Oracle® Collaboration Suite SSL Configuration Release 2 (9.0.4) Part Number B15611-01
This chapter explains how to configure SSL connections to the Middle Tier applications. This involves the following steps:
In this step, you will configure the advertising port of the Middle Tier Oracle HTTP Server (the Port directive only). The advertising port should always be the same as the front-end port by which the Oracle HTTP Server is accessed. In this case, the front-end port is the Web Cache port, which we have already set to 80 for HTTP and 443 for HTTPS. See Section 1.2 for more information about the default ports of Oracle HTTP Server.
The file $ORACLE_HOME/Apache/Apache/conf/httpd.conf on the Middle Tier is used to configure the HTTP Server for SSL, where $ORACLE_HOME is the directory where the Oracle Collaboration Suite Middle Tier applications are installed.
To enable SSL on the Middle Tier HTTP Server:
Open the $ORACLE_HOME/Apache/Apache/conf/httpd.conf file on the Middle Tier.
In this file, the SSL parameters reside within a VirtualHost definition. You must change the Port directive from 4443 to 443 and the ServerName directive to webcachehostname (for a single-box installation) or midtierhostname (for a distributed installation). Do not change the Listen directive, because Web Cache will still point to this port on the Middle Tier. For example:
<VirtualHost _default_:4444> #do not change this line
ServerName webcachehostname|midtierhostname
Port 443
SSLEngine on
SSLVerifyClient none
</VirtualHost>
Change the nonsecure HTTP Port directive from 7777 to 80. Do not change the Listen directive. Web Cache will still direct requests to the Middle Tier on this port. For example:
Port 80
Listen 7777
After making these changes in the httpd.conf file, run the Distributed Configuration Management (DCM) utility to update your configurations and then restart the server. At the command line of your Middle Tier server, run the following commands:
dcmctl updateconfig -d -v
dcmctl stop -ct ohs
dcmctl start -ct ohs -v
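The rule in this step (advertised Port changed, Listen left alone) is easy to get backwards by hand. The following Python script is an added example, not part of the Oracle documentation: it parses the Port, Listen, ServerName and SSLEngine directives out of an httpd.conf, separates the SSL VirtualHost from the global scope, and reports any place where the advertised port does not match the Web Cache front-end port or where a back-end Listen port was changed to the front-end port. The sample file contents, the hostname midtierhostname and the rule that "Listen equal to the front-end port means it was edited" are my assumptions for the example.

```python
import re

# Constructed httpd.conf fragment (not a file from a real installation); it
# shows the state the chapter describes after the edits: advertised ports
# 80/443, back-end Listen ports 7777/4444 left unchanged.
SAMPLE_HTTPD_CONF = """\
Port 80
Listen 7777

<VirtualHost _default_:4444> #do not change this line
ServerName midtierhostname
Port 443
SSLEngine on
SSLVerifyClient none
</VirtualHost>
"""

# The same fragment before the edits: advertised ports still 7777/4443.
SAMPLE_HTTPD_CONF_UNEDITED = (
    SAMPLE_HTTPD_CONF.replace("Port 80", "Port 7777").replace("Port 443", "Port 4443")
)

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(Port|Listen|ServerName|SSLEngine)\s+(\S+)", re.M | re.I)


def _directives(body):
    """Map lowercase directive name -> value for the directives we care about."""
    return {m.group(1).lower(): m.group(2) for m in DIRECTIVE_RE.finditer(body)}


def parse_httpd_conf(text):
    """Split the file into (global directives, list of VirtualHost blocks)."""
    vhosts = [
        {"address": m.group(1).strip(), "directives": _directives(m.group(2))}
        for m in VHOST_RE.finditer(text)
    ]
    # Strip the VirtualHost bodies so their Port lines are not read as global.
    return _directives(VHOST_RE.sub("", text)), vhosts


def check_advertised_ports(text, http_front=80, https_front=443, server_name=None):
    """Return human-readable findings; an empty list means the file matches the chapter."""
    findings = []
    global_dirs, vhosts = parse_httpd_conf(text)

    # Non-SSL side: Port must advertise the Web Cache HTTP port, Listen must not.
    if global_dirs.get("port") != str(http_front):
        findings.append(f"global Port is {global_dirs.get('port')}, expected {http_front}")
    if global_dirs.get("listen") == str(http_front):
        findings.append(
            f"global Listen was changed to {http_front}; Web Cache still forwards "
            "to the original back-end port"
        )

    # SSL side: the VirtualHost with SSLEngine on must advertise the HTTPS front-end port.
    ssl_vhosts = [v for v in vhosts if v["directives"].get("sslengine", "").lower() == "on"]
    if not ssl_vhosts:
        findings.append("no VirtualHost with SSLEngine on")
    for v in ssl_vhosts:
        d = v["directives"]
        if d.get("port") != str(https_front):
            findings.append(
                f"SSL VirtualHost {v['address']}: Port is {d.get('port')}, expected {https_front}"
            )
        # The port in the VirtualHost address is the back-end port Web Cache talks to.
        if v["address"].rsplit(":", 1)[-1] == str(https_front):
            findings.append(
                f"SSL VirtualHost {v['address']}: back-end port was changed to the front-end port"
            )
        if server_name and d.get("servername") != server_name:
            findings.append(
                f"SSL VirtualHost {v['address']}: ServerName is {d.get('servername')}, "
                f"expected {server_name}"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("edited", SAMPLE_HTTPD_CONF), ("unedited", SAMPLE_HTTPD_CONF_UNEDITED)):
        print(label, check_advertised_ports(conf, server_name="midtierhostname") or "OK")
```

To run it against a real installation, read $ORACLE_HOME/Apache/Apache/conf/httpd.conf into a string and pass it to check_advertised_ports with the ServerName you expect for your topology; run it before and after dcmctl updateconfig so you can see that the advertised ports changed and the Listen ports did not.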
The Portal Parallel Page Engine obtains the page metadata from the Portal repository and is responsible for assembling the portlets on a page. To secure the Portal Parallel Page Engine, you must edit its web.xml file and add some initialization parameters for SSL.
To configure the Portal Parallel Page Engine for SSL:
Open the following file in your Middle Tier installation:
$ORACLE_HOME/j2ee/OC4J_Portal/applications/portal/portal/WEB-INF/web.xml
Add the following lines just under the <servlet-class> element of the page servlet definition in this file. The lines to be added are the <init-param> block in the following example:
<servlet>
  <servlet-name>page</servlet-name>
  <servlet-class>oracle.webdb.page.ParallelServlet</servlet-class>
  <init-param>
    <param-name>httpsports</param-name>
    <param-value>443</param-value>
  </init-param>
</servlet>
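Editing web.xml by hand is fine for one host, but the same change is often repeated across several Middle Tiers. The following Python function is an added example, not Oracle's code: it locates the servlet named page, inserts the httpsports init-param directly after <servlet-class> as the step instructs, and is idempotent (running it twice updates the existing value instead of adding a duplicate). The minimal web.xml content is constructed for the example; the real file has many more elements and a DOCTYPE, which ElementTree does not preserve on output, so review the result before writing it back.

```python
import xml.etree.ElementTree as ET

# Constructed minimal web.xml (not the real OC4J_Portal file).
SAMPLE_WEB_XML = """\
<?xml version="1.0"?>
<web-app>
  <servlet>
    <servlet-name>page</servlet-name>
    <servlet-class>oracle.webdb.page.ParallelServlet</servlet-class>
  </servlet>
</web-app>
"""


def find_servlet(root, servlet_name):
    """Return the <servlet> element whose <servlet-name> matches, or raise."""
    for servlet in root.iter("servlet"):
        if (servlet.findtext("servlet-name") or "").strip() == servlet_name:
            return servlet
    raise ValueError(f"no <servlet> named {servlet_name!r}")


def set_init_param(web_xml_text, servlet_name, name, value):
    """Return web.xml text with <init-param> name=value on the named servlet.

    An existing parameter of that name is updated in place; otherwise the new
    element is inserted directly after <servlet-class>.
    """
    root = ET.fromstring(web_xml_text)
    servlet = find_servlet(root, servlet_name)
    for param in servlet.findall("init-param"):
        if (param.findtext("param-name") or "").strip() == name:
            param.find("param-value").text = value
            break
    else:
        param = ET.Element("init-param")
        ET.SubElement(param, "param-name").text = name
        ET.SubElement(param, "param-value").text = value
        children = list(servlet)
        servlet_class = servlet.find("servlet-class")
        # Place it right after <servlet-class>, or last if that element is absent.
        position = children.index(servlet_class) + 1 if servlet_class is not None else len(children)
        servlet.insert(position, param)
    return ET.tostring(root, encoding="unicode")


def get_init_param(web_xml_text, servlet_name, name):
    """Return the value of the named init-param, or None if it is not set."""
    servlet = find_servlet(ET.fromstring(web_xml_text), servlet_name)
    for param in servlet.findall("init-param"):
        if (param.findtext("param-name") or "").strip() == name:
            return (param.findtext("param-value") or "").strip()
    return None


if __name__ == "__main__":
    updated = set_init_param(SAMPLE_WEB_XML, "page", "httpsports", "443")
    print(updated)
    print("httpsports =", get_init_param(updated, "page", "httpsports"))
```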
The Oracle9iAS Single Sign-On module for the Oracle HTTP Server, mod_osso, is registered automatically with the Oracle9iAS Single Sign-On server when Oracle9iAS is installed. However, when SSL is enabled on the Oracle9iAS Single Sign-On server after installation, the mod_osso component should be registered again manually with the Oracle9iAS Single Sign-On server. This ensures that the Oracle9iAS Single Sign-On server listens for all authentication requests on the SSL port. If this registration is not done, then the user will be redirected to the single sign-on page using HTTP rather than HTTPS.
Running the Oracle9iAS Single Sign-On registration tool updates the mod_osso registration record in the osso.conf file to reflect the SSL settings of the Oracle9iAS Single Sign-On server. The Single Sign-On registration tool generates this file whenever it is run.
To run the Oracle9iAS Single Sign-On registration tool, complete the following steps on your Middle Tier installation:
Update your LD_LIBRARY_PATH environment variable as follows:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib:$ORACLE_HOME/jlib
export LD_LIBRARY_PATH
Run the Oracle9iAS Single Sign-On registration tool by running the following command:
Note: Replace the placeholder information (denoted by text in italic font) with the correct information for your environment. For example, for a single-box installation use webcachehostname. For a distributed installation, use midtierhostname.
$ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/sso/lib/ossoreg.jar \
  -oracle_home_path $ORACLE_HOME \
  -host infrastructure_hostname \
  -port 1521 \
  -sid iasdb \
  -site_name middleTier.webcachehostname|midtierhostname \
  -success_url https://webcachehostname|midtierhostname/osso_login_success \
  -logout_url https://webcachehostname|midtierhostname/osso_logout_success \
  -cancel_url https://webcachehostname|midtierhostname/ \
  -home_url https://webcachehostname|midtierhostname/ \
  -config_mod_osso TRUE \
  -u root \
  -sso_server_version v1.2
After the script is run, you should see the "SSO Registration Successful" message.
Restart the HTTP server for the Middle Tier by running the following commands:
dcmctl stop -ct ohs
dcmctl start -ct ohs -v
This section discusses the steps involved in configuring Portal for SSL. It contains the following topics:
Section 7.4.1, "Before You Begin"
Section 7.4.2, "Running the Portal Configuration Script"
Section 7.4.3, "Changing the Default Portal Page"
Before you run the Portal configuration script, ensure that a NET8 client like SQL*Plus can connect to the Portal Repository and Infrastructure on the infratierhostname from the midtierhostname. This requires a valid TNS alias defined in the $ORACLE_HOME/network/admin/tnsnames.ora file on the Middle Tier host.
Before you can run the Portal configuration script, you will also need the passwords for the following database users:
portal
orasso
orasso_ps
orasso_pa
To obtain these passwords:
Run the following from the command line. You must provide the correct values for orcladmin_password, infratierhostname and ldap_port (which is typically 389). For OrclresourceName, enter the name of the user whose password you want to retrieve (orasso, orasso_ps, orasso_pa or portal). The password is returned as the value of the orclpasswordattribute attribute of the entry retrieved from Oracle Internet Directory:
ldapsearch -D cn=orcladmin -w orcladmin_password -p ldap_port -h infratierhostname -b "cn=IAS,cn=Products,cn=OracleContext" -s sub -v OrclresourceName=orasso | grep orclpasswordattribute
You can also get these passwords by using the administrator interface of Oracle Internet Directory. After signing on to oidadmin as orcladmin, follow this path:
cn=orclcontext > cn=Products > cn=IAS > cn=IAS Infrastructure databases > cn=oracleReferenceName=iasdb.host.domain > cn=OrclresourceName=orasso, orasso_ps, orasso_pa, portal
To run the Portal configuration script:
Run the following script from $ORACLE_HOME/assistants/opca on the Middle Tier:
Note: Replace the placeholder information (denoted by text in italic font) with the correct information for your environment. For example, for a single-box installation use webcachehostname. For a distributed installation, use midtierhostname.
ptlasst.csh -i custom -mode MIDTIER \
  -s portal -sp portal_password \
  -c infrahostname:1521:iasdb -sdad portal \
  -o orasso -op orasso_password -odad orasso \
  -host webcachehostname|midtierhostname -port 443 \
  -silent -verbose \
  -ldap_d "cn=orcladmin" -ldap_h infratierhostname -ldap_p ldap_port -ldap_w oid_admin_password \
  -pwd initial_password_for_oid_seeded_users \
  -sso_c infrastructure:1521:iasdb \
  -mc false -mi true \
  -chost webcachehostname|midtierhostname \
  -cport_i cache_port_for_webcache_invalidation \
  -cport_a cache_port_for_webcache_administration \
  -wc_i_pwd invalidator -wc on \
  -pa orasso_pa -pap orasso_pa_password \
  -ps orasso_ps -pp orasso_ps_password \
  -sso_h webcacheipaddress|infratierhostname -sso_p 443 \
  -oh $ORACLE_HOME \
  -emhost midtierhostname -emport 1810 \
  -p_tns iasdb.hostname.domain -s_tns iasdb.hostname.domain \
  -iasname middle.middletierhostname \
  -ssl
After the script is run, stop all the Middle Tier components:
opmnctl stopall
Clear the cache by removing the directories $ORACLE_HOME/Apache/modplsql/cache/plsql and $ORACLE_HOME/Apache/modplsql/cache/sessions. These directories will be re-created.
Restart all the Middle Tier components:
opmnctl startall
To finish the configuration for Portal, you must change all of the URLs on the default Portal page to use the HTTPS protocol rather than HTTP.
To edit the default Portal page:
Open the following file in your Middle Tier installation:
$ORACLE_HOME/webclient/classes/oracle/collabsuite/webclient/resources/webclient.properties
Change the following URLs from http:// to https:// and enter the correct host name according to the following example. For a single-box installation, you must use webcachehostname in place of hostname. For a distributed installation, you must use midtierhostname in place of hostname.
quicktour.url = https://hostname/quicktutorial/index.htm
tools.url = https://hostname/download/index.html
#Do not change this line.
mail.help.url = http://collabtng11.us.oracle.com:7778/um/help/_MAIL_LOCALE_TOKEN_/The_All_Messages_Subtab.htm
files.help.url = https://hostname/files/app/WelcomeHelp
# The entry point to the Calendar online help system:
# Note: Do not change the value for _CAL_LOCALE_TOKEN_.
# This value is replaced dynamically by application.
calendar.help.url = http://hostname:port/ocas/ocwc/_CAL_LOCALE_TOKEN_/help/helptoc.htm
#Do not need to change this url
imeeting.help.url = http://hostname:port/imthelp/help
search.help.url = https://hostname/files/app/FederatedSearchHelp
wireless.help.url = https://hostname/marconi/help
mail=https://hostname/um/traffic_cop
calendar=https://hostname/ocas-bin/ocas.fcgi?sub=web
files=https://hostname/files/app
search=https://hostname/files/app/FederatedSearch
wireless=https://hostname/marconi/welcome.uix
portal=https://hostname/pls/portal/PORTAL.wwsec_app_priv.login
imeeting=https://hostname/imtapp/app/home.uix
mail.provider=https://hostname/um/servlet/soaprouter
files.provider=https://hostname/files/Portlet
search.provider=https://hostname/files/Portlet/search
wireless.provider=https://hostname/marconi/servlet/soaprouter
webclient.provider=https://hostname/webclient-common/servlet/soaprouter
imeeting.provider=https://hostname/webclient-imeeting/servlet/soaprouter
calendar.provider=https://hostname/webclient-calendar/servlet/soaprouter
After editing this file, run the following script to update the Portal Repository with the correct URLs:
$ORACLE_HOME/webclient/bin/webclient_Installer.sh
Stop and restart all Middle Tier components:
opmnctl stopall
opmnctl startall
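A single entry left on http:// or still carrying the hostname placeholder sends users to a plain-HTTP login or a dead link after the Portal Repository is updated. The following Python script is an added example (not part of the Oracle documentation) that parses a webclient.properties file and reports every URL entry that is not https:// or does not point at the expected host. The properties excerpt and the host mid.example.com are constructed for the example; treating an entry as exempt when the comment directly above it says "do not change" is my assumption, made to match the comments in the file shown above.

```python
from urllib.parse import urlsplit

# Constructed webclient.properties excerpt (not the real file). One entry is
# exempt by its comment, one still uses http://, one still has the placeholder.
SAMPLE_PROPERTIES = """\
quicktour.url = https://mid.example.com/quicktutorial/index.htm
#Do not change this line.
mail.help.url = http://collabtng11.us.oracle.com:7778/um/help/messages.htm
files.help.url = https://hostname/files/app/WelcomeHelp
mail=https://mid.example.com/um/traffic_cop
calendar=https://mid.example.com/ocas-bin/ocas.fcgi?sub=web
portal=http://mid.example.com/pls/portal/PORTAL.wwsec_app_priv.login
"""


def parse_properties(text):
    """Yield (key, value, preceding_comment) for each key=value line.

    The comment is the '#' line directly above the entry, or None. Splitting on
    the first '=' keeps query strings such as '?sub=web' intact in the value.
    """
    comment = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            comment = line
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield key.strip(), value.strip(), comment
        comment = None


def check_https_urls(text, expected_host):
    """Return [(key, reason)] for URL entries that are not https:// on expected_host."""
    findings = []
    for key, value, comment in parse_properties(text):
        if not value.startswith(("http://", "https://")):
            continue  # not a URL entry
        # Assumption: a "do not change" comment directly above an entry exempts it.
        if comment and "do not" in comment.lower():
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            findings.append((key, f"still uses {parts.scheme}://"))
        if parts.hostname != expected_host:
            findings.append((key, f"host is {parts.hostname!r}, expected {expected_host!r}"))
    return findings


if __name__ == "__main__":
    for key, reason in check_https_urls(SAMPLE_PROPERTIES, "mid.example.com"):
        print(f"{key}: {reason}")
```

Run it against the real file by reading it into a string and passing webcachehostname or midtierhostname as expected_host before executing webclient_Installer.sh, since the script pushes whatever is in the file into the Portal Repository.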