This section provides step-by-step instructions for installing and enrolling SSMs and performing additional post-installation tasks.
The following topics are described:
SSMs require certain software components to operate properly.
For the system requirements of the machines on which SSMs are installed, see the release notes.
SSMs can be installed using a distributed or centralized deployment model:
Distributed — Install the SSM on the application machine, as described in Installation Steps.
Centralized — Install an SSM proxy; RMI or SOAP can be used for communication with the remote SSM. Instructions for setting up SSM proxies are in Configuring a Remote SSM and Proxy.
The SSM installer detects earlier versions and upgrades an existing SSM using its configuration information. To perform an upgrade, follow this procedure:
When the SSM installer runs, it detects the earlier version and reuses its configuration information.
Accept the default checkbox selection to use an SCM for distributing configuration data to the SSM, or clear the checkbox to run without an SCM.
For more information, see Running an SSM Without an SCM.
SCM Logical Name — (Applicable only if using an SCM) Enter a name to assign to the SCM. The same name must be used later, as described in Define an SCM in the Database.
SCM Port — (Applicable only if using an SCM) Accept the default or specify a different port on which the SCM receives data from the Administration Server. The port cannot be used by any other server.
Note: This section does not apply to the Web Server SSM, which uses a different enrollment tool, as described in Configuring the Web Server SSM.
Enrollment is the process by which an OES component on a remote machine registers with the Administration Server. As part of this process, the SSM system exchanges security certificates with the Administration Server.
All components located under a BEA_HOME directory use the same set of keys, located in BEA_HOME/ales32-shared/keys. Therefore, the enrollment process must be run once for any given BEA_HOME.
There are two enrollment modes, selected by the argument given to the enroll tool:
demo (enroll demo) — Uses BEA_HOME\ales32-shared\keys\DemoTrust.jks to verify the Administration Server's certificate from webserver.jks. When the client tries to enroll, the Administration Server presents its public certificate to the client for verification. This certificate is signed by the trusted ALES Demo CA and bound to the server's hostname. The client trusts the certificate because the DemoTrust.jks keystore holds the same public certificate of the same Demo CA that is in webserver.jks. The Demo CA is a development convenience rather than a CA of your own, and demo mode also runs the tool with hostname verification disabled (-Dwles.ssl.verifyHostnames=no in enroll.sh), so use secure mode for production enrollment.
secure (enroll secure) — Uses the cacerts certificates file from the JDK installation to verify the Administration Server's certificate from webserver.jks. cacerts is a system-wide keystore that contains CA certificates. For example, the file for the jrockit_150_11 JDK is BEA_HOME\jrockit_150_11\jre\lib\security\cacerts. The Administration Server's certificate must therefore chain to a CA whose certificate is present in cacerts, or that CA certificate must first be imported into it.
Some certificates issued by CAs do not strictly comply with Certicom's Internet X.509 Public Key Infrastructure standard. To use such certificates, disable constraints extension checking by adding -Dwles.ssl.enforceConstraints=false to the JAVA_OPTIONS settings in enroll.bat|sh and unenroll.bat|sh, located in the BEA_HOME/ales32-shared/bin directory. Disabling the check means the tool no longer verifies that every issuer in the chain is marked as a CA, so add it only when a specific certificate requires it. With the setting added, the relevant part of enroll.sh reads as follows (the demo branch trusts DemoTrust.jks and skips hostname verification; the secure branch trusts the JDK cacerts, from whichever of the two locations exists):
if [ "$1" = "demo" ]; then
  JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=no -Dwles.ssl.trustedCAKeyStore=$ALES_SHARED_HOME/keys/DemoTrust.jks -Dlog4j.configuration=file:./log4j.properties"
else
  if [ -f "$JAVA_HOME/lib/security/cacerts" ]; then
    JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/lib/security/cacerts -Dlog4j.configuration=file:./log4j.properties"
  else
    JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/jre/lib/security/cacerts -Dlog4j.configuration=file:./log4j.properties"
  fi
fi
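Added example, not one of the ALES utilities and not taken from the BEA documentation: a small Java program that reproduces, with standard JDK APIs, the trust decision the enroll tool makes in each mode, so that a failing enrollment can be diagnosed before the tool is run. It assumes BEA_HOME and JAVA_HOME are set as they are for set-env, that the Administration Server's certificate chain has been exported to a PEM file (for example with keytool from webserver.jks, under an alias of your choosing), and that the truststores can be read without a password (loading a JKS file with a null password skips only the integrity check). The class name EnrollTrustCheck and the file name server-chain.pem are invented for the example; the property names quoted in its comments are the ones from enroll.sh above.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.naming.ldap.*;

// Added example, not an ALES utility: reproduces with plain JDK APIs the trust decision enroll makes
// over TLS, so a failing enrollment can be diagnosed before the tool is run.
// Usage: java EnrollTrustCheck <demo|secure> <server-chain.pem> <admin-server-hostname>
// server-chain.pem holds the Administration Server certificate first, then any intermediates, e.g.
//   keytool -exportcert -rfc -keystore webserver.jks -alias <alias> -file server-chain.pem
public class EnrollTrustCheck {

    // Same keystore selection as enroll.sh: DemoTrust.jks in demo mode, otherwise the JDK cacerts,
    // probing the two locations the script checks.
    static KeyStore loadTrustStore(String mode) throws Exception {
        String path;
        if (mode.equals("demo")) {
            path = System.getenv("BEA_HOME") + "/ales32-shared/keys/DemoTrust.jks";
        } else {
            String javaHome = System.getenv("JAVA_HOME");
            path = new File(javaHome, "lib/security/cacerts").isFile()
                    ? javaHome + "/lib/security/cacerts" : javaHome + "/jre/lib/security/cacerts";
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, null); // null password: certificates are readable without the store secret
        }
        return ks;
    }

    static List<X509Certificate> readChain(String pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemFile)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) throw new IOException("no certificate found in " + pemFile);
        return chain;
    }

    // PKIX path validation with every certificate in the truststore as a trust anchor.
    static boolean chainTrusted(List<X509Certificate> chain, KeyStore trust) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // no CRL/OCSP reachability is assumed on an isolated install
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("chain rejected: " + e.getMessage());
            return false;
        }
    }

    // Issuer certificates with no basicConstraints extension: the case that
    // -Dwles.ssl.enforceConstraints=false exists to tolerate. Index 0 is the end-entity certificate.
    static List<String> issuersWithoutBasicConstraints(List<X509Certificate> chain) {
        List<String> names = new ArrayList<>();
        for (X509Certificate ca : chain.subList(1, chain.size())) {
            if (ca.getBasicConstraints() == -1) names.add(ca.getSubjectX500Principal().getName());
        }
        return names;
    }

    // Hostname binding: a dNSName SAN (type 2) equal to the host, else the subject CN, which is all
    // older certificates carried. Exact comparison only; wildcards are not handled.
    static boolean boundToHost(X509Certificate leaf, String host) throws Exception {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase((String) san.get(1))) return true;
            }
        }
        for (Rdn rdn : new LdapName(leaf.getSubjectX500Principal().getName()).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN") && host.equalsIgnoreCase(String.valueOf(rdn.getValue()))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3 || !(args[0].equals("demo") || args[0].equals("secure"))) {
            System.err.println("usage: java EnrollTrustCheck <demo|secure> <server-chain.pem> <hostname>");
            System.exit(2);
        }
        List<X509Certificate> chain = readChain(args[1]);
        boolean trusted = chainTrusted(chain, loadTrustStore(args[0]));
        boolean bound = boundToHost(chain.get(0), args[2]);
        System.out.println("trust anchor present in " + args[0] + " truststore: " + trusted);
        System.out.println("certificate bound to " + args[2] + ": " + bound);
        System.out.println("issuers lacking basicConstraints: " + issuersWithoutBasicConstraints(chain));
        // enroll.sh passes -Dwles.ssl.verifyHostnames=no in demo mode, so only secure mode is gated on the hostname
        System.exit(trusted && (args[0].equals("demo") || bound) ? 0 : 1);
    }
}
```

An exit status of 0 means the chosen mode would trust this server. The JDK's PKIX validator always enforces basicConstraints on intermediate certificates, so a chain that enroll accepts only with -Dwles.ssl.enforceConstraints=false shows up here as rejected; the printed list of issuers lacking the extension is what tells you that this is the reason rather than a missing trust anchor.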
To run the enroll tool, perform the following steps:
1. From the BEA_HOME/ales32-shared/bin directory, set the environment: set-env
2. Run the tool in the chosen mode: enroll demo or enroll secure
3. Respond to the prompts as follows:
Admin username and password — Enter the Administration Server admin username and password (admin and its password, respectively).
Private key password — Protects the identity of the components being enrolled.
identity.jceks password — Protects the identity.jceks keystore.
peer.jks password — Protects the peer.jks keystore.
trust.jks password — Protects the trust.jks keystore.
For more information on enroll utility options, see Administrative Utilities in the Administration Reference.
The following is a sample secure-mode session:
D:\bea\ales32-shared\bin>set-env
D:\bea\ales32-shared\bin>enroll secure
=========================================================================
Enrollment/Unenrollment Utility
=========================================================================
Enter admin username :> admin
Enter admin password :>
Enter SSM private key password :>
Confirm SSM private key password :>
Enter password for identity.jceks :>
Confirm password for identity.jceks :>
Enter password for peer.jks :>
Confirm password for peer.jks :>
Enter password for trust.jks :>
Confirm password for trust.jks :>
Submitting enrollment request
Processing enrollment response
Updating trusted CA keystore
Updating peer keystore
Use the Administration Console to define an SCM. When the ConfigTool sets up the initial security providers that the SSM will use to secure the application, this information is maintained under this SCM.
Note: For step-by-step instructions on creating an SCM, see "Configuring a Service Control Manager" in the Administration Console's help system.
If the SSM will run using an SCM, the name of the SCM must match the SCM Logical Name entered when the SSM was installed. For details, see Table 3-2, SSM Installation Prompts, on page 3-4.
You must define the SCM even if the SSM does not use it to obtain configuration data from the Administration Server. In that case, the SCM is the collection point for exporting configuration data to an XML file. For more information, see Running an SSM Without an SCM.
Before configuring the SSM, use the asipassword utility to set the Administration Server's admin user password on the SSM machine. This password is required for secure communications between the SSM and the Administration Server.
From the BEA_HOME\ales32-shared\bin directory, enter the following:
asipassword admin <BEA_HOME>\ales32-shared\keys\password.xml <BEA_HOME>\ales32-shared\keys\password.key
For example:
asipassword admin c:\bea\ales32-shared\keys\password.xml c:\bea\ales32-shared\keys\password.key
After installation, create and configure SSM instances as described in the following chapters: