14 Securing Oracle Identity Analytics


14.1 Overview

This chapter covers topics that have to do with securing Oracle Identity Analytics at the system level.

14.2 Understanding the Property Encryption Utility

Oracle Identity Analytics (OIA) includes a property encryption utility that encrypts sensitive property values that the system requires, such as the database password. When the utility encrypts a property, it saves the encrypted value under the property name with a .encrypted suffix appended. When OIA reads a property file and encounters a property name ending in .encrypted, it decrypts the value and assigns the clear-text value to the base property name (the name without the suffix) in memory only. The system then uses the clear-text value wherever it references the property internally.

14.2.1 To Run the Property Encryption Utility

  1. Open a command prompt

  2. At the command-line type the following command (all on one line):

    $ java -jar <servlet-container>/rbacx/WEB-INF/lib/vaau-commons-crypt.jar
    -encryptProperty -cipherKeyProperties <arg> -propertyFile <arg> -propertyName <arg>

    where:

    -encryptProperty

    The property encryptor command

    -cipherKeyProperties <arg>

    The filesystem path to the cipher key properties file

    -propertyFile <arg>

    The filesystem path to the property file containing the property to encrypt

    -propertyName <arg>

    The name of the property to encrypt


    Following is a sample usage of the Property Encryption Utility:

    $ java -jar <webapp-root>/WEB-INF/lib/vaau-commons-crypt.jar
    -encryptProperty -cipherKeyProperties ${RBACX_HOME}/conf/cipherKey.properties
    -propertyFile ${RBACX_HOME}/conf/jdbc.properties -propertyName jdbc.password

14.2.2 To Encrypt the Database Password

Use the steps in this section to change your database password and encrypt it in Oracle Identity Analytics.

Note:

You should change and encrypt your database password if you upgraded from a version of Oracle Identity Analytics that is older than version 11.1.1.5.0.

  1. Shut down all instances of Oracle Identity Analytics that use the JDBC database account for which you will be encrypting the password.

  2. Log on to the database and change your database password.

  3. On the OIA application server, open a text editor and set the jdbc.password property in the jdbc.properties file to the new clear-text database password.

  4. At a command-line, type the following to run the Property Encryption Utility (see Section 14.2, "Understanding the Property Encryption Utility" for more information about this command):

    • Windows:

      C:\> java -jar <webapp-root>\WEB-INF\lib\vaau-commons-crypt.jar
      -encryptProperty -cipherKeyProperties %RBACX_HOME%\conf\cipherKey.properties
      -propertyFile %RBACX_HOME%\conf\jdbc.properties -propertyName jdbc.password

    • UNIX:

      $ java -jar <webapp-root>/WEB-INF/lib/vaau-commons-crypt.jar
      -encryptProperty -cipherKeyProperties ${RBACX_HOME}/conf/cipherKey.properties
      -propertyFile ${RBACX_HOME}/conf/jdbc.properties -propertyName jdbc.password

    Type each command on one line.

    The clear-text jdbc.password entry is replaced by a jdbc.password.encrypted entry in jdbc.properties. Before starting the instance, confirm that the file no longer contains a clear-text jdbc.password line.

  5. Start the OIA instance and confirm it can access the OIA database.

  6. Repeat these steps for each additional instance that you shut down in step 1, or, if every OIA instance uses identical JDBC connection properties, copy the jdbc.properties file to all instances. The encrypted value can only be decrypted with the key in the cipherKey.properties file that was passed to the utility, so copy the file only between instances that share that key file.
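The following Python script is an added example, not OIA's own code, that models the .encrypted naming convention described in Section 14.2 and adds the post-encryption check that a run of the procedure above should pass on every instance. The cipher is a stand-in (an HMAC-SHA256 keystream), not the algorithm vaau-commons-crypt.jar uses, the key bytes stand in for whatever cipherKey.properties holds, and the jdbc.properties fragment and password are constructed for the example.

```python
"""Added example (not OIA's own code): models the '.encrypted' property-name
convention from 14.2 and adds the post-encryption check a 14.2.2 run should pass.
The cipher is a stand-in (HMAC-SHA256 keystream), NOT what vaau-commons-crypt.jar
uses, and DEMO_KEY stands in for whatever cipherKey.properties holds."""
import base64
import hashlib
import hmac
import os

ENCRYPTED_SUFFIX = ".encrypted"
NONCE_LEN = 12


def parse_properties(text):
    """key=value lines; splits on the FIRST '=' only, so values that themselves
    contain '=' (a jdbc.url TNS descriptor, for instance) survive intact."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stand-in cipher, see docstring)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_value(key, clear):
    nonce = os.urandom(NONCE_LEN)
    data = clear.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return base64.b64encode(nonce + ct).decode("ascii")


def decrypt_value(key, token):
    blob = base64.b64decode(token)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")


def encrypt_property_file(text, key, name):
    """What the utility does to the file: the 'name=clear' line is replaced by
    'name.encrypted=<token>'; every other line is left untouched."""
    out, found = [], False
    for raw in text.splitlines():
        is_comment = raw.lstrip().startswith(("#", "!"))
        if not is_comment and "=" in raw and raw.split("=", 1)[0].strip() == name:
            out.append(f"{name}{ENCRYPTED_SUFFIX}={encrypt_value(key, raw.split('=', 1)[1].strip())}")
            found = True
        else:
            out.append(raw)
    if not found:
        raise KeyError(f"property {name!r} not found")
    return "\n".join(out) + "\n"


def load_properties(text, key):
    """Runtime side of the convention from 14.2: each '<name>.encrypted' is
    decrypted and the clear text is assigned to '<name>' in memory only.
    Precedence when both forms are present is an assumption of this example:
    the encrypted entry wins, so a stale clear-text line cannot override it."""
    raw = parse_properties(text)
    resolved = {k: v for k, v in raw.items() if not k.endswith(ENCRYPTED_SUFFIX)}
    for k, v in raw.items():
        if k.endswith(ENCRYPTED_SUFFIX):
            resolved[k[:-len(ENCRYPTED_SUFFIX)]] = decrypt_value(key, v)
    return resolved


def cleartext_leftovers(text, names=("jdbc.password",)):
    """Post-check for 14.2.2 step 4: property names still present in clear text.
    Run it against jdbc.properties on every instance before starting OIA."""
    props = parse_properties(text)
    return [n for n in names if n in props]


# Constructed sample of a jdbc.properties fragment (not a real password).
SAMPLE_JDBC_PROPERTIES = (
    "# OIA database connection\n"
    "jdbc.username=rbacxservice\n"
    "jdbc.password=S3cret-example\n"
)
DEMO_KEY = b"stand-in for cipherKey.properties material"

if __name__ == "__main__":
    after = encrypt_property_file(SAMPLE_JDBC_PROPERTIES, DEMO_KEY, "jdbc.password")
    print(after)
    print("clear-text leftovers:", cleartext_leftovers(after))
    print("in-memory jdbc.password:", load_properties(after, DEMO_KEY)["jdbc.password"])
```

The useful part for an operator is cleartext_leftovers: point it at the real jdbc.properties after step 4 and it reports any clear-text password line the utility did not replace, which is the condition to check before step 5 on each instance.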

14.3 Enabling SSL Encryption Between Oracle Identity Analytics and the Database

You can encrypt communication between the Oracle Identity Analytics server and the database by enabling SSL.

14.3.1 To Configure OIA to use SSL with the Database

These steps describe how to enable SSL encryption between OIA and the database. Instructions for enabling client authentication and server authentication are not provided; the configuration in step 6 encrypts the connection but does not authenticate the database server to OIA.

  1. Shut down all instances of Oracle Identity Analytics.

  2. Open the RBACX_HOME/conf/jdbc.properties file for editing.

  3. Add the following line to the file. Replace the host, port, and service name values with the values that point to your database server:

    For Oracle Database:

    jdbc.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.15)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))
    

    For example:

    jdbc.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=psdb6011.us.example.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))
    
  4. Save your changes.

  5. Open the RBACX_HOME/conf/jdbcConnectionFactory.properties file for editing.

  6. Add the following line to the file and save your changes:

    For Oracle Database:

    oracle.net.ssl_cipher_suites=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)
    oracle.net.ssl_server_dn_match=false

    These are anonymous Diffie-Hellman suites: the session is encrypted, but the database server presents no certificate and is not authenticated, and oracle.net.ssl_server_dn_match=false additionally turns off the check of the server's distinguished name against the host in the URL. Current JDK releases also disable anonymous suites and the RC4, DES and 3DES ciphers by default through the jdk.tls.disabledAlgorithms security property, so on a newer JVM the connection can fail until those algorithms are re-enabled or replaced with authenticated suites.
  7. Start the OIA instance and confirm it can access the OIA database.

  8. Repeat these steps for each additional instance that you shut down in step 1, or, if every OIA instance uses identical JDBC connection properties, copy the jdbc.properties file and the jdbcConnectionFactory.properties file to all instances.

SSL encryption is now enabled for your JDBC connections.
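The following Python script is an added example, not an Oracle tool, that sanity-checks the two files edited in Section 14.3.1: it confirms that jdbc.url is a TCPS descriptor and reports cipher-suite and DN-matching settings that give encryption without server authentication. The property file contents are constructed from the page's own settings; the "authenticated" variant (an RSA/AES suite with DN matching on) is an assumption of the example and additionally needs the database server certificate to be trusted by the JVM, which this chapter does not cover.

```python
"""Added example (not an Oracle tool): a sanity check for the two files edited in
14.3.1. Confirms jdbc.url is a TCPS descriptor and reports cipher-suite and
DN-matching settings that give encryption without server authentication.
The property file contents below are constructed from the page's own settings."""
import re

# SSL_DH_anon_* / TLS_DH_anon_* suites: no server certificate, so no server authentication.
ANON_MARKER = "_anon_"
# Ciphers that current JDK releases list in jdk.tls.disabledAlgorithms by default.
LEGACY_MARKERS = ("_RC4_", "_DES_", "_3DES_")


def parse_properties(text):
    """key=value lines; splits on the FIRST '=' only so the '=' signs inside a
    TNS descriptor survive."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith(("#", "!")))
    return {k.strip(): v.strip() for k, v in pairs}


def parse_descriptor(url):
    """Leaf keywords (PROTOCOL, HOST, PORT, SERVICE_NAME, ...) of a thin-driver
    descriptor URL such as jdbc:oracle:thin:@(DESCRIPTION=...)."""
    m = re.fullmatch(r"jdbc:oracle:thin:@(\(.*\))", url.strip())
    if not m:
        raise ValueError("not a descriptor-style jdbc:oracle:thin URL")
    return {k.upper(): v.strip() for k, v in re.findall(r"\((\w+)=([^()]+)\)", m.group(1))}


def cipher_suites(factory_props):
    """Suite names from oracle.net.ssl_cipher_suites=(A, B,C)."""
    return re.findall(r"\w+", factory_props.get("oracle.net.ssl_cipher_suites", ""))


def check_ssl_config(jdbc_text, factory_text):
    """Findings about jdbc.properties and jdbcConnectionFactory.properties;
    an empty list means nothing to report. Each finding starts with a tag."""
    findings = []
    jdbc, factory = parse_properties(jdbc_text), parse_properties(factory_text)
    url = jdbc.get("jdbc.url")
    if not url:
        return ["url: jdbc.url missing from jdbc.properties"]
    desc = parse_descriptor(url)
    if desc.get("PROTOCOL", "").lower() != "tcps":
        findings.append(f"protocol: jdbc.url uses PROTOCOL={desc.get('PROTOCOL')}, expected tcps")
    if desc.get("PORT") == "1521":
        findings.append("port: 1521 is the conventional clear-text listener port; confirm the TCPS port")
    suites = cipher_suites(factory)
    anon = [s for s in suites if ANON_MARKER in s]
    if anon:
        findings.append("anon: encryption only, server not authenticated: " + ", ".join(anon))
    legacy = [s for s in suites if any(m in s for m in LEGACY_MARKERS)]
    if legacy:
        findings.append("legacy: disabled by default in current JDKs: " + ", ".join(legacy))
    if factory.get("oracle.net.ssl_server_dn_match", "").lower() == "false":
        findings.append("dn_match: oracle.net.ssl_server_dn_match=false, server DN is not checked")
    return findings


# Constructed file contents. PAGE_* mirror the settings given in 14.3.1.
PAGE_JDBC = (
    "jdbc.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.15)"
    "(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))\n"
)
PAGE_FACTORY = (
    "oracle.net.ssl_cipher_suites=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, "
    "SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA)\n"
    "oracle.net.ssl_server_dn_match=false\n"
)
# Assumed authenticated variant: needs the server certificate trusted by the JVM.
AUTH_FACTORY = (
    "oracle.net.ssl_cipher_suites=(TLS_RSA_WITH_AES_128_CBC_SHA)\n"
    "oracle.net.ssl_server_dn_match=true\n"
)
# A clear-text TCP URL of the kind the procedure replaces.
CLEARTEXT_JDBC = (
    "jdbc.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.15)"
    "(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))\n"
)

if __name__ == "__main__":
    for label, j, f in (("page", PAGE_JDBC, PAGE_FACTORY),
                        ("authenticated", PAGE_JDBC, AUTH_FACTORY),
                        ("clear-text url", CLEARTEXT_JDBC, AUTH_FACTORY)):
        print(label, "->", check_ssl_config(j, f) or "clean")
```

Run against the real RBACX_HOME/conf files, the check gives a quick per-instance answer to "is this instance actually talking TCPS, and is the server authenticated?" before each instance is started in step 7.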