Installing SSMs

This sections provides step-by-step instructions for installing and enrolling SSMs and performing additional post-installation tasks.

Installation Requirements

System Requirements

For system requirements on machines where which SSMs are installed, see the release notes.

Other Requirements

Installation Topologies

Distributed — SSMs are installed on the same machine as the secured application. The SSM obtains configuration information and policy updates directly from the Administration Server. This is the prevasive method of deploying SSMs.

For this model, install the SSM on the application machine as described in Installation Steps.

Centralized — An SSM proxy on the application client communicates with a centralized SSM on a separate machine. The proxy emulates an SSM security services on the application client and provides authorization caching, logging, and failover support.

When using an SSM proxy, RMI or SOAP can be used for communication with the remote SSM. Instructions for setting up SSM proxies are located in Configuring a Remote SSM and Proxy.

SSM Upgrades

The SSM installer detects earlier versions and upgrades an existing SSMs using its configuration information. To perform an upgrade, follow this procedure:

Upgrade the Administration Server before upgrading any SSMs. SSMs can continue to run while the Administration Server is being upgraded.
Make sure you have read and delete permission for the SSMs files. You must be logged in as a member of the group used when the earlier version was installed.
If using an SCM on the SSM machine, shut it down.
Run the installation program, as described in Installation Steps.

When the SSM installer runs, it detects the earlier versions and uses its configuration information.

Respond to the prompts as required.

Installation Steps

Shut down any running programs.
Unzip the installation ZIP file.

The file name is OES10gR3_ssm_win32.zip (Windows), OES10gR3_ssm_solaris32.zip (UNIX), or OES10gR3_ssm_linux.zip (Linux).

Launch the installation program as described in Table 3-1.

Table 3-1 SSM Installation Programs
Windows	Launch `OES10gR3_ssm_win.exe` Note: To generate a verbose installation log, add the following to the launch command: `-log=<logfile> -log_priority=debug` Example: `OES10gR3_ssm_win32.exe -log=D:\logs\oes_install.log -log_priority=debug`
Solaris	Change the protection on the install file by entering: `chmod u+x OES10gR3_ssm_solaris32.bin`. Enter: `OES10gR3_ssm_solaris32.bin` Note: To generate a verbose installation log, add the following to the launch command: `-log=<logfile> -log_priority=debug` Example: `oes320ssm_solaris32.bin -log=/opt/logs/oes_install.log -log_priority=debug`
Linux	Change the protection on the install file by entering chmod u+x `OES10gR3_ssm_rhas_IA32.bin`. Enter: `OES10gR3_ssm_rhas_IA32.bin` Note: To generate a verbose installation log, use same command string as described above for Solaris.

Complete the prompts using Table 3-2.

Table 3-2 SSM Installation Prompts
Window	Action
Welcome	Click Next.
Choose Home Directory	Accept the default location (recommended) or select a different one and click Next.
Choose Products and Components	Select the SSMs to install and click Next. Only installable components are listed. For example, if installing on WebLogic Server 9.2/10.0, the SSM for WebLogic 8.1 is not listed.
Choose Product Installation Directories	Accept the default or specify a different directory and click Next. If the directory you specify does not exist, the installation program will create it. If you have installed other SSMs, you will see Installation Complete. Otherwise, continue.
Centralized Configuration of Security Providers	Accept the default checkbox selection to use an SCM for distributing configuration data to the SSM or clear the checkbox to not use an SCM. For more information about this, see Running an SSM Without an SCM for more information. Note: This window does not appear when installing only the WLS SSM.
Choose Network Interface	Select the IP address the SCM will use to listen for requests to provision configuration data and click Next.
Configure SCM	SCM Logical Name — (Applicable only if using an SCM) Enter a name to assign the SCM. This name must be used later as described in Define an SCM in the Database. SCM Port — (Applicable only if using an SCM) Accept the default or specify a different port used by the SCM to receive data from the Administration Server. The port cannot be used by any other server. Primary Server URL — Enter the Administration Server address in the format: `https://servername:7010`. Backup Server URL — Leave blank unless you have a second Administration Server installed, in which case enter its address using the same URL format.
Choose JDK	Accept the default selection or specify a different JDK and click Next.

On the Installation Complete window, click Close.

Enrollment

Enrollment is the process by which an OES component on a remote machine registers with the Administration Server. As part of this process, the SSM system exchanges security certificates with the Administration Server.

All components located under a BEA_HOME directory use the same set of keys located in BEA_HOME/ales32-shared/keys. Therefore, the enrollment process must be run once for any given BEA_HOME.

In demo mode, enrollment clients use BEA_HOME\ales32-shared\keys\DemoTrust.jks to verify the Administration Server's certificate from webserver.jks.

When the client tries to enroll, the Administration Server presents its public certificate for verification to the client. This public certificate is signed by a trusted ALES Demo CA and bound to the server's hostname.

The client will trust the certificate, because the DemoTrust.jks keystore has the same public certificate of the same trusted Demo CA that is in webserver.jks.

In secure mode, the enrollment client uses the cacerts certificates file from the JDK installation to verify the Administration Server's certificate from webserver.jks.

cacerts is a system-wide keystore that conatins CA certificates. For example, the file for the jrockit_150_11 JDK is in BEA_HOME\jrockit_150_11\jre\lib\security\cacerts

Certificates

Some certificates issued by CA authorities do not strictly comply with Certicom’s Internet X.509 Public Key Infrastructure standard. To use these certificates, you must disable constraints extension checking by adding the following lines to enroll.bat|sh and unenroll.bat|sh located in the BEA_HOME/ales32-shared/bin directory.

if [ -f $JAVA_HOME/lib/security/cacerts ]; then

    JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/lib/security/cacerts  -Dlog4j.configuration=file:./log4j.properties"

         else

    JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false  -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/jre/lib/security/cacerts  -Dlog4j.configuration=file:./log4j.properties"

         fileif [ "$1" = "demo" ]; then

    JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false  -Dwles.ssl.verifyHostnames=no  -Dwles.ssl.trustedCAKeyStore=$ALES_SHARED_HOME/keys/DemoTrust.jks -Dlog4j.configuration=file:./log4j.properties"

else

Enrollment Steps

Make sure the Administration Server is running and configured for 1-way SSL. For further details, see Securing OES Production Environments.
If the SSM is using an SCM, make sure the SCM is running.
In the BEA_HOME/ales32-shared/bin directory, set the environment:

set-env

Run the following script:

enroll demo

When the Enrollment prompt appears, enter the Administration Server administrator username and password. (The defaults are admin and password respectively).
Enter and confirm the following passwords. You choose the passwords; they do not need to match the key passwords used when the Administration Server was installed.

Private key password — Protects the identity of the components being enrolled.
identity.jceks password — Protects the identity.jceks keystore.
peer.jks password — Protects the peer.jks keystore.
trust.jks password — Protects the trust.jks keystore.

For more information on enroll utility options, see Administrative Utilities in the Administration Reference.

Example of Running Enroll

D:\bea\ales32-shared\bin>set-env
D:\bea\ales32-shared\bin>enroll secure
=========================================================================
Enrollment/Unenrollment Utility
=========================================================================
Enter admin username :> admin
Enter admin password :>
Enter SSM private key password :>
Confirm SSM private key password :>
Enter password for identity.jceks :>
Confirm password for identity.jceks :>
Enter password for peer.jks :>
Confirm password for peer.jks :>
Enter password for trust.jks :>
Confirm password for trust.jks :>

Define an SCM in the Database

Use the Administration Console to define an SCM. When the ConfigTool sets up the initial security providers that will be used by the SSM to secure the application, this information will be maintained under this SCM.

You must define the SCM even if the SSM does not use it to obtain configuration data from the Administration Server. When this is the case, SCM will be the collection point for exporting configuration data to an XML file. For more information, see Running an SSM Without an SCM.

Run asipassword

Before configuring the SSM, use the asipassword utility to set the Administration Server's admin user password on the SSM machine. This password is required for secure communications between the SSM and the Administration Server.

Change to the BEA_HOME\ales32-shared\bin directory and enter the following:

asipassword admin <BEA_HOME>\ales32-shared\keys\password.xml <BEA_HOME>\ales32-shared\keys\password.key

Example:

asipassword admin c:\bea\ales32-shared\keys\password.xml c:\bea\ales32-shared\keys\password.key

When prompted for the ’alias’ password, enter the Administration Server user’s password. (The default password is password.)

What’s Next?

After installation, create and configure SSM instances as described in the following chapters:

SSM Installation and Configuration Guide