Oracle® Application Server Integration B2B User's Guide
10g Release 2 (10.1.2)
B19370-03
20 OracleAS Integration B2B Security

This chapter describes the architecture and configuration of security for OracleAS Integration B2B.


20.1 The OracleAS Integration B2B Security Model

This section describes the OracleAS Integration B2B security model.

20.1.1 Classes of Users and Their Privileges

A single user named admin is automatically created during OracleAS Integration B2B installation. Its initial password is the one you specified for the Oracle Application Server administrator, ias_admin, when prompted during the J2EE and Web Cache and OracleAS Integration B2B installations. Because this is only the initial value, change the admin password after installation so that the OracleAS Integration B2B admin user does not continue to share a secret with the ias_admin user.

The admin user is assigned a single default role named Administrator. The Administrator role consists of the use cases (privileges) that enable the admin user to use the entire functionality of the OracleAS Integration B2B user interface to design, deploy, monitor, and manage integrations. A Reports role is also available for users (such as business analysts) who require access only to the Reports tab of the OracleAS Integration B2B user interface; give such users the Reports role rather than Administrator. The admin user can create additional users and assign them the Administrator role.

You can also administer portions of OracleAS Integration B2B from the Oracle Enterprise Manager 10g Application Server Control Console. Log in with the ias_admin username. Use the same password for ias_admin that you specified when prompted during the J2EE and Web Cache and OracleAS Integration B2B installations.


20.1.2 Resources Protected

The following security is provided for protecting resources:

  • The partner data that you design with the OracleAS Integration B2B user interface is protected by both the admin username and password and by the security provided by the Oracle database used for the Oracle Application Server Metadata Repository.

  • Oracle Net traffic between OracleAS Integration B2B and the Oracle Application Server Metadata Repository can be encrypted with Oracle Advanced Security (see "Configuration Issues and Options for Oracle Application Server Security"). Access to the OracleAS Integration B2B user interface can be protected with secure HTTP.

  • Transport protocols that enable communication between applications and OracleAS Integration B2B use their own security (such as HTTP, FTP, and SMTP) to restrict access to data.

  • The messages that trading partners send and receive during integrations between enterprises are protected by the following levels of security:

    • Digital envelopes and certificates

    • Digital signatures for host and remote trading partners

    • Secure HTTP (using secure socket layer (SSL))

    • Encrypted wallet password for a host trading partner

See "OracleAS Integration B2B Security Configuration" for an overview of security configuration for integrations between enterprises.

20.1.3 Authorization and Access Enforcement

When you attempt to access the OracleAS Integration B2B user interface, you are prompted for a username and password. The user interface, and with it the ability to design, deploy, and manage integrations between enterprises, is available only to a user who presents valid credentials; what that user can then do is determined by the role (Administrator or Reports) assigned to the user.

20.1.4 Use of Oracle Application Server Security Services

Oracle Application Server provides a series of security services. OracleAS Integration B2B enables you to use SSL to secure connections between host and remote trading partners. SSL uses a public key infrastructure: the server (and, when client authentication is enabled, the client) is authenticated by its certificate, and the session is encrypted and integrity-protected.

Secure HTTP can also be used to secure the OracleAS Integration B2B user interface.

See Oracle Application Server Security Guide for a description of Oracle Application Server security services.

20.1.5 Use of Oracle Identity Management Infrastructure

This release of OracleAS Integration B2B does not require use of Oracle Identity Management infrastructure features; Oracle Identity Management is optionally selectable for use during OracleAS Integration B2B installation and is only used for OracleAS Integration B2B schema password storage.

20.2 Configuring Oracle Application Server Security Framework for OracleAS Integration B2B

This section describes Oracle Application Server security options to configure to use OracleAS Integration B2B.

20.2.1 OracleAS Integration B2B Security Framework Configuration Issues

The OracleAS Integration B2B schema is protected by a password created during Oracle Application Server Infrastructure installation. The schema is stored in the metadata repository of Oracle Application Server Infrastructure, to which you configure access during OracleAS Integration B2B installation. The partner data you design, deploy, and manage with the OracleAS Integration B2B user interface is stored in this same metadata repository, so the schema password and the database's own access controls protect that data as well.


20.2.2 Identity Management Configuration Issues Specific to OracleAS Integration B2B

This initial release of OracleAS Integration B2B does not use the Oracle Identity Management infrastructure to authenticate or authorize its users; as noted in "Use of Oracle Identity Management Infrastructure", it can optionally be used only for schema password storage. Therefore, there are no identity management configuration issues and options specific to OracleAS Integration B2B.

20.3 Configuring OracleAS Integration B2B Security

This section provides an overview of OracleAS Integration B2B installation and configuration issues.

20.3.1 OracleAS Integration B2B Installation

This section describes OracleAS Integration B2B security installation issues.

20.3.1.1 Required Information for Installing OracleAS Integration B2B

While you do not specify security parameters when installing OracleAS Integration B2B, the Oracle Application Server administrator must know the following information to install OracleAS Integration B2B:

  • The name of the host on which the Oracle Application Server Infrastructure installation to use as the metadata repository is installed

  • The specific Oracle Application Server Infrastructure installation on that host that includes the OracleAS Integration B2B schema

  • The OracleAS Integration B2B schema password automatically created during Oracle Application Server Infrastructure installation

  • The ias_admin password specified during J2EE and Web Cache installation, which is used as the initial password for the OracleAS Integration B2B admin user and for the Oracle Enterprise Manager 10g Application Server Control Console ias_admin user

See Oracle Application Server Integration B2B Installation Guide for OracleAS Integration B2B installation instructions.

20.3.2 OracleAS Integration B2B Security Configuration

You configure security with the OracleAS Integration B2B user interface after installation. OracleAS Integration B2B provides the following levels of security, each described in the sections that follow:

  • Digital envelopes and certificates for host and remote trading partners

  • Digital signatures for host and remote trading partners

  • Secure HTTP and client authentication

  • Encrypted wallet passwords for host trading partners

See "Creating a Trading Partner Agreement" to create a trading partner agreement to which to assign a trading partner with its delivery channel characteristics.

20.3.2.1 Digital Envelopes and Certificates for Host and Remote Trading Partners

Business messages sent to a remote trading partner can be encrypted with that partner's certificate: the message is enclosed in a digital envelope that only the holder of the matching private key can open. Table 20-1 provides an overview of the tasks.

Table 20-1 Host and Remote Trading Partner Certificate Tasks

Task 1: Assign a digital envelope to a remote trading partner with the Create Trading Partner wizard:

  • Select Yes from the Encryption Enabled list of the Create Trading Partner: Delivery Channel page.

  • Select a digital envelope from the Digital Envelope list of the Create Trading Partner: Document Exchange page.

Task 2: Assign remote trading partner certificates through either of two methods:

  • With the Create Trading Partner wizard:

    • Enter a remote certificate name in the Name field of the Create Trading Partner: Document Exchange page.

    • Click Browse to select a certificate file for the Certificate File field of the Create Trading Partner: Document Exchange page.

  • Without the Create Trading Partner wizard.

    Note: Creating a remote trading partner certificate through this second method means that you must manually attach the correct digital envelope.

Task 3: Assign a wallet password to the host trading partner in the user interface:

  • Create a wallet password with the user interface.

  • Specify a wallet location on the Server Properties page of Oracle Enterprise Manager 10g Application Server Control Console.

These digital envelope and remote trading partner certificate details comprise a portion of the delivery channel characteristics. You can then assign the delivery channel to a trading partner participating in a trading partner agreement.


20.3.2.2 Digital Signatures for Host and Remote Trading Partners

You can use a digital signature with host and remote trading partners. A signature made with the sender's private key lets the receiver verify, using the sender's certificate, that the message came from that partner and was not altered in transit; it is also the basis for the non-repudiation of origin and of receipt settings described below. Table 20-2 provides an overview of the tasks for configuring digital signatures.

Table 20-2 Digital Signature Tasks

Task 1: Assign digital signatures to host and remote trading partners with the Create Trading Partner wizard:

  • Select Yes from the Is Non-Repudiation of Origin Required list and Is Non-Repudiation of Receipt Required list on the Create Trading Partner: Delivery Channel page.

    Notes: If you select Yes from the Is Non-Repudiation of Origin Required list, you must also select Yes from the Is Non-Repudiation of Receipt Required list.

    In a trading partner agreement, both the host and remote trading partners must have the same values for Is Non-Repudiation of Origin Required and Is Non-Repudiation of Receipt Required.

  • Select a digital signature from the Digital Signature list of the Create Trading Partner: Document Exchange page.

    Note: Oracle recommends that you select a digital signature that uses SHA-RSA.

Task 2: Assign a signing credential (the certificate used to verify the remote partner's signatures) to a remote trading partner with the Create Trading Partner wizard:

  • Enter a signing credential name in the Name field of the Create Trading Partner: Document Exchange page.

  • Click Browse to select a signing credential for the Certificate File field of the Create Trading Partner: Document Exchange page.

Task 3: Assign a wallet password to the host trading partner:

  • Update the wallet password in the user interface.

  • Update the wallet location on the Server Properties page of Oracle Enterprise Manager 10g Application Server Control Console.

These digital signature details comprise a portion of the delivery channel characteristics. You can then assign the delivery channel to a trading partner participating in a trading partner agreement.


20.3.2.3 Secure HTTP and Client Authentication

You can use SSL to secure connections between host and remote trading partners. Server authentication alone proves the identity of the server to the connecting party; enable client authentication as well (Part 4) so that a remote trading partner must present a certificate from a trusted CA before the transport servlet accepts its messages. Table 20-3 provides an overview of the parts of configuring SSL.

Table 20-3 SSL Tasks

Part 1: Assign SSL for transport security with the Create Trading Partner wizard:

  • Select Yes from the Transport Security Enabled list of the Create Trading Partner: Delivery Channel page.

  • Select HTTP 1.0 (Secure) or HTTP 1.1 (Secure) from the Transport Protocol list of the Create Trading Partner: Transport page.

Part 2: Establish trust in the trading partner's certificate authority (CA). See Oracle Application Server Administrator's Guide.

  • Import the trading partner's CA certificate into Oracle Wallet Manager.

  • Export the entire wallet into a text file. The file requires a .txt extension.

  • Place this file in the same location as the original wallet file.

Part 3: Assign a wallet password to the host trading partner:

  • Update the wallet password you created previously.

  • Update the wallet location on the Server Properties page of Oracle Enterprise Manager 10g Application Server Control Console.

Part 4: Configure SSL server and client authentication for Oracle Application Server. See:

  • Oracle Application Server Administrator's Guide

  • Oracle Application Server Security Guide

These SSL details comprise a portion of the delivery channel characteristics. You can then assign the delivery channel to a trading partner participating in a trading partner agreement.


Note:

Oracle Wallet Manager imports only base64 (PEM) encoded certificate files. Use Internet Explorer or another tool to convert a binary (DER) encoded certificate to base64 before importing it.
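The conversion that the note leaves to Internet Explorer "or another tool" can be done without a browser. The following Python script is an added example for this guide; it is not part of OracleAS Integration B2B or of Oracle Wallet Manager. It detects whether a certificate file already carries base64 (PEM) armour, checks the outer ASN.1 length of a binary DER file against the file size so that a truncated or padded download is caught before it reaches Oracle Wallet Manager, and writes the base64 form with the 64-column line wrapping that PEM readers expect. The DER byte strings at the bottom are constructed ASN.1 stand-ins (SEQUENCE { INTEGER 5 }), not real certificates.

```python
import base64

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def is_pem(data: bytes) -> bool:
    """True when the file already carries base64 PEM armour."""
    return data.lstrip().startswith(b"-----BEGIN ")


def der_total_length(der: bytes) -> int:
    """Length (tag + length octets + content) of the outer ASN.1 SEQUENCE.

    A DER-encoded X.509 certificate always starts with the SEQUENCE tag 0x30.
    Comparing the declared length with the file size catches truncated or
    padded files that a plain base64 encoder would pass through silently.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE; not a DER-encoded certificate")
    first = der[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def der_to_pem(der: bytes) -> str:
    """Base64-armour a DER certificate, 64 characters per line."""
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match file size (truncated or trailing data)")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armour and decode; used here to confirm the round trip."""
    body = pem.split(PEM_HEADER, 1)[1].split(PEM_FOOTER, 1)[0]
    return base64.b64decode("".join(body.split()))


def ensure_base64(data: bytes) -> str:
    """Return PEM text whether the input file was PEM or DER."""
    return data.decode("ascii") if is_pem(data) else der_to_pem(data)


# Constructed ASN.1 stand-ins (SEQUENCE { INTEGER 5 }), not real certificates.
SHORT_FORM_DER = b"\x30\x03\x02\x01\x05"          # short-form length octet
LONG_FORM_DER = b"\x30\x81\x03\x02\x01\x05"       # long-form, one length octet

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        sys.stdout.write(ensure_base64(f.read()))
```

Run it as `python convert_cert.py partner_ca.cer > partner_ca.txt` (the file names are illustrative) and import the resulting text file into Oracle Wallet Manager. A certificate whose declared length does not match the file is rejected rather than imported as a corrupt trust point.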


20.3.2.3.1 Troubleshooting SSL Setup

Follow these instructions to troubleshoot SSL setup:

Use a browser to connect to the secure HTTP URL of the trading partner. Upon successful connection, the following details are viewable:

  • If you are using Internet Explorer, then from File, select Properties. The connection information (protocol and cipher strength) appears, together with a Certificates button that displays the server certificate. Check that the issuer shown is the CA that you imported into the wallet in Part 2 of Table 20-3; the browser's own trust store and the wallet are independent, so a connection that a browser accepts can still be rejected by the B2B server.

  • You may get a confirmation page from the remote server.

20.3.2.3.2 Verifying SSL Client Authentication

Follow these instructions to verify SSL client authentication, that is, that the certificate in the host's wallet is accepted by the remote server as a client certificate:

  • Using the Netscape browser:

    1. Import the Oracle Wallet (the .p12 file produced by Oracle Wallet Manager) by selecting Communicator, then Tools, then Security Info, then Certificates, then Yours, and then Import a Certificate from the main menu.

    2. Connect to the secure HTTP URL.

  • Using the Internet Explorer browser:

    Internet Explorer does not recognize the .p12 file produced by Oracle Wallet Manager directly. Use Netscape to convert it:

    1. Import the Oracle Wallet into Netscape by selecting Communicator, then Tools, then Security Info, then Certificates, then Yours, and then Import a Certificate from the main menu.

    2. Export the certificate from Netscape by selecting Communicator, then Tools, then Security Info, then Certificates, then Yours, and then Export.

    3. Import the exported file into Internet Explorer and try connecting to the secure HTTP URL.

20.3.2.4 Encrypted Wallet Passwords for Host Trading Partners

OracleAS Integration B2B uses an Oracle Wallet for storing the host trading partner's private key and certificate together with the trusted certificates of trading partners and their CAs. A wallet password is required for accessing an Oracle Wallet. You create an initial wallet password and an Oracle Wallet with Oracle Wallet Manager. The wallet password is stored in encrypted format in the Oracle Application Server Metadata Repository. This wallet is used for digital envelopes, digital signatures, and SSL. Table 20-4 provides an overview of the tasks to perform in the OracleAS Integration B2B user interface after you create the wallet password and Oracle Wallet:

Table 20-4 Host Trading Partner Wallet Password

  • Create a host trading partner wallet password. See "Creating a Host Trading Partner Wallet Password".

    Note: Enter the same wallet password that you created in Oracle Wallet Manager. If you later change the wallet password in Oracle Wallet Manager, you must also update the password in the OracleAS Integration B2B user interface.

  • Specify the directory location for the wallet file. See "OracleAS Integration B2B Middle-Tier Instance Server Properties" to access the OracleAS Integration B2B server properties (under the Server Properties section) with Oracle Enterprise Manager 10g Application Server Control Console. The Wallet Location property enables you to specify the directory location for the wallet file.


20.3.3 Host Trading Partner Password Encryption in High Availability Environments

OracleAS Integration B2B automatically encrypts the host trading partner's OracleAS Integration B2B passwords with an obfuscated encryption key created during installation. If you want to change this key value, do so during OracleAS Integration B2B downtime, because all passwords within the OracleAS Integration B2B schema are re-encrypted under the new key while the change is applied.

If OracleAS Integration B2B is part of a high availability or disaster recovery configuration and you want to change the encryption key, you must perform the following procedure. The schema is shared by every instance in the configuration, so it is re-encrypted once, from the primary system only; each secondary system is then given the new key without re-encrypting.

  1. Follow the instructions in "Managing and Monitoring a Middle-Tier Instance from Oracle Enterprise Manager 10g Application Server Control Console" to log in to the Oracle Enterprise Manager 10g Application Server Control Console and access the primary OracleAS Integration B2B instance.

  2. Shut down the B2B server and Oracle Application Server Containers for J2EE (OC4J) instance subcomponents on the primary system on which OracleAS Integration B2B is installed.

  3. Go to the Security Key parameter on the Server Properties page and make the following changes:

    a. Change the encryption key in the Security Key field.

    b. Check the Re-encrypt Security Key for B2B Repository box.

      This action re-encrypts the passwords stored in the OracleAS Integration B2B schema under the new key.

  4. Click Apply.

  5. Go to the secondary (or backup) system of which OracleAS Integration B2B is a part.

  6. Repeat Step 2 on the secondary system, then go to the Security Key parameter on its Server Properties page.

  7. Enter the same encryption key in the Security Key field as you did in Step 3a. However, do not check the Re-encrypt Security Key for B2B Repository box: the shared schema has already been re-encrypted from the primary system and must not be re-encrypted a second time.

  8. Repeat Steps 5 through 7 for each additional secondary system.

  9. Restart the primary and secondary systems.
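The reason Step 7 must leave the Re-encrypt box unchecked is easiest to see with a model. The following Python program is an added example written for this guide; it is not OracleAS Integration B2B code, and the cipher (a SHA-256 counter-mode keystream with an HMAC tag) is a stand-in for whatever the product uses internally. Every instance holds its own copy of the Security Key while the encrypted passwords live in one repository that all instances share. Rotating the key correctly re-encrypts the repository once from the primary and only updates the key on each secondary; a secondary that also re-encrypts is trying to decrypt records that are already under the new key with the old key it still holds, which the model detects and refuses.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; a stand-in for the product's cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag, so a wrong key is detected rather than ignored."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record was not encrypted under this key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class SharedRepository:
    """Stands in for the B2B schema that every instance in the configuration shares."""
    def __init__(self):
        self.records = {}


class B2BInstance:
    """One middle-tier instance; it holds only its own copy of the Security Key."""
    def __init__(self, name: str, repo: SharedRepository, security_key: bytes):
        self.name, self.repo, self.security_key = name, repo, security_key

    def store(self, label: str, secret: bytes) -> None:
        self.repo.records[label] = encrypt(self.security_key, secret)

    def read(self, label: str) -> bytes:
        return decrypt(self.security_key, self.repo.records[label])

    def apply_security_key(self, new_key: bytes, reencrypt_repository: bool) -> None:
        """Server Properties > Security Key, with or without the Re-encrypt box checked."""
        if reencrypt_repository:
            # Decrypt every stored password with the key this instance still holds
            # and re-encrypt it under the new key. Valid only once, from the primary.
            for label, blob in list(self.repo.records.items()):
                self.repo.records[label] = encrypt(new_key, decrypt(self.security_key, blob))
        self.security_key = new_key


def build_cluster():
    """Constructed sample: one primary, one secondary, one stored wallet password."""
    repo = SharedRepository()
    initial_key = b"key-created-at-install"
    primary = B2BInstance("primary", repo, initial_key)
    secondary = B2BInstance("secondary", repo, initial_key)
    primary.store("wallet_password", b"wallet-secret")
    return primary, [secondary]


def rotate_key(primary, secondaries, new_key: bytes, secondary_reencrypts: bool = False) -> str:
    """Steps 3 through 8 of the procedure. Returns 'ok' or a description of the failure."""
    primary.apply_security_key(new_key, reencrypt_repository=True)          # Step 3b: primary only
    node = None
    try:
        for node in secondaries:                                             # Steps 5 to 8
            node.apply_security_key(new_key, reencrypt_repository=secondary_reencrypts)
    except ValueError as exc:
        return f"rotation failed on {node.name}: {exc}"
    readable = all(n.read("wallet_password") == primary.read("wallet_password") for n in secondaries)
    return "ok" if readable else "secondaries cannot read the repository"
```

With `secondary_reencrypts=False` (the documented procedure) every instance reads the repository after the rotation; with `secondary_reencrypts=True` the secondary fails immediately because its old key no longer matches the records. A product cipher without an integrity tag would not fail loudly; it would silently write unreadable passwords back into the shared schema, which is why the procedure has to be followed exactly.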

20.3.4 Configuration Issues and Options for Oracle Application Server Security

You can enable encryption between OracleAS Integration B2B and the OracleAS Metadata Repository by setting several Oracle Net configuration parameters in sqlnet.ora. The following example, reproduced as printed in this guide, encrypts the Oracle Net (JDBC) connection:

sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
sqlnet.crypto_seed ="-kdje83kkep39487dvmlqEPTbxxe70273"

Treat these values as a syntax example only. RC4_40 is a 40-bit, export-grade cipher; choose a stronger algorithm that Oracle Advanced Security supports, such as AES256. The values accepted and requested only negotiate encryption and still allow an unencrypted session when the other side does not offer it; set both sides to required to enforce encryption, and set the corresponding sqlnet.crypto_checksum parameters to required to enforce integrity checking. Do not reuse the crypto_seed shown here, which is public; supply your own value of 10 to 70 random characters. Note also that sqlnet.ora applies to Oracle Net (OCI-based) clients; if the middle tier connects with the JDBC Thin driver, the same settings are passed as connection properties (oracle.net.encryption_client and related properties) instead.


See Also:

Oracle Database Advanced Security Administrator's Guide available on the Oracle Technology Network:
http://www.oracle.com/technology
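Because the example above is the kind of fragment that gets pasted into production sqlnet.ora files unchanged, a small audit script is worth keeping next to it. The following Python program is an added example written for this guide, not Oracle code: it parses the sqlnet.ora assignment syntax (comments, quoted values, parenthesised lists), flags negotiated rather than enforced encryption and integrity modes, flags export-grade, single-DES and RC4 cipher names, and flags a crypto_seed that is the published example or too short. The two sqlnet.ora fragments are constructed for the demonstration; the hardened one uses the algorithm names (AES256, AES192, SHA1) that Oracle Advanced Security documents, and its seed is a placeholder you must replace with your own random value.

```python
import re

# Export-grade, single-DES and RC4 algorithms: flag any of them.
WEAK_CIPHERS = {"RC4_40", "RC4_56", "RC4_128", "RC4_256", "DES", "DES40", "3DES112"}
# The seed value printed in this guide; it must never be reused on a real system.
PUBLISHED_SEED = "-kdje83kkep39487dvmlqEPTbxxe70273"

_ASSIGNMENT = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

# Constructed sqlnet.ora fragments for the demonstration.
WEAK_SQLNET = """\
sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
sqlnet.crypto_seed ="-kdje83kkep39487dvmlqEPTbxxe70273"
"""

HARDENED_SQLNET = """\
# Enforce encryption and integrity on both ends.
sqlnet.encryption_server=required
sqlnet.encryption_client=required
sqlnet.encryption_types_server=(AES256, AES192)
sqlnet.encryption_types_client=(AES256)
sqlnet.crypto_checksum_server=required
sqlnet.crypto_checksum_client=required
sqlnet.crypto_checksum_types_server=(SHA1)
sqlnet.crypto_checksum_types_client=(SHA1)
# Placeholder seed: replace with 10-70 random characters of your own.
sqlnet.crypto_seed="7f2c9e1b4a8d63f0e5c2b7a19d4e8c3f2"
"""


def parse_sqlnet(text: str) -> dict:
    """Map lower-cased parameter names to values; parenthesised lists become Python lists."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = _ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[name] = value
    return params


def audit_sqlnet(text: str) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    p = parse_sqlnet(text)
    findings = []
    for side in ("server", "client"):
        # Oracle's default for both mode parameters is ACCEPTED, i.e. negotiated only.
        mode = str(p.get(f"sqlnet.encryption_{side}", "accepted")).lower()
        if mode != "required":
            findings.append(f"encryption_{side}={mode}: encryption is negotiated, not enforced")
        algorithms = p.get(f"sqlnet.encryption_types_{side}", [])
        for alg in ([algorithms] if isinstance(algorithms, str) else algorithms):
            if alg.upper() in WEAK_CIPHERS:
                findings.append(f"encryption_types_{side} allows weak cipher {alg}")
        checksum = str(p.get(f"sqlnet.crypto_checksum_{side}", "accepted")).lower()
        if checksum != "required":
            findings.append(f"crypto_checksum_{side}={checksum}: integrity checking is not enforced")
    seed = p.get("sqlnet.crypto_seed")
    if seed is not None and (seed == PUBLISHED_SEED or len(seed) < 10):
        findings.append("crypto_seed is the published example or too short; use 10-70 random characters")
    return findings


if __name__ == "__main__":
    import sys
    for finding in audit_sqlnet(open(sys.argv[1]).read()):
        print(finding)
```

Run it against both the database server's and the middle tier's sqlnet.ora, since the weaker of the two sides decides what is negotiated. The guide's own fragment produces seven findings; the hardened fragment produces none.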

20.3.5 Oracle HTTP Server Transport Servlet and OracleAS Integration B2B

OracleAS Integration B2B is integrated with the transport servlet of the Oracle HTTP Server to provide security for incoming messages of trading partners.

Messages sent from remote trading partners must first pass through the transport servlet of the Oracle HTTP Server that is automatically deployed after installation. The transport servlet receives the messages and passes them over a remote method invocation (RMI) port to the instance name on which the B2B server component of OracleAS Integration B2B listens. RMI enables the separate Java processes of the Oracle HTTP Server and the B2B server to communicate, and it also provides scalability: one transport servlet can be configured to communicate with multiple B2B servers. The B2B server then processes the messages.

Figure 20-1 shows Oracle HTTP Server and OracleAS Integration B2B configuration.

Figure 20-1 Oracle HTTP Server and OracleAS Integration B2B


The RMI port number and instance name to which the OracleAS Integration B2B listens are automatically configured with the same values in both the transport servlet's web.xml file and in the OracleAS Integration B2B server properties settings (accessible from the Oracle Enterprise Manager 10g Application Server Control Console). These values must be the same. If you change these values in one location, you must also change them to the same values in the other location.

This procedure is followed only for incoming messages from remote trading partners.
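A mismatch between the two copies of the RMI settings is a silent failure: the transport servlet accepts a partner's message and then cannot hand it to a B2B server. The following Python script is an added example written for this guide, not Oracle code, that reads the transport servlet's init-params from a web.xml and compares them with an exported key=value copy of the server properties. The init-param names rmi_port and rmi_instance_name, the servlet name transportServlet, the servlet class and both configuration fragments are constructed assumptions for the demonstration; this chapter does not state the real names, so take them from your own web.xml and Server Properties page.

```python
import xml.etree.ElementTree as ET

# Assumed init-param / property names; read the real ones from your installation.
RMI_KEYS = ("rmi_port", "rmi_instance_name")

# Constructed transport-servlet web.xml (servlet class is a placeholder).
WEB_XML = """<?xml version="1.0"?>
<web-app>
  <servlet>
    <servlet-name>transportServlet</servlet-name>
    <servlet-class>example.TransportServlet</servlet-class>
    <init-param>
      <param-name>rmi_port</param-name>
      <param-value>9000</param-value>
    </init-param>
    <init-param>
      <param-name>rmi_instance_name</param-name>
      <param-value>b2b_instance1</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed key=value copy of the B2B server properties.
SERVER_PROPERTIES = """\
# values copied from the Server Properties page (constructed sample)
rmi_port = 9000
rmi_instance_name = b2b_instance1
"""


def _local(tag: str) -> str:
    """Strip an XML namespace so the check works with and without a web-app xmlns."""
    return tag.rsplit("}", 1)[-1]


def servlet_init_params(web_xml: str, servlet_name: str) -> dict:
    """Return {param-name: param-value} for the named servlet."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c for c in servlet if _local(c.tag) == "servlet-name"]
        if not names or (names[0].text or "").strip() != servlet_name:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name")] = kv.get("param-value")
        return params
    raise KeyError(f"servlet {servlet_name!r} not found in web.xml")


def parse_properties(text: str) -> dict:
    """Minimal key=value parser; '#' starts a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return props


def rmi_mismatches(web_xml: str, props_text: str,
                   servlet_name: str = "transportServlet", keys=RMI_KEYS) -> list:
    """(key, servlet value, server value) for every key that differs or is missing on either side."""
    servlet = servlet_init_params(web_xml, servlet_name)
    server = parse_properties(props_text)
    return [(k, servlet.get(k), server.get(k))
            for k in keys
            if servlet.get(k) is None or servlet.get(k) != server.get(k)]
```

Run the comparison after every change to either location and after applying a patch that redeploys the transport servlet; an empty result means the two copies agree.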

For security reasons, Oracle recommends that you install and configure an additional Oracle HTTP Server outside your corporate network (for example, in a demilitarized zone) to receive messages from remote trading partners and pass them on to the Oracle HTTP Server and OracleAS Integration B2B instances inside your corporate network. This additional Oracle HTTP Server hides the actual location of the host trading partner from all outside parties. Only the internal Oracle HTTP Server that hosts the transport servlet needs to reach the RMI port of the B2B server; do not expose that port to the external Oracle HTTP Server or to trading partners.


See Also:

  • Oracle Application Server Integration B2B Installation Guide for instructions on configuring an additional Oracle HTTP Server outside your corporate network

  • Oracle HTTP Server Administrator's Guide for additional transport servlet details

  • Oracle Enterprise Manager 10g Application Server Control Console online Help for instructions on setting RMI port and RMI instance name values

  • Oracle Application Server High Availability Guide for instructions on changing the RMI hostname value for high availability environments in which you have multiple OracleAS Integration B2B instances using the same Oracle Application Server Metadata Repository


20.4 Summary

This chapter describes the security provisions of OracleAS Integration B2B, including how to use the OracleAS Integration B2B user interface to configure digital envelopes, remote trading partner certificates, digital signatures, SSL, and host trading partner wallet passwords.