Oracle® Application Server Installing and Getting Started with Standard Edition One
10g Release 2 (10.1.2) for Linux x86 B16043-02
This chapter provides instructions for enabling Secure Sockets Layer (SSL) in Oracle Application Server Standard Edition One. It contains the following sections:
Section 13.1, "SSL Communication Paths in the Infrastructure"
Section 13.2, "Common SSL Configuration Tasks for the Infrastructure"
Section 13.4, "Common SSL Configuration Tasks for the Middle Tier"
When you install Identity Management, you are prompted to select a mode for Oracle Internet Directory. The default mode is the dual mode, which allows some components to access Oracle Internet Directory using non-SSL connections. If you chose SSL mode during installation, then all installed components must use SSL when connecting to the directory.
Note: Before you begin SSL configuration, determine the Oracle Internet Directory mode. Start the oidadmin tool and view the SSL mode in Oracle Directory Manager. Navigate to the Directory Server and select View Properties and then SSL Settings.
This section identifies all the SSL communication paths used in the OracleAS Infrastructure and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
Following are the communication paths through OracleAS Infrastructure and the related SSL configuration instructions:
Oracle HTTP Server to the OC4J_SECURITY instance
To configure Apache JServ Protocol (AJP) communication over SSL, you must configure how mod_oc4j communicates with the iaspt daemon. To do this, follow the instructions in the "Configuring mod_oc4j to Use SSL" section of Oracle HTTP Server Administrator's Guide.
Oracle HTTP Server to iaspt (Port Tunneling) and then to the OC4J_SECURITY instance
To configure this connection path for SSL, follow the instructions in the "Understanding Port Tunneling" section of Oracle HTTP Server Administrator's Guide.
OC4J_SECURITY instance to Oracle Internet Directory
To configure this connection path for SSL, follow the instructions in Oracle Application Server Single Sign-On Administrator's Guide. This guide explains how to configure SSL communication between:
The browser and the OracleAS Single Sign-On server in the "Enable SSL on the Single Sign-On Middle Tier" section
The OracleAS Single Sign-On server and the Oracle Internet Directory server in the "Configuring SSL Between the Single Sign-On Server and Oracle Internet Directory" section
Oracle Delegated Administration Services is SSL-enabled after you configure the Oracle HTTP Server for SSL. The Oracle Delegated Administration Services communication to Oracle Internet Directory is always SSL-enabled. You do not have to perform any configuration tasks to accomplish this.
OC4J_SECURITY instance to the Metadata Repository database and Oracle Internet Directory to the Metadata Repository database
If Oracle Internet Directory is configured to accept SSL connections on the specified SSL port, then you need to specify only the SSL protocol and SSL port in the JDBC URL requesting an application, as follows:
ldaps://host:sslport/...
Note: When you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap.
If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, then you must modify the configuration.
See Also: Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory"
Figure 13-1 Identity Management Components and SSL Connection Paths
This section provides references to the component guides in the Oracle Application Server documentation library that provide instructions for configuring SSL for individual components. It contains the following topics:
Section 13.2.2, "Configuring SSL for Oracle Internet Directory"
Section 13.2.3, "Configuring SSL in the Identity Management Database"
Follow the instructions in Oracle Application Server Single Sign-On Administrator's Guide to configure SSL communication between:
The browser and the OracleAS Single Sign-On server (section titled "Enable SSL on the Single Sign-On Middle Tier")
The OracleAS Single Sign-On server and the Oracle Internet Directory server (section titled "Configuring SSL Between the Single Sign-On Server and Oracle Internet Directory")
Oracle Delegated Administration Services is SSL-enabled after you configure the Oracle HTTP Server for SSL (as described in "Enable SSL on the Single Sign-On Middle Tier"). The Oracle Delegated Administration Services communication to Oracle Internet Directory is always SSL-enabled. You do not have to perform any configuration tasks to accomplish this.
Instructions for configuring SSL communication in Oracle Internet Directory are provided in the following guides:
Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory"
Oracle Internet Directory Administrator's Guide, section titled "Configuring SSL Parameters"
Oracle Internet Directory Administrator's Guide, section titled "Limitations of the Use of SSL in 10g (10.1.2)"
This section identifies all SSL communication paths used in the Oracle Application Server middle tier installation types and provides cross-references to the configuration instructions in the component guides in the Oracle Application Server documentation library.
Following is a list of communication paths through the Oracle Application Server middle tier and the related SSL configuration instructions:
External Clients or Load Balancer to Oracle HTTP Server
To configure Oracle HTTP Server for SSL, follow the instructions in Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
External Clients or Load Balancer to OracleAS Web Cache
To configure OracleAS Web Cache for SSL, follow the instructions in the Oracle Application Server Web Cache Administrator's Guide, section titled "Configuring OracleAS Web Cache for HTTPS Requests".
OracleAS Web Cache to Oracle HTTP Server
To configure OracleAS Web Cache for SSL, follow the instructions in the Oracle Application Server Web Cache Administrator's Guide, section titled "Configuring OracleAS Web Cache for HTTPS Requests".
Oracle HTTP Server to OC4J Applications (AJP)
To configure the AJP communication over SSL, you must configure how mod_oc4j communicates with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Configuring mod_oc4j to Use SSL."
Oracle HTTP Server to iaspt and then to OC4J
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
OC4J (the JAAS Provider) to Oracle Internet Directory
To configure the JAAS Provider, follow the instructions in Oracle Application Server Containers for J2EE Security Guide. To configure the JAAS provider for SSL, set SSL_ONLY_FLAG to true.
OC4J to the database (ASO)
If Oracle Internet Directory is configured to accept SSL connections on the specified SSL port, then you need only specify the SSL protocol and SSL port in the JDBC URL requesting an application, as follows:
ldaps://host:sslport/...
Note that when you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap.
If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, then you must modify the configuration. Refer to Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory."
ORMI (Oracle Remote Method Invocation, a custom wire protocol) over HTTP and HTTP over SSL
ORMI over SSL is not supported. To configure similar functionality, you can configure ORMI over HTTP, and then configure HTTP for SSL.
Refer to the Oracle Application Server Containers for J2EE Services Guide, section titled "Configuring ORMI Tunnelling Through HTTP" for instructions on how to configure ORMI over HTTP.
SSL into Standalone OC4J (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J", which explains how to use SSL to secure communication between clients and an OC4J instance.
OracleAS Portal Parallel Page Engine (the servlet in the OC4J_PORTAL instance) to OracleAS Web Cache (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J."
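The directory URL forms shown in this list and in the infrastructure section (ldap://host:port/... versus ldaps://host:sslport/...) can be audited before the JDBC configuration is changed. The following Python is an added example, not part of the Oracle guide: it parses the two URL forms, lists the communication paths still on the plain ldap scheme, and optionally confirms that the SSL port completes a TLS handshake. The host names, ports and path names in it are constructed placeholders, and probe_ssl_port assumes the system trust store holds the CA that issued the directory server's certificate.

```python
# Added example (not from the Oracle guide): audits the ldap://host:port/...
# and ldaps://host:sslport/... URLs an OracleAS deployment is configured with.
import socket
import ssl
from urllib.parse import urlsplit

SECURE_SCHEME = "ldaps"  # the "s" the guide says to add to the protocol name


def parse_directory_url(url):
    """Return (secure, host, port, path) for an ldap:// or ldaps:// URL.
    The SSL port differs from the non-SSL port and the guide always shows it
    explicitly, so a missing port is reported as a configuration error."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", SECURE_SCHEME):
        raise ValueError("not an LDAP URL: %r" % url)
    if parts.port is None:
        raise ValueError("port missing in %r" % url)
    return parts.scheme == SECURE_SCHEME, parts.hostname, parts.port, parts.path


def audit_paths(paths):
    """paths: {communication path name: configured URL}. Returns the names of
    paths still on the plain ldap scheme: they send bind credentials in clear
    text and stop working once Oracle Internet Directory runs in SSL mode
    instead of the default dual mode."""
    return [name for name, url in paths.items()
            if not parse_directory_url(url)[0]]


def probe_ssl_port(host, port, timeout=5.0):
    """Complete a TLS handshake with the SSL port and report what was negotiated.
    Uses the system trust store, so an untrusted server certificate surfaces as
    an error. Needs network access; the offline checks do not call it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "not_after": tls.getpeercert().get("notAfter")}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "error": str(exc)}


# Constructed sample configuration; host names and ports are placeholders.
SAMPLE_PATHS = {
    "OC4J_SECURITY to Oracle Internet Directory": "ldaps://oid.example.com:636/",
    "JAAS Provider to Oracle Internet Directory": "ldap://oid.example.com:389/",
}
```

Run audit_paths against the URLs actually configured on each tier; any path it reports is one that still needs the ldaps scheme and SSL port from the instructions above.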
This section identifies some commonly used SSL configurations in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
OracleAS Web Cache is part of all Oracle Application Server middle-tier installations. To configure OracleAS Web Cache for SSL, follow the instructions in chapter "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
Oracle HTTP Server is part of all Oracle Application Server middle-tier installations. To configure Oracle HTTP Server for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
OracleAS Portal uses several components for HTTP communication, such as the Parallel Page Engine, Oracle HTTP Server, and OracleAS Web Cache. Each of these components may function as a client or server. As a result, each component in the middle tier may be configured individually to use the HTTPS protocol instead of HTTP. These components interact with OracleAS Portal through the following distinct network hops:
Between the client browser and the entry point of the OracleAS Portal environment. The entry point can be OracleAS Web Cache or a network edge hardware device such as a reverse proxy or SSL accelerator
Between OracleAS Web Cache and the Oracle HTTP Server of the Oracle Application Server middle tier
Between the client browser and the Oracle HTTP Server of the OracleAS Single Sign-On or Oracle Internet Directory (or infrastructure) tier
A loop back connection between the Parallel Page Engine (PPE) on the middle tier and OracleAS Web Cache or the front-end reverse proxy
Between the Parallel Page Engine (PPE) and the Remote Web Provider that provides Portlet content
Between the OracleAS Portal infrastructure and the Oracle Internet Directory server
The following sections in the Oracle Application Server Portal Configuration Guide provide an overview of the most common SSL configurations for OracleAS Portal and instructions for implementing them:
SSL to OracleAS Single Sign-On: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure a secure connection to OracleAS Single Sign-On.
SSL to OracleAS Web Cache: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure a secure connection to OracleAS Web Cache.
SSL throughout OracleAS Portal: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure secure connections throughout OracleAS Portal.
External SSL with non-SSL within Oracle Application Server: Follow the instructions in Oracle Application Server Portal Configuration Guide to configure OracleAS Portal such that the site is externally accessible through SSL URLs, with Oracle Application Server running in the non-SSL mode.
Note: For general information about securing OracleAS Portal, refer to the Oracle Application Server Portal Configuration Guide (Chapter 6, Securing OracleAS Portal).