Oracle9i Lite Administration and Deployment Guide
Release 5.0.2 for UNIX Systems
Part No. B10203-01
This document describes the Mobile Server support for the Secure Sockets Layer (SSL) communication protocol, a security protocol that provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. Secure communication can be established between the Mobile Server and the Mobile Client using HTTPS.
To run the Mobile Server in SSL mode, you must run the Mobile Server as a module in the Oracle9i Application Server (Oracle9iAS). For information on how to run the Mobile Server as a module in Oracle9iAS, see Oracle9i Lite Installation and Configuration Guide for UNIX or Oracle9i Lite Installation and Configuration Guide for Windows NT/2000/XP.
To enable the Mobile Server for SSL, follow these main steps:
1. Configure the Mobile Server for SSL.
2. Run the Mobile Server in SSL mode.
3. Upload the CA certificate.
Only the Mobile Server running as an Oracle9iAS module supports SSL. You can connect from the browser to the Mobile Server running in SSL Mode with Oracle9iAS.
To run the Mobile Server in SSL mode, you must configure your system as described in the following sections.
The Mobile Server running in standalone mode does not support SSL. If you try to set SSL=YES in webtogo.ora, the Mobile Server will not work.
In a standalone running mode, if you try to connect from the browser to the Mobile Server in the SSL mode, you will not be able to connect to the Mobile Server.
Oracle9iAS comes with pre-configured SSL support. After installing Oracle9iAS, make sure that the httpd.conf file has the following entries:
Note: The following entries are the default configurations of Oracle9iAS. You only need to verify them. For more information, see the Oracle9i Application Server Installation Guide.
    ##
    ## SSL Support
    ##
    ## When we also provide SSL we have to listen to the
    ## standard HTTP port (see above) and to the HTTPS port
    ##
    Listen 80
    Listen 443

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    # SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A test
    # certificate can be generated with `make certificate' under
    # built time. Keep in mind that if you've both a RSA and a DSA
    # certificate you can configure both in parallel (to also allow
    # the use of DSA ciphers, etc.)
    SSLCertificateFile \conf\ssl.crt\server.crt
    # For UNIX, use the following format:
    # SSLCertificateFile /conf/ssl.crt/server.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile conf\ssl.key\server.key
    # For UNIX, use the following format:
    # SSLCertificateKeyFile conf/ssl.key/server.key
Note: Oracle9iAS comes with a self-signed test server certificate "server.crt" and its private key "server.key". This certificate is only a test certificate. You must obtain your own server certificate signed by a trusted authority. After replacing the "server.crt" with a certificate signed by a trusted authority, go to the Mobile Server Control Center and upload this certificate to the Mobile Server Repository.
To run the Mobile Server in SSL mode, add the SSL configuration parameter in the WEBTOGO section of the webtogo.ora configuration file and set the SSL parameter's value as follows:
    [WEBTOGO]
    # ssl mode
    SSL=YES
After the Mobile Server is configured for SSL, and it is running in SSL mode, you should upload the SSL CA certificate to the Mobile Server Repository. To set up the CA certificate from the Mobile Server Control Center, upload the Server certificate used for SSL communication in Oracle9iAS to the Mobile Server Repository.
To upload the CA certificate, go to the Mobile Server Control Center -> Server -> Server Certificate and upload the CA certificate.
To get more information about the type of SSL Cipher Suites that are supported, refer to the documentation regarding "Oracle Implementation of Java SSL" in Oracle Advanced Security Administrator's Guide.
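The server-side settings from the steps above can be checked mechanically. The following Python sketch is an added example, not Oracle code: it audits a constructed httpd.conf and webtogo.ora for the entries this chapter requires and reports weak cipher classes (LOW, EXP, SSLv2, eNULL) that the SSLCipherSuite string does not exclude. The function names, the sample file contents (with the cipher string active) and the assumption that webtogo.ora parses as an INI file are this example's own.

```python
import configparser
# Constructed sample files for this example; not taken from a real server.
HTTPD_CONF = """\
Listen 80
Listen 443
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
"""
WEBTOGO_ORA = "[WEBTOGO]\n# ssl mode\nSSL=YES\n"
WEAK = ("LOW", "EXP", "SSLv2", "eNULL")  # OpenSSL cipher-string class names

def directives(conf):
    """Map each active (uncommented) directive name to its list of values."""
    found = {}
    for line in conf.splitlines():
        name, _, value = line.strip().partition(" ")
        if name and not name.startswith("#"):
            found.setdefault(name.lower(), []).append(value.strip())
    return found

def ora_value(text, section, key):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)  # assumption: webtogo.ora is INI-style
    return cp.get(section, key, fallback=None)

def weak_classes(cipher_string):
    """Weak classes the string names (or covers via ALL) without a '!' exclusion."""
    tokens = cipher_string.split(":")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    named = {p for t in tokens if t[:1] not in "!-" for p in t.lstrip("+").split("+")}
    # Conservative: ALL is treated as covering every weak class.
    return [w for w in WEAK if w not in excluded and (w in named or "ALL" in named)]

def audit(httpd_conf, webtogo_ora, https_port="443"):
    d, findings = directives(httpd_conf), []
    if not any(v.rsplit(":", 1)[-1] == https_port for v in d.get("listen", [])):
        findings.append(f"no Listen {https_port}")
    if [v.lower() for v in d.get("sslengine", [])] != ["on"]:
        findings.append("SSLEngine is not on")
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if name.lower() not in d:
            findings.append(f"{name} is not set")
    if (ora_value(webtogo_ora, "WEBTOGO", "SSL") or "").upper() != "YES":
        findings.append("SSL=YES is not set in [WEBTOGO]")
    for suite in d.get("sslciphersuite", []):
        findings += [f"SSLCipherSuite does not exclude {w}" for w in weak_classes(suite)]
    return findings
```

An empty list from `audit` means the required entries are present and no weak class is left unexcluded; pass `https_port` when the Mobile Server listens on a port other than 443.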
You can configure the Mobile Client for Web-to-Go to establish SSL connection between the Mobile Client and the Mobile Server. Oracle9i Lite does not, however, support SSL connection between the browser and the Mobile Client for Web-to-Go.
There are two different situations regarding the configuration of the communication for SSL between the Mobile Client for Web-to-Go and the Mobile Server, depending on whether or not you download the Mobile Client for Web-to-Go from the Mobile Server running in SSL.
If you download the Mobile Client for Web-to-Go from the URL https://<mobile_server_name>/setup, then the Mobile Client for Web-to-Go is automatically configured for SSL, and no manual configuration is required. The Mobile Client can communicate with the Mobile Server over SSL.
Note that you must type https, not http.
If you do not download the Mobile Client for Web-to-Go from the Mobile Server running in SSL mode, then you must modify the SERVER_URL parameter in the configuration file webtogo.ora on the client side as follows:
Note that you must type https, not http.
Note: The default port number for the Mobile Server is 443. If your Mobile Server is running on port number 443, you do not have to specify the Mobile Server port number in the URL. If your Mobile Server is running on a port number other than 443, you must specify the Mobile Server port number in the URL as follows:
If you try to connect from the browser to the Mobile Client for Web-to-Go in SSL Mode, you will not be able to connect to the Mobile Client even if both of the following two conditions exist:
The Mobile Server is running in SSL as a module of Oracle9iAS.
The Mobile Client for Web-to-Go is also running in SSL mode.
Although, in this case, the communication between the client and the server is over HTTPS (that is, SSL), you still need to specify HTTP and not HTTPS in the client URL to connect to the Mobile Client for Web-to-Go from the browser.
If the Mobile Server is running in SSL mode, it can synchronize with any Mobile Client running in SSL or non-SSL mode. But, in the case of the Mobile Client for Web-to-Go, the client should also run in SSL mode to synchronize with the Mobile Server running in SSL mode.
The Mobile Server running in SSL mode can still support Mobile Clients running in non-SSL mode because on many Mobile Clients SSL is still not supported.
Note: To support SSL and non-SSL clients, the Mobile Server should run on both SSL and non-SSL ports inside Oracle9iAS. Also, by default, Oracle9iAS should be configured to run on both SSL and non-SSL ports.