Oracle® Collaboration Suite Security Guide 10g Release 1 (10.1.1) Part Number B14489-02
This chapter provides instructions for enabling and configuring SSL in Oracle Collaboration Suite.
It contains these topics:
SSL Configuration in Oracle Collaboration Suite Infrastructure
SSL Configuration in Oracle Collaboration Suite Applications
The Oracle Collaboration Suite Deployment Guide discusses various deployment topologies. It presents sample architectures for Oracle Collaboration Suite installation types. After you have identified the components on which you need to enable SSL, use the instructions in this chapter to configure the components.
To enable SSL on Infrastructure, run the following script on the Infrastructure instance:
$ORACLE_HOME/bin/SSLConfigTool -config_w_default -opwd <orcladmin user password>
This section contains the following topics:
Run the following script on the Applications tier instance:
$ORACLE_HOME/bin/midtierSSLConfigTool.<sh|bat> <oid hostname> <oid port> <oid admin dn> <oid admin password> <http server SSL port> <https> <hostname of the computer> <True | False>
Where:
oid hostname: the host name of the Oracle Internet Directory computer that the Applications tier is associated with.
oid port: the port on which the Oracle Internet Directory server is listening.
oid admin dn: the administrative DN of the Oracle Internet Directory admin user (cn=orcladmin).
oid admin password: the password of the Oracle Internet Directory admin user.
http server SSL port: the SSL port that was configured during the install. This value is recorded in the $ORACLE_HOME/install/portlist.ini file as the Oracle HTTP Server SSL port value.
https: the URL scheme with which the Oracle Collaboration Suite service registry entries are to be updated.
hostname of the computer: the host name that the computer uses in its Oracle Collaboration Suite configuration. This may be the local host name or a load balancer virtual host name, as the case may be.
True | False: the boolean flag that determines how the tool communicates with Oracle Internet Directory:
True: communication with Oracle Internet Directory using SSL only.
False: normal (non-SSL) communication with Oracle Internet Directory.
Stop and start OC4J_OCSClient by using the following commands:
./opmnctl stopproc process-type=OC4J_OCSClient
./opmnctl startproc process-type=OC4J_OCSClient
Run the reRegisterSSO.sh script located in $ORACLE_HOME/wireless/bin to register Oracle Mobile Collaboration. The syntax is:
./reRegisterSSO.sh host_URL ORACLE_HOME Admin_dn
For example:
./reRegisterSSO.sh https://host:4443 $ORACLE_HOME cn=orcladmin
To update the Oracle Mobile Push Mail configuration to use SSL, run the mcsutil script located in $ORACLE_HOME/wireless/install:
mcsutil.<sh|bat> -U -H <oldhost> -P <oldport> -N <new host> -W <new port>
Note:
You need to verify the host and ports before the update is done.
You can provide SSL settings after Oracle Content Services has been installed and configured. To do this, perform the steps outlined in Setting Parameters in the Application Server Control for Collaboration Suite and Setting Additional SSL Information.
This section contains the following topics:
Use the Application Server Control for Collaboration Suite to set server configuration properties, as follows:
1. From the Collaboration Suite Home page, click the name of the Oracle Content Services domain. The Content Services Home page appears.
2. Click Domain Properties (under the Administration heading).
3. In the Properties section, select IFS.DOMAIN.APPLICATION.ApplicationUseHttps and click Edit.
4. Set Value to True and click OK.
5. Select IFS.DOMAIN.APPLICATION.ApplicationPort and click Edit.
6. Set Value to one of the following:
   - If you are using OracleAS Web Cache, enter the Web Cache SSL port.
   - If you are not using OracleAS Web Cache, enter the non-Web Cache SSL port.
7. Click OK on the Edit Property page.
8. Click OK on the Edit Server Configuration page.
9. Restart the Oracle Content Services domain.
In addition to setting Oracle Content Services server configuration parameters, you may need to set URLs in OracleAS Portal. Wherever the Oracle Content Services Portlet has been registered in OracleAS Portal, you should update the Oracle Content Services Portlet URLs.
If you did not provide Oracle Internet Directory SSL information during Oracle Content Services configuration but still want to connect to Oracle Internet Directory using SSL, then perform the following steps using the Application Server Control for Collaboration Suite:
1. From the Collaboration Suite Home page, click the name of the Oracle Content Services domain. The Content Services Home page appears.
2. Click Service Configurations (under the Configuration heading).
3. Click the name of the service configuration you are using (for example, SmallServiceConfiguration). The Edit page appears.
4. In the Properties section, click IFS.SERVICE.CREDENTIALMANAGER.Oid.OidSsl. You may need to move to the second or a subsequent page to see this property.
5. Set Value to true and click OK.
6. Select IFS.SERVICE.CREDENTIALMANAGER.Oid.OidUrl and click Edit.
7. Change the port number in the URL to the SSL-enabled Oracle Internet Directory port, typically 636 or 4031.
8. Click OK on the Edit Property page.
9. Click OK on the Edit Server Configuration page.
10. Restart the Oracle Content Services domain.
See Also:
Oracle Content Services Administrator's Guide for more information
You can set Oracle Real-Time Collaboration so that all conferences and messages use secure HTTPS connections. To do so, set the following properties for the Oracle Real-Time Collaboration system.
Perform the following steps on one of your Oracle Real-Time Collaboration core component instances. You need to perform these steps only once, because the -system true option applies the settings to all other instances.
1. On an Oracle Real-Time Collaboration core components instance, start the rtcctl configuration utility:
$ORACLE_HOME/imeeting/bin/rtcctl
2. Set the following property to indicate that the Oracle HTTP Server uses SSL connections:
rtcctl> setProperty -system true -pname ApacheProtocolSecure -pvalue true
Note:
The Oracle Real-Time Collaboration property for the HTTPS port is set at installation. If you change the HTTPS port after installation, then you must also change the ApacheWebSecurePort value to match the HTTPS port value. The syntax is:
rtcctl> setProperty -system true -pname ApacheWebSecurePort -pvalue port_value
3. Set the following property to enable SSL and force all instant messaging sessions and Web conferences to use SSL:
rtcctl> setProperty -system true -pname RTCSSLSupportEnabled -pvalue true
Note:
If you do not want to force SSL but only allow it as an option, set the SSLRequiredForMeetings and IMSSLRequiredForXMPP properties to True and use the -force false option. Refer to the Oracle Real-Time Collaboration Administrator's Guide for more details about these properties.
4. Exit rtcctl using the following command:
rtcctl> exit
The multiplexer used for Web conferences and the connection manager used for instant messaging on the Oracle Real-Time Collaboration core components system use the same wallet that the Oracle HTTP Server uses. You must set the WalletLocation property on each Oracle Real-Time Collaboration core components instance to identify where the wallet file is located.
1. On the first of your Oracle Real-Time Collaboration core components instances, enter:
$ORACLE_HOME/imeeting/bin/rtcctl
rtcctl> setProperty -pname WalletLocation -pvalue "$ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default"
rtcctl> exit
The default path to the wallet file is shown in the example.
2. Repeat Step 1 on each of your Oracle Real-Time Collaboration core component instances.
For more information about all the properties discussed here, see Chapter 3 in the Oracle Real-Time Collaboration Administrator's Guide. For more information about using the rtcctl utility, see Chapter 4 in the same manual.
SSL connections are used in two places: when Enterprise Manager connects to Oracle Internet Directory, and when the Oracle Voicemail & Fax Applications connect to Oracle Internet Directory.
See Also:
Oracle Internet Directory Administrator's Guide for more information on setting up Oracle Internet Directory for SSL connections
Enterprise Manager Connections
By default, when Enterprise Manager connects to Oracle Internet Directory, SSL is enabled for a target. Because SSL slows down the connection speed, you may want to disable SSL if you are behind a firewall and your network is secure.
To enable or disable SSL for Enterprise Manager connections to Oracle Internet Directory:
1. Log in to Enterprise Manager Grid Control, and navigate to the home page.
2. In the Target Search section, select Oracle Voicemail & Fax in the Search list and click Go.
3. Select the Voicemail & Fax target from the All Targets list and click Configure.
4. On the Configure Voicemail & Fax: name_of_Voicemail_&_Fax_target page, select Always require SSL for connections to enable SSL for all connections from Enterprise Manager to Oracle Internet Directory for this target. To disable SSL connections for this target, deselect Always require SSL for connections.
5. Click Finish.
Voicemail & Fax Application Connections
You can use an SSL connection when Voicemail & Fax Applications connect to Oracle Internet Directory. This is set in the %ORACLE_HOME%\config\ias.properties file with the SSLONLY setting. By default, this is set as follows: SSLONLY=false. Turn SSL on if your network is not very secure or if you want all of your data encrypted.
Note:
The SSLONLY setting affects how all applications configured under this Oracle home connect to the Oracle Collaboration Suite Database. Therefore, if other Oracle applications, in addition to Oracle Voicemail & Fax, are installed in this directory, they will be affected by changes to the SSLONLY setting.
Perform the following steps to access Enterprise Manager using SSL:
1. Shut down Application Server Control for Collaboration Suite by using the following command:
./emctl stop iasconsole
2. Run the following command:
./emctl secure em
3. Start Application Server Control for Collaboration Suite by using the following command:
./emctl start iasconsole
Enterprise Manager can now be accessed only by using HTTPS.
If Enterprise Manager is to be accessed again using HTTP, then perform the following steps:
1. Shut down Application Server Control for Collaboration Suite by using the following command:
./emctl stop iasconsole
2. Edit $ORACLE_HOME/sysman/config/emd.properties: in EMD_URL, change https to http.
3. Edit $ORACLE_HOME/sysman/j2ee/config/emd-web-site.xml: in the line starting with <web-site...>, change secure=true to secure=false.
4. Edit $ORACLE_HOME/sysman/emd/targets.xml: change the StandaloneconsoleURL property for the oracle_ias target from https to http.
5. Start Application Server Control for Collaboration Suite by using the following command:
./emctl start iasconsole
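The three file edits in the revert procedure above, carried out with sed and checked afterwards, as an added example that is not a script from the Oracle documentation or product. The host name ocshost.example, port 1156 and the file contents written by demo_revert_to_http are constructed samples that mirror only the lines this chapter tells you to edit; on a real host, pass the files under $ORACLE_HOME/sysman instead.

```shell
#!/bin/sh
# Added example, not Oracle's own tooling: apply the three file edits that switch
# Application Server Control from HTTPS back to HTTP, and verify each one took.
# Every edit keeps a .bak copy of the original file beside it.
set -u

# emd.properties: rewrite only the EMD_URL line, https -> http.
revert_emd_url() {
  sed -i.bak 's|^\(EMD_URL=\)https://|\1http://|' "$1" && grep -q '^EMD_URL=http://' "$1"
}

# emd-web-site.xml: flip secure="true" to secure="false" on the <web-site ...> line only.
revert_web_site() {
  sed -i.bak '/<web-site/s/secure="true"/secure="false"/' "$1" \
    && grep -q '<web-site[^>]*secure="false"' "$1"
}

# targets.xml: switch the StandaloneConsoleURL property (written StandaloneconsoleURL
# in this guide, so both spellings are matched) of the oracle_ias target to http.
revert_console_url() {
  sed -i.bak '/Standalone[Cc]onsoleURL/s|VALUE="https://|VALUE="http://|' "$1" \
    && grep -q 'Standalone[Cc]onsoleURL" VALUE="http://' "$1"
}

# Write constructed sample files into a scratch directory, apply all three edits,
# and succeed only if no https:// URL is left in any of them. Prints the directory
# so the edited files and their .bak originals can be inspected.
demo_revert_to_http() {
  d=$(mktemp -d) || return 1
  printf 'EMD_URL=https://ocshost.example:1156/emd/main\nagentTZRegion=UTC\n' \
    > "$d/emd.properties"
  printf '<web-site host="ocshost.example" port="1156" secure="true" display-name="EM">\n  <web-app application="em" name="em" root="/em"/>\n</web-site>\n' \
    > "$d/emd-web-site.xml"
  printf '<Targets>\n  <Target TYPE="oracle_ias" NAME="EnterpriseManager0.ocshost.example">\n    <Property NAME="StandaloneConsoleURL" VALUE="https://ocshost.example:1156/emd/console"/>\n  </Target>\n</Targets>\n' \
    > "$d/targets.xml"
  revert_emd_url "$d/emd.properties" \
    && revert_web_site "$d/emd-web-site.xml" \
    && revert_console_url "$d/targets.xml" \
    && ! grep -q 'https://' "$d/emd.properties" "$d/emd-web-site.xml" "$d/targets.xml" \
    && echo "$d"
}

demo_revert_to_http   # run the demonstration; prints the scratch directory on success
```

Run the functions between the emctl stop and emctl start steps; a non-zero exit from any of them means the file did not contain the expected line and should be inspected by hand before the console is restarted.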