Oracle® Fusion Middleware Installation Guide for Oracle Mobile Security Suite
Release 3.0.1

Part Number E51930-03

2 Installation Requirements

This chapter describes the requirements for installing Oracle Mobile Security Suite.

It contains the following sections:

2.1 Server Requirements

The minimum server requirements for installing any of the Oracle Mobile Security Suite servers are as follows:

2.2 Deployment Configurations

The Oracle Mobile Security Suite installer can be used to install the Mobile Security Access Server (formerly BMAX), Mobile Security Administrative Console (formerly ACP), Mobile Security File Manager (formerly m/Drive), and Mobile Security Notification Server (formerly BNS). Depending on the intended use, the components can be installed on the same or on different physical (or virtual) server machines. The following table summarizes five common deployment configurations.

Option (components on Machine 1 through Machine 4, in the order listed) and comments:

  • Option 1: Access Server, Administrative Console, File Manager, Notification Server, Database. Comments: Lab; Administrative Console not on IIS.

  • Option 2: Access Server, Administrative Console, File Manager, Notification Server, Database. Comments: Lab or Production.

  • Option 3: Access Server, Administrative Console, File Manager, Notification Server, Database. Comments: Lab or Production.

  • Option 4: Access Server, Administrative Console, Database, File Manager, Notification Server. Comments: Lab or Production.

  • Option 5: Access Server, Administrative Console, Notification Server, Database, File Manager. Comments: Lab or Production.


2.3 Installation Program Requirements

This section contains the following topics:

2.3.1 LDAP, Database, and Authentication Server Requirements

When connecting the Oracle Mobile Security Suite to external LDAP, database, and authentication servers, the following prerequisites apply:

  • If you are using Oracle Access Manager for authentication, you must have at least Oracle Access Manager (OAM) with Mobile and Social (OAMMS) version 11g R2 PS2 with Patch 18325631.

  • If you are using Microsoft Active Directory for authentication, you must have at least Windows 2008 domain controllers and a domain functional level of at least Windows 2003.

  • If you are using Oracle Unified Directory for LDAP user and group synchronization, you must have at least version 11g R2 PS2 with patch 18165497.

  • If you are using Microsoft Active Directory for LDAP user and group synchronization, you must have at least version Windows 2003.

  • If you are using Oracle Database as a repository then you must have at least version 11g R2.

  • If you are using Microsoft SQL Server as a repository then you must have at least version 2008.

    Note:

    Microsoft SQL Server support has been deprecated and might not be supported in future releases. It is not recommended for new installs.

  • If you are using Oracle Web Services Manager to protect web services with OAuth, you must have at least version 11gR1 PS6 with Patch 17278807.

2.3.2 Mobile Security Access Server Requirements

The following prerequisites are required to install the Mobile Security Access Server:

  • Internet Information Services must NOT be installed.

  • Ports 80 and 443 must be available for the Mobile Security Access Server application on the server.

  • Ports 80 and 443 must be open for incoming HTTP traffic on the firewall. These ports must be accessible from mobile devices.

  • Port 53 must be open between the Mobile Security Access Server and the Domain Name System (DNS) server(s).

  • Port 123 must be open between the Mobile Security Access Server and the Network Time Protocol (NTP) server.

  • Port 88 must be open between the Mobile Security Access Server and Active Directory for Kerberos authentication and negotiation.

  • Ports 80 and/or 443 must be open between the Mobile Security Access Server and Oracle Access Manager for OAM authentication and OAuth/OAM token management.

  • SharePoint and other web applications that will be accessed must be accessible from the Mobile Security Access Server, for example: port 80 for HTTP and port 443 for HTTPS.

  • Certificate for Mobile Security Access Server

    If you are using a Microsoft Certificate Authority, the Microsoft Enhanced RSA and AES Cryptographic Provider is required when certificates are stored in the Windows certificate store (CAPI). Microsoft web server templates can be modified to include the Microsoft Enhanced RSA and AES Cryptographic Provider.

    When using non-Microsoft Certificate Authorities, make sure that the Mobile Security Access Server certificate has the right to log in to Windows on the Mobile Security Access Server system. The size of the key should be no less than 1024 bits, and 2048 bits is recommended. If the certificate is stored using Windows CAPI (Windows certificate store) then refer to the Microsoft Enhanced RSA and AES Cryptographic Provider template for attributes to be configured for the non-Microsoft certificate request.

    Certificates / keys can be stored in CAPI with a non-exportable key. Otherwise certificates / keys can be stored in PEM format on the file system.

  • If you are installing the Mobile Security Access Server on Windows with CAPI, Windows credentials are required to access the Microsoft cryptographic store. The account (service account) will require:

    • Windows Active Directory account with rights to log in to the Mobile Security Access Server machine.

    • The right to start the Mobile Security Access Server Windows service.
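
The following PowerShell preflight check is an added example, not part of Oracle's documentation. It tests the Access Server prerequisites listed above on the planned host: IIS absent, ports 80 and 443 free, TCP reachability of DNS, Kerberos and OAM, and the key size and exportability of certificates in the Windows certificate store. The host names are placeholders, `Test-TcpPort` is a helper defined here, and Windows PowerShell 3.0 or later with RSA certificates is assumed.

```powershell
# Added example (not Oracle's code). Run locally on the planned Access Server host.
# Host names are placeholders: substitute your DNS server, domain controller and OAM host.
$Outbound = @(
    @{ Name = 'DNS';      Target = 'dns.example.internal'; Port = 53  },
    @{ Name = 'Kerberos'; Target = 'dc.example.internal';  Port = 88  },
    @{ Name = 'OAM';      Target = 'oam.example.internal'; Port = 443 }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$results = @()

# "IIS must NOT be installed": the W3SVC service exists only when the IIS web server role is present.
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = 'IIS not installed'; Pass = ($null -eq $iis) }

# Ports 80 and 443 must be free locally (this also catches any other web server on the host).
$listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
    ForEach-Object { $_.Port }
foreach ($p in 80, 443) {
    $results += [pscustomobject]@{ Check = "Local port $p free"; Pass = ($listening -notcontains $p) }
}

# Outbound TCP reachability only. NTP (port 123) is UDP and cannot be verified with a TCP connect.
foreach ($t in $Outbound) {
    $ok = Test-TcpPort -Target $t.Target -Port $t.Port
    $results += [pscustomobject]@{ Check = "$($t.Name) $($t.Target):$($t.Port) reachable"; Pass = $ok }
}

# Machine-store certificates: recommended 2048-bit key, and (CAPI keys only) provider and exportability.
foreach ($c in Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }) {
    $bits = $c.PublicKey.Key.KeySize
    $csp  = try { $c.PrivateKey.CspKeyContainerInfo } catch { $null }
    $results += [pscustomobject]@{ Check = "Cert $($c.Thumbprint): $bits-bit key (2048 recommended)"; Pass = ($bits -ge 2048) }
    if ($csp) {
        $results += [pscustomobject]@{ Check = "Cert $($c.Thumbprint): $($csp.ProviderName), non-exportable"; Pass = (-not $csp.Exportable) }
    }
}

$results | Format-Table -AutoSize
```

Run it from an elevated session so the private key properties in the machine store can be read; a failed reachability row can mean either a closed firewall port or a wrong placeholder host name.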

2.3.3 Mobile Security Administrative Console Requirements

The following prerequisites are required to install the Mobile Security Administrative Console server:

Note:

A logo in jpeg, png, or bmp format is optional.

  • If you are installing the Mobile Security Administrative Console using Oracle Database, you must use an account with the necessary permissions to read and write the selected schemas.

  • If you are installing the Mobile Security Administrative Console using Microsoft SQL Server using Windows authentication for a SQL account, the Windows SQL account must be created prior to running setup. The account (service account) will require the following:

    • Ports 389 and/or 636 must be open between the Mobile Security Administrative Console and Oracle Unified Directory for LDAP synchronization.

    • Ports 389, 636, 3268, and/or 3269 must be open between the Mobile Security Administrative Console and Active Directory for LDAP synchronization. For more information, refer to http://support.microsoft.com.

    • Windows Active Directory account with rights to log in to the Mobile Security Administrative Console machine.

    • The Windows account must be defined as a SQL account on the desired SQL instance.

    • The right to start the Mobile Security Administrative Console Windows service. The easiest way to accomplish this is by giving that account the same rights as Local System, or adding the account to the local Administrators group.

    • Port 1443 or the custom port defined for Microsoft SQL Server.

  • If you are installing the Mobile Security Administrative Console with Active Directory group synchronization, Windows credentials are required to authenticate to Active Directory. The credentials only require read access to Active Directory. If using Windows authentication for Microsoft SQL Server, then those credentials can be used as previously entered.

  • If you are installing the Mobile Security Administrative Console with Oracle Unified Directory group synchronization, LDAP credentials are required to authenticate to Oracle Unified Directory. The credentials only require read access to Oracle Unified Directory.

  • If you are installing Mobile Security Administrative Console on Internet Information Services:

    • Mobile Security Administrative Console must be installed on a different server from the Mobile Security Access Server Gateway server.

    • Internet Information Services must be installed and configured before the Mobile Security Administrative Console installation.

      • Internet Information Services 7.5 and above

      • Add the webserver role using Windows server manager with the following features:

        Application Development: CGI

        Security: Basic Authentication and Windows Authentication

        Management Tools: Internet Information Services Management Scripts and Tools, IIS 6 Metabase Compatibility, IIS 6 WMI Compatibility, IIS 6 Scripting Tools

      • SSL certificate must be assigned after installation.

  • Certificate for Mobile Security Administrative Console server. The Administrative Console server certificate can be your standard SSL server certificate.

2.3.4 Mobile Security File Manager Requirements

The following prerequisites are required to install the Mobile Security File Manager server:

  • The Oracle Mobile Security Suite is configured to use Windows Kerberos authentication.

  • Existing file shares with network permissions for users.

  • File servers can be either Windows or UNIX servers; there is no restriction if the servers allow Kerberos or NTLM authentication based on the Windows user account.

  • Ports 8080 and 8443 must be available for the Mobile Security File Manager application on the server.

  • Certificate for Mobile Security File Manager server if installed separately from Mobile Security Access Server and Mobile Security Administrative Console.

2.3.5 User Certificate Provisioning Requirements

The following prerequisites are required for user authentication certificate provisioning:

  • The Mobile Security Administrative Console must be installed on Windows.

  • Mobile Security Administrative Console must be installed with the Windows Active Directory Group Synchronization option selected.

  • Kerberos PKINIT must be selected as a primary authentication method. Time Limited Password must be selected as the backup authentication method.

  • Microsoft Certificate Authority

    • Configured to allow Subject Alternate Names (SAN) in certificate requests.

    • Configure a Certificate template for smart card login with the private key exportable (clone the smart card login template).

      • Update the template to make the private key exportable.

      • Update the template to allow the subject to be passed in the request.

    • The Active Directory account used to run the Mobile Security Administrative Console service must have the following permissions:

      • Read and Enroll on the certificate template used (assigned on the security properties of the certificate template)

      • Manage certificates at the Certificate Authority level to revoke certificates (assigned on the security properties of the CA)

2.3.6 Mobile Security Notification Server Requirements

The following prerequisites are required to install the Mobile Security Notification Server:

  • Ports 8080 and 8443 must be available for the Mobile Security Notification Server. The ports can be shared by Mobile Security File Manager and Notification Server when they are installed on the same server.

  • Certificate for Mobile Security Notification Server, if installed separately from Mobile Security Access Server, Administrative Console, and File Manager.

  • Exchange Server with EWS Service Enabled for Mobile Security Notification Server to communicate.

  • Service account in Exchange that has impersonation rights to access a group's or user's mailboxes.

  • Certificate from Apple to authenticate with Apple Push Notification Service (APNS). Refer to http://developer.apple.com to find out how to get the certificate.