Skip Headers
Oracle® Enterprise Manager Application Configuration Console Installation Guide
Release 5.3.2

E14652-02
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

B Security Concerns

This appendix covers several aspects related to Application Configuration Console security.

B.1 Best Practices

In keeping with Oracle's mandate to protect customer data, Application Configuration Console observes the following best practices:

Application Configuration Console stores passwords for keystore and truststore in obfuscated format on the Server:

SERVER_INSTALL/appserver/tomcat/conf/server.xml

And on the Client:

CLIENT_INSTALL/client/runtime/plugins/com.mvalent.integrity_5.3.2/config/client_boot.xml

If you suspect that these files or the keystore have been compromised in any way, contact Oracle support for assistance in changing passwords.

B.2 Generating New Keystore and Truststore Files

To ensure a secure connection, the Core Server and the Client use the SSL protocol to exchange sensitive information contained in files known as a keystore and a truststore. A keystore contains private keys, and the certificates with their corresponding public keys. A truststore contains certificates from other parties that you expect to communicate with, or from Certificate Authorities that you trust to identify other parties. To learn more about the Java SSL protocol and keystores and truststores, visit the following URL:

http://java.sun.com/docs/books/tutorial/security/sigcert/index.htm

The Core Server generates a self-signed certificate during installation. The keystore files (keystore and truststore) are generated the first time the Client connects to the Server. If something happens to the Client's keystore files (modified or deleted, for example), they are regenerated on the next startup, when you are prompted to accept the certificate. If something happens to the Server's keystore files, however, or if tampering is suspected, then it becomes necessary to generate new keystore files to continue secure operations.

B.2.1 Before You Begin

Back up either or both original files if they exist (mvserver.ks and mvserver.ts), located in the following directory:

$OACC_INSTALL/com.mvalent.integrity_5.3.2/webserver/tomcat

You will use the keytool utility that comes with any JDK 1.6 installation to regenerate your keystore files. This utility displays passwords in cleartext so be sure to take the necessary security precautions. Also, you may want to record the values that you supply, such as passwords and paths, as you will need to provide them several times during the process. To learn more about keytool visit the following URL:

http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html

B.2.2 Generate a New Keystore

To generate a new keystore file, proceed as follows:

  1. Open a command shell prompt.

  2. Change directory to the JDK1.6_HOME/bin directory; to here, for example, if you elected to use the version embedded with the Core Server installation:

    $OACC_INSTALL/java/bin
    
  3. Execute the keystool command as follows:

    keytool -genkey -alias alias_value -keyalg RSA -keysize 1024 -storepass password -keypass password -keystore store_path -storetype jks -dname dname_values
    

    Where:

    • alias_value is the identifier of the original key created during keystore creation. This value can be any string.

    • password is a strong password for accessing the keystore file. Tomcat requires that you specify the same value to access the keystore and its private key.

    • store_path is the path of the keystore file that you are generating.

    • dbname_values are optional values that identify the owner of the credentials passed from the Server to any Client. For example: "CN=Application Configuration Console Server, OU=Enterprise Manager Grid Control, O=Oracle Corporation,L=Redwood City, S=California, C=US"

      Note:

      If you receive the following error: "keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect", it probably means that the value you specified for store_path already exists. Move or rename the file and rerun keytool. If this is not the case, contact support.
  4. Verify that the keystore file was created at the specified location. It should be about 2KB in size.

B.2.3 Generate a New Truststore

To generate a new truststore file, proceed as follows:

  1. Open a command shell prompt.

  2. Change directory to the JDK1.6_HOME/bin directory; to here, for example, if you elected to use the version embedded with the Core Server installation:

    $OACC_INSTALL/java/bin
    
  3. Execute the keystool command as follows:

    keytool -genkey -alias alias_value -keyalg RSA -keysize 1024 -storepass password -keypass password -keystore store_path -storetype jks -dname dname_values
    

    Where:

    • alias_value is the identifier of the original key created during truststore creation. This value can be any string.

    • password is a strong password for accessing the truststore file. Tomcat requires that you specify the same value to access the truststore and its private key.

    • store_path is the path of the truststore file that you are generating.

    • dbname_values are optional values that identify the owner of the credentials passed from the Server to any Client. For example: "CN=Application Configuration Console Server, OU=Enterprise Manager Grid Control, O=Oracle Corporation,L=Redwood City, S=California, C=US"

      Note:

      If you receive the following error: "keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect", it probably means that the value you specified for store_path already exists. Move or rename the file and rerun keytool. If this is not the case, contact support.
  4. Verify that the truststore file was created at the specified location. It should be about 2KB in size.

B.2.4 Update Tomcat server.xml

Update server.xml to include the values.

  1. Navigate to the following directory on the Core Server host and open server.xml in a text or XML editor:

    $OACC_INSTALL/appserver/tomcat/conf
    
  2. At the bottom of the file, locate the XML element <Connector port="9943" ... /> and edit the values of these four properties (keystoreFile, keystorePass, truststoreFile, truststorePass) with the values specified during keystore/truststore generation.

  3. Save your changes and restart the Core Server. You can restart from command line as follows: $OACC_INSTALL/appserver/tomcat/bin/startup.bat (for Windows) or startup.sh for (Linux/UNIX).

B.3 Disable Anonymous Read Write Access on the SVN Server

Some environments may require a layer of security between the Core Server and the SVN server. This section provides instructions for requiring authentication on the SVN server, and disabling anonymous read and write access.

First, you should encrypt an Application Configuration Console password, using the MVEncryption.bat file as follows:

  1. Navigate to the following directory:

    $OACC_INSTALL/appserver/tomcat/shared/scripts
    
  2. Run the following command:

    MVEncryption.bat mvpassword
    

    Command output resembles the following:

    Encrypting [mvpassword]
    
    Encrypted characters: [67|115|98|97|83|81|100|53|82|90|67|122|73|109|99|111|70]
    Encrypted string....: [CsbaSQd5RZCzImcoF45kmg=]
    
  3. Make a copy of the Encrypted string value between the brackets (shown in bold in the example). This is your encrypted password.

Now do the following:

  1. Make the following changes to the svnserve.conf file in $OACC_INSTALL/svn/db/conf:

    1. Uncomment the following line:

      password-db=mvuserfile
      
    2. Change the access in the general section to the following values:

      [general]
      anon-access = none
      auth-access = write
      
  2. In $OACC_INSTALL/svn/db/conf, create an ASCII file named mvuserfile with the following contents:

    [USERS]
    mvadmin=unencryptedpassword
    
  3. Set permissionss on mvuserfile such that the Application Configuration Console-specific operating system user (OACCUSER) has at least read access.

  4. Add username and password property values to the following module in server_modules_registry.xml:

    <module name="com.mvalent.service.system.repository.version.impl.
    subversion.SvnSessionContext">
    
    <property name="username" value="mvadmin"/>
    <property name="password" value="encryptedpassword"/>\
    
  5. Make this change to the versions of server_modules_registry.xml in the following locations:

    $OACC_INSTALL/appserver/tomcat/shared/classes/ 
    $OACC_INSTALL/appserver/tomcat/webapps/mvtrack/WEB-INF/classes
    $OACC_INSTALL/appserver/tomcat/webapps/mvwebreports/WEB-INF/classes
    

    Anonymous read and write access is now disabled on the SVN server.

B.4 Optionally Use a Customer-Supplied SSL Certificate

The Core Tomcat server uses an SSL certificate to ensure secure communication with the Application Configuration Console Clients. If desired, you can use your own certificate instead of the one supplied by Oracle. The certificate can be JKS or PKCS #12 format, and you must have the associated private key. With PKCS #12, for example, do the following:

  1. Stop the Core Server and Clients if they are running.

  2. Use OpenSSL to produce a keystore file from your certificate file:

    > openssl pkcs12 -export -in mycertificate.cer -inkey mycertificate.key -out mvserver.ks -name tomcat
    
  3. Copy the mvserver.ks file for use by the Clients:

    > cp mvserver.ks mvclient.ts
    
  4. On the Core Server system, rename the existing mvserver.ks file:

    > cd $OACC_INSTALL/com.mvalent.integrity_5.3.2/webserver/tomcat
    > rename mvserver.ks mvclient.ks.orig
    
  5. Copy the new mvserver.ks file that you created in Step 2 to the following directory:

    $OACC_INSTALL/com.mvalent.integrity_5.3.2/webserver/tomcat
    
  6. Open the $OACC_INSTALL/appserver/tomcat/conf/server.xml file in a text editor.

  7. Move to the end of the file and look for the <Connector> element that starts with port="9943".

  8. Change the keystorePass attribute in the Connector element to the password required by your certificate.

  9. Save and close the server.xml file.

  10. On each Client machine, copy the mvclient.ts file that you created in Step 3 to the following directory:

    $OACC_INSTALL\runtime\plugins\com.mvalent.integrity_5.3.2\config.
    
  11. On each Client, navigate to the following directory and open client_boot.xml in a text editor:

    $OACC_INSTALL\runtime\plugins\com.mvalent.integrity_5.3.2\config
    
  12. Change the value of the trustStorePassword to the password required by your certificate.

  13. Save and close the client_boot.xml file.

  14. Restart the Core Server and Clients.