear the cache by removing the directories $ORACLE_HOME/Apache/modplsql/cache/plsql and $ORACLE_HOME/Apache/modplsql/cache/sessions. These directories will be re-created.

  4. Restart all the Middle Tier components:

    opmnctl startall
    

7.4.3 Changing the Default Portal Page

To finish the configuration for Portal, you must change all of the URLs on the default Portal page to use the HTTPS protocol rather than HTTP.

To edit the default Portal page:

  1. Open the following file in your Middle Tier installation:

    $ORACLE_HOME/webclient/classes/oracle/collabsuite/webclient/resources/webclient.properties

  2. Change the following URLs from http:// to https:// and enter the correct host name according to the following example. For a single-box installation, you must use webcachehostname. For a distributed installation, you must use midtierhostname in place of hostname.

    quicktour.url = https://hostname/quicktutorial/index.htm
    tools.url = https://hostname/download/index.html
    
    #Do not change this line.
    mail.help.url = http://collabtng11.us.oracle.com:7778/um/help/_MAIL_LOCALE_TOKEN_/The_All_Messages_Subtab.htm
    files.help.url = https://hostname/files/app/WelcomeHelp
    # The entry point to the Calendar online help system:
    # Note: Do not change the value for _CAL_LOCALE_TOKEN_. 
    # This value is replaced dynamically by application.
    calendar.help.url = http://hostname:port/ocas/ocwc/_CAL_LOCALE_TOKEN_/help/helptoc.htm
    # This URL does not need to be changed.
    imeeting.help.url = http://hostname:port/imthelp/help
    search.help.url = https://hostname/files/app/FederatedSearchHelp
    wireless.help.url = https://hostname/marconi/help
    mail=https://hostname/um/traffic_cop
    calendar=https://hostname/ocas-bin/ocas.fcgi?sub=web
    files=https://hostname/files/app
    search=https://hostname/files/app/FederatedSearch
    wireless=https://hostname/marconi/welcome.uix
    portal=https://hostname/pls/portal/PORTAL.wwsec_app_priv.login
    imeeting=https://hostname/imtapp/app/home.uix
    mail.provider=https://hostname/um/servlet/soaprouter
    files.provider=https://hostname/files/Portlet
    search.provider=https://hostname/files/Portlet/search
    wireless.provider=https://hostname/marconi/servlet/soaprouter
    webclient.provider=https://hostname/webclient-common/servlet/soaprouter
    imeeting.provider=https://hostname/webclient-imeeting/servlet/soaprouter
    calendar.provider=https://hostname/webclient-calendar/servlet/soaprouter
    
    
  3. After editing this file, run the following script to update the Portal Repository with the correct URLs:

    $ORACLE_HOME/webclient/bin/webclient_Installer.sh
    
    
  4. Stop and restart all Middle Tier components:

    opmnctl stopall
    opmnctl startall
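
To catch entries missed in step 2 before running webclient_Installer.sh, the following added example (not part of the Oracle guide) lists every URL property in webclient.properties that is still on http:// or does not point at the expected host. The function name check_webclient_urls, the host mt1.example.com and the sample file are constructed for illustration; the three help URLs that the example above leaves on HTTP are skipped.

```shell
# check_webclient_urls FILE HOST
# Prints "key: reason" for each URL property that is not https://HOST/...
# and returns 1 if any were printed.
check_webclient_urls() {
    awk -v host="$2" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }   # comments and blank lines
        {
            eq  = index($0, "=")                     # split on the first "=" only:
            key = substr($0, 1, eq - 1)              # calendar has "?sub=web" in its value
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        # Help URLs that the Section 7.4.3 example leaves on http://.
        key ~ /^(mail|calendar|imeeting)\.help\.url$/ { next }
        val !~ /^https?:\/\// { next }               # not a URL value
        val ~ /^http:/        { print key ": still http://"; bad++; next }
        index(val, "https://" host "/") != 1 { print key ": host is not " host; bad++ }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: one entry left on HTTP, one with the placeholder host name.
props=$(mktemp)
cat > "$props" <<'EOF'
quicktour.url = https://mt1.example.com/quicktutorial/index.htm
imeeting.help.url = http://mt1.example.com:7778/imthelp/help
calendar=https://mt1.example.com/ocas-bin/ocas.fcgi?sub=web
files=http://mt1.example.com/files/app
portal=https://hostname/pls/portal/PORTAL.wwsec_app_priv.login
EOF
check_webclient_urls "$props" mt1.example.com || echo "fix the entries above, then rerun"
```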