Oracle® Database Lite Administration and Deployment Guide
10g (10.2.0)
Part No. B15921-01

12 Manage Security in Oracle Database Lite

The following sections detail how to manage security in Oracle Database Lite:


Note:

There is additional information about developing for security in the "Security" chapter in the Oracle Database Lite Developer's Guide.

12.1 Configuring SSL For Mobile Server

Oracle Database Lite 10g supports Secure Socket Layer (SSL) communication between the Mobile Server and Mobile Clients. Oracle Database Lite uses the SSL that is embedded within OC4J, which is shipped as part of Mobile Server.


Note:

If you choose to install standalone Mobile Server, the standalone OC4J is installed; however, the other option installs OracleAS as the middle-tier. OracleAS also includes OC4J, but the configuration for SSL is more involved. This chapter covers the basic SSL configuration for the standalone Mobile Server. See the Oracle Application Server Containers for J2EE Security Guide for more information on all aspects of configuring SSL.

This chapter assumes that you understand the concepts behind SSL and provides only the steps for using keys and certificates for SSL communication for the standalone Mobile Server.


Note:

These are server-level steps which are typically executed prior to deployment of an application that requires SSL communication.

12.1.1 Creating an SSL Certificate

Oracle Database Lite ships a sample keystore file with a self-signed sample certificate. The password for this sample keystore file is oracle. Use this keystore only for development or testing purposes. Obtain a signature from a recognized certificate authority for all production systems. The test keystore is located in the following directory:

ORACLE_HOME\Mobile\Server\Bin\samplekeystore

To create a keystore file, perform the following steps:

  1. Use the Sun Microsystems Java keytool utility to generate a private key, public key, and an unsigned certificate. Place this information into either a new or existing keystore.


    Note:

    A keystore is a java.security.KeyStore instance that you create and manipulate using the keytool utility, which is provided with the Sun Microsystems JDK. See http://java.sun.com/j2se/1.3/docs/tooldo for more information on the keytool utility.

  2. Obtain a signature for the certificate, using either of the following approaches:

    • Generate your own signature by using keytool to self-sign the certificate. This is appropriate only if your clients trust you as your own certificate authority.

    • Obtain a signature from a recognized certificate authority through the following steps:

    1. Using the certificate from Step 1, use keytool to generate a certificate request, which requests a certificate authority to sign the certificate.

    2. Submit the certificate request to a certificate authority.

    3. Receive the signature from the certificate authority and import it into the keystore using keytool. In the keystore, the signature is matched with the associated certificate.

Each certificate authority has its own process for requesting and receiving signatures. Since this is outside the scope and control of Oracle Database Lite, it is not covered in Oracle Database Lite documentation. However, the SSL section in the Oracle Application Server Containers for J2EE Security Guide has an example of how to generate your own keystore. For other information, go to the Web site of any certificate authority. Each browser lists trusted certificate authorities. Here are the Web addresses for VeriSign, Inc. and Thawte, for example:

http://www.verisign.com/
http://www.thawte.com/
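The keytool invocations behind steps 1 and 2 above, as an added example that is not part of the guide and not Oracle's code. The keystore file name, alias, distinguished name and validity period are placeholders. The store password is deliberately not passed as a command-line argument, so keytool prompts for it instead of leaving it in shell history and process listings. Note that the certificate keytool creates in step 1 is already self-signed, so the self-signed option of step 2 needs no further command; only the certificate-authority path needs the request and import commands.

```python
"""keytool command sequence for the keystore procedure in 12.1.1 (added example)."""
import shlex
import subprocess

KEYTOOL = "keytool"   # JDK utility; assumed to be on PATH


def genkey_cmd(keystore, alias, dname, validity_days=365):
    """Step 1: create the RSA key pair plus a self-signed certificate in the keystore.

    No -storepass/-keypass here: keytool prompts, so the password stays out of
    the process list and shell history.
    """
    return [KEYTOOL, "-genkey", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
            "-validity", str(validity_days), "-dname", dname, "-keystore", keystore]


def certreq_cmd(keystore, alias, csr_file):
    """Step 2, CA path, sub-step 1: write the certificate request to send to the CA."""
    return [KEYTOOL, "-certreq", "-alias", alias, "-file", csr_file, "-keystore", keystore]


def import_reply_cmd(keystore, alias, reply_file):
    """Step 2, CA path, sub-step 3: import the CA's signed reply under the same alias.

    -trustcacerts lets keytool complete the chain from the JDK's cacerts store
    when the reply does not carry the issuing CA certificate itself.
    """
    return [KEYTOOL, "-import", "-trustcacerts", "-alias", alias, "-file", reply_file,
            "-keystore", keystore]


def list_cmd(keystore):
    """Verification: show entries, certificate chain and validity dates."""
    return [KEYTOOL, "-list", "-v", "-keystore", keystore]


def keystore_workflow(keystore, alias, dname, self_signed=False):
    """Return the commands grouped by phase, in the order they must run.

    The CA path pauses between the "request" and "install" phases while the
    request is submitted and the signed reply received (step 2, sub-step 2),
    which happens outside keytool.
    """
    phases = {"create": [genkey_cmd(keystore, alias, dname)]}
    if not self_signed:
        phases["request"] = [certreq_cmd(keystore, alias, alias + ".csr")]
        phases["install"] = [import_reply_cmd(keystore, alias, alias + ".cer")]
    phases["verify"] = [list_cmd(keystore)]
    return phases


def render(phases):
    """Shell-quoted one-liners, e.g. for review before running a phase."""
    return {name: [shlex.join(argv) for argv in cmds] for name, cmds in phases.items()}


def run_phase(phases, name):
    """Execute one phase; keytool prompts for the keystore password on the terminal."""
    for argv in phases[name]:
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Placeholder values; replace with your server's keystore, alias and DN.
    plan = keystore_workflow("mobileserver.keystore", "mobileserver",
                             "CN=mobile.example.com, O=Example, C=US")
    for phase, lines in render(plan).items():
        print(phase)
        for line in lines:
            print("   ", line)
```

Run the "create" phase (and, on the CA path, "request") now; run "install" only after the signed reply from the certificate authority has been saved under the expected file name, then "verify" to confirm the chain the keystore will present to clients.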

12.1.2 Configuring Mobile Server for SSL

Once you have a certificate, you must configure SSL in the application server that is installed with the Mobile Server. When you installed, you chose to install the Mobile Server either in standalone mode or to use the application server. Both of these environments are discussed below:

12.1.2.1 Configuring SSL for Mobile Server With Oracle9iAS or OracleAS

For production systems, you have either Oracle9iAS or OracleAS installed with the Mobile Server. You must configure SSL on both the application server and the Mobile Server, as follows:

  1. Configure SSL in the application server using the administration GUI. The directions on how to configure SSL when using Oracle9iAS or OracleAS as your middle-tier are in the SSL or HTTPS chapter in the Oracle Application Server Containers for J2EE Security Guide.

  2. Configure SSL in the Mobile Server by adding SSL=YES in the [WEBTOGO] section of the ORACLE_HOME\Mobile\Server\bin\webtogo.ora file.

  3. After all configuration is complete, restart the application server to initialize the changes.

12.1.2.2 Configuring SSL for Standalone Mobile Server

With the standalone Mobile Server, the standalone version of the OC4J application server is installed with the Mobile Server. To configure SSL for this environment, you modify the Mobile Server webtogo.ora file and certain XML elements within the OC4J XML configuration files, as follows:

  1. Configure SSL in the Mobile Server by adding SSL=YES in the [WEBTOGO] section of the ORACLE_HOME\Mobile\Server\bin\webtogo.ora file.

  2. If you do not have a secure-web-site.xml file, then copy and rename the http-web-site.xml to ORACLE_HOME\j2ee\mobileserver\config\secure-web-site.xml.

  3. Edit the secure-web-site.xml file with the following elements:

    1. Add secure="true" to the <web-site> element, as follows:

      <web-site port="443" display-name="Oracle Application Server Containers for J2EE Web Site" secure="true">
      
      
    2. Add the following new line inside the <web-site> element to define the keystore and the password:

      <ssl-config keystore="YourKeystore" keystore-password="YourPassword" />
      
      

      where YourKeystore is the path and name of the keystore and YourPassword is the keystore password. The path for the keystore can either be a full path or a path that is relative to ORACLE_HOME\j2ee\mobileserver\config. In addition, you can hide the password through password indirection. This is discussed fully in the Oracle Application Server Containers for J2EE Security Guide. For example, with a keystore of "../../keystore" and password of "oracle", the configuration is as follows:

      <!-- Enable SSL --><ssl-config keystore="../../keystore" keystore-password="oracle"/>
      
      
    3. Change the <web-site> element port number to an available port. You must change the port because you copied this file from http-web-site.xml, which uses the port that is currently configured for non-SSL traffic. Choose a port that can be used for SSL communication; for example, the default SSL port is 443.

    4. Save the changes to secure-web-site.xml.

  4. Edit the server.xml file to point to the secure-web-site.xml file.

    1. Uncomment or add the following line in the file server.xml so that the secure-web-site.xml file is added to the OC4J initialization.

      <web-site path="./secure-web-site.xml" />
      
      
    2. Save the changes to the server.xml file.

  5. Stop and re-start OC4J to include the secure-web-site.xml file modifications.

  6. Test the SSL port by accessing the Mobile Server in a browser on the SSL port. For example, https://<yourserver>:443/webtogo.

    If you are using the test keystore file or your own self-signed certificate, you will be asked to accept the certificate, since the SSL certificate used is not signed by an accepted certificate authority. When completed, Mobile Server listens for SSL requests on the port configured in the secure-web-site.xml file and listens for non-SSL requests on the port configured in the http-web-site.xml file. You can disable either SSL requests or non-SSL requests by commenting out the appropriate *web-site.xml entry in the server.xml configuration file.

    <web-site path="./secure-web-site.xml" /> - comment out this to remove SSL
    <default-site path="./default-web-site.xml" /> - comment out this to remove non-SSL
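A consistency check for the files edited in steps 1 through 4 above, as an added example that is not part of the guide and not Oracle's code. It builds secure-web-site.xml from http-web-site.xml the way step 3 describes and then verifies the four files against each other, including the port clash that produces the "Mixing secure and non-secure sites on the same ip + port" error and the use of the shipped sample keystore or its password. The file contents embedded below are constructed samples that carry only the elements the guide names; real OC4J files contain more elements, and the functions can be pointed at those files' contents instead.

```python
"""Build and sanity-check the standalone Mobile Server SSL configuration (added example)."""
import configparser
import xml.etree.ElementTree as ET

SAMPLE_KEYSTORE_PASSWORD = "oracle"   # password of the shipped samplekeystore (from the guide)

# Constructed sample: webtogo.ora after step 1.
WEBTOGO_ORA = """[WEBTOGO]
PORT=80
SSL=YES
"""

# Constructed sample: the non-SSL site file that secure-web-site.xml is copied from (step 2).
HTTP_WEB_SITE_XML = """<?xml version="1.0"?>
<web-site port="80" display-name="Oracle Application Server Containers for J2EE Web Site">
  <web-app application="mobileserver" name="webtogo" root="/webtogo" />
</web-site>
"""

# Constructed samples: server.xml before and after step 4 (secure site line uncommented).
SERVER_XML_BEFORE = """<?xml version="1.0"?>
<application-server>
  <!-- <web-site path="./secure-web-site.xml" /> -->
  <default-site path="./default-web-site.xml" />
</application-server>
"""
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace("<!-- <web-site", "<web-site").replace("/> -->", "/>")


def make_secure_site(http_xml, port, keystore, keystore_password):
    """Step 3: set secure="true", move to a free SSL port and add <ssl-config>."""
    root = ET.fromstring(http_xml)
    root.set("secure", "true")
    root.set("port", str(port))
    root.insert(0, ET.Element("ssl-config",
                              {"keystore": keystore, "keystore-password": keystore_password}))
    return ET.tostring(root, encoding="unicode")


def check_ssl_setup(webtogo_ora, http_xml, secure_xml, server_xml):
    """Return a list of findings across the four files; an empty list means they agree."""
    findings = []

    ini = configparser.ConfigParser()
    ini.read_string(webtogo_ora)
    if ini.get("WEBTOGO", "SSL", fallback="").upper() != "YES":
        findings.append("webtogo.ora: SSL=YES is missing from [WEBTOGO]")

    http_site = ET.fromstring(http_xml)
    secure_site = ET.fromstring(secure_xml)
    if secure_site.get("secure") != "true":
        findings.append('secure-web-site.xml: <web-site> lacks secure="true"')
    if secure_site.get("port") == http_site.get("port"):
        findings.append("secure-web-site.xml: same port as http-web-site.xml; OC4J reports "
                        "'Mixing secure and non-secure sites on the same ip + port'")
    ssl = secure_site.find("ssl-config")
    if ssl is None:
        findings.append("secure-web-site.xml: <ssl-config> is missing")
    else:
        if "samplekeystore" in ssl.get("keystore", ""):
            findings.append("ssl-config: the shipped samplekeystore is for development only")
        if ssl.get("keystore-password") == SAMPLE_KEYSTORE_PASSWORD:
            findings.append("ssl-config: keystore-password is the sample keystore's password")

    # ElementTree drops XML comments, so a commented-out site line is simply not found.
    server = ET.fromstring(server_xml)
    paths = [site.get("path") for site in server.findall("web-site")]
    if "./secure-web-site.xml" not in paths:
        findings.append('server.xml: <web-site path="./secure-web-site.xml" /> absent or commented out')
    return findings


if __name__ == "__main__":
    secure = make_secure_site(HTTP_WEB_SITE_XML, 443, "../../keystore", "change-me-placeholder")
    print(secure)
    for finding in check_ssl_setup(WEBTOGO_ORA, HTTP_WEB_SITE_XML, secure, SERVER_XML_AFTER):
        print("FINDING:", finding)
```

Run the check after editing and before restarting OC4J (step 5): an empty result means the port, the secure flag, the keystore entry and the server.xml reference all line up, which removes the two causes listed in the troubleshooting section from consideration before you test the port in a browser.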
    

12.1.3 Troubleshooting Error Messages for an SSL-Enabled Mobile Server

The following errors may occur when using SSL certificates on your Mobile Server:

No available certificate corresponds to the SSL cipher suites which are enabled
Cause: Something is wrong with your certificate.
Action: Examine your certificates and check that at least one of them supports the SSL cipher suite you are using.
IllegalArgumentException: Mixing secure and non-secure sites on the same ip + port
Cause: You cannot configure SSL and non-SSL Web sites to listen on the same port and IP address.
Action: Check to see that different ports are assigned within secure-web-site.xml and http-web-site.xml files.

12.1.4 Client-Side Configuration for Secure Socket Layer (SSL)

As the end user, you can configure the Mobile Client for Web-to-Go to establish an SSL connection between the Mobile Client and the Mobile Server.

The following sections describe how to enable SSL for your Mobile client:

12.1.4.1 Communication between the Mobile Client and the Mobile Server

How you configure communication between the Mobile Client for Web-to-Go and the Mobile Server depends on whether you downloaded the Mobile Client from a Mobile Server that is running in SSL mode. The following sections describe both cases.

Mobile Client Download from a Mobile Server which is Running in SSL Mode

The Mobile Client for Web-to-Go which is downloaded from the following URL is automatically configured for SSL and does not require manual configuration on the part of the end user. This download enables the Mobile Client to communicate with the Mobile Server in SSL mode.

https://<mobile_server>:<port>/setup

Mobile Client Download from a Mobile Server which is not Running in SSL Mode

If you have downloaded the Mobile Client for Web-to-Go from a Mobile Server which is not running in SSL mode, you must modify the SERVER_URL parameter in the configuration file webtogo.ora as follows.

SERVER_URL=https://<mobile_server>:<port>/webtogo/setup


Note:

In the location bar, you must type https, not http, to specify SSL mode.

12.1.4.2 Connection between the Browser and the Mobile Client for Web-to-Go

If you try to connect to the Mobile Client for Web-to-Go over SSL, the connection fails, even when both of the following conditions hold:

  1. The Mobile Server is running in SSL mode, as a module of Oracle9iAS.

  2. The Mobile Client for Web-to-Go is also running in SSL mode.

To connect to the Mobile Client for Web-to-Go using a browser, you must specify HTTP and not HTTPS in the client URL, although the communication between the client and the server is through the HTTPS protocol.

For example, http://<client_machine>/webtogo

12.1.4.3 Support for Non-SSL Mobile Clients

A Mobile Server running in SSL mode can synchronize with any Mobile Client, whether that client runs in SSL or non-SSL mode. The Mobile Client for Web-to-Go, however, also runs in SSL mode to synchronize with a Mobile Server that is running in SSL mode.

Because SSL is not supported on many Mobile Clients, a Mobile Server which is running in SSL mode still supports Mobile Clients that are running in non-SSL mode.


Note:

Inside the Oracle Application Server, the Mobile Server runs on both SSL and non-SSL ports to support SSL and non-SSL clients. By default, the application server must be configured to run on both SSL and non-SSL ports.

12.2 Encrypting the Client Oracle Lite Database

Whether you are using a Mobile client or an embedded application, you can encrypt the database used on the client.

12.3 Security Warning for Demo Applications

If you have the demo applications installed in a production environment, they can be used to access areas of Oracle Database Lite that you may want to be secure. The demo applications are provided for you to use when learning how to develop your own application. Thus, when you are finished developing your product, remove the demo applications from the repository. For directions, see the Installation chapter in the Oracle Database Lite Getting Started Guide.