Oracle® Application Server ProcessConnect User's Guide 10g (9.0.4) Part Number B12121-01
The ability to control user access to Web content and to protect your site against people breaking into your system is critical. This chapter describes the architecture and configuration of security for Oracle Application Server ProcessConnect.
This chapter contains these topics:
This section describes the Oracle Application Server ProcessConnect security model. This section contains these topics:
A single user named admin is automatically created during Oracle Application Server ProcessConnect installation. The password you specify for the Oracle Application Server administrator named ias_admin when prompted during Oracle Application Server ProcessConnect installation also becomes the initial password for the admin user.
The admin user has a single default user role named Administrator. The Administrator role consists of the use cases (privileges) that enable the admin user to use the Oracle Application Server ProcessConnect user interface tool to design, deploy, and manage integrations. The Administrator role is the only user role available with Oracle Application Server ProcessConnect. The admin user can create additional users and assign them the Administrator role.
A default organization name is also automatically created during Oracle Application Server ProcessConnect installation. This name is used to uniquely identify your organization or company. Along with the admin username and password, the organization name is required for connecting to the Oracle Application Server ProcessConnect user interface tool.
You can also administer portions of Oracle Application Server ProcessConnect through the Oracle Enterprise Manager Application Server Control. The password you specify for the Oracle Application Server administrator named ias_admin when prompted during Oracle Application Server ProcessConnect installation also becomes the initial password to use when logging in with the Oracle Enterprise Manager ias_admin username.
See Also:
The following sections for instructions on performing these tasks:
The following security is provided for protecting resources:
admin username and password and by the security provided by the Oracle database.
See Also: "Oracle Application Server ProcessConnect Security Configuration" for an overview of security configuration for integrations between enterprises
When you attempt to access the Oracle Application Server ProcessConnect user interface tool, you are prompted for a username, password, and organization name. Without knowledge of this connection information, you cannot access the user interface tool to design, deploy, and manage integrations within an enterprise and between enterprises.
Oracle Application Server provides a series of security services. Oracle Application Server ProcessConnect uses SSL. You can use SSL for securing connections between host and remote trading partners. SSL uses a public key infrastructure to provide authentication and data integrity. HTTP client security is also provided through SSL.
Secure HTTP can also be used to secure the Oracle Application Server ProcessConnect user interface tool.
This initial release of Oracle Application Server ProcessConnect does not require use of Oracle Identity Management infrastructure features; Oracle Identity Management is optionally selectable for use during Oracle Application Server ProcessConnect installation and is only used for product-specific password verifiers.
This initial release of Oracle Application Server ProcessConnect does not support any special security extensibility.
This section describes the Oracle Application Server security options that you configure in order to use Oracle Application Server ProcessConnect. This section contains these topics:
The Oracle Application Server ProcessConnect and Oracle Workflow schemas are protected by passwords created during OracleAS Infrastructure 10g installation. These schemas are stored in the metadata repository of OracleAS Infrastructure 10g to which you configure access during Oracle Application Server ProcessConnect installation. In addition, the data you design, deploy, and manage with the Oracle Application Server ProcessConnect user interface tool is stored in this same metadata repository of OracleAS Infrastructure 10g.
This initial release of Oracle Application Server ProcessConnect does not use the identity management infrastructure. Therefore, there are no identity management configuration issues and options.
This section provides an overview of Oracle Application Server ProcessConnect installation and configuration issues. This section contains these topics:
While you do not specify security parameters when installing Oracle Application Server ProcessConnect, the Oracle Application Server administrator must know the following information to install Oracle Application Server ProcessConnect:
- ias_admin password specified during J2EE and Web Cache installation, which is used as the initial password for the Oracle Application Server ProcessConnect admin user and for the Oracle Enterprise Manager ias_admin user
- organization name automatically assigned during Oracle Application Server ProcessConnect installation
You configure security with the Oracle Application Server ProcessConnect user interface tool after installation. Oracle Application Server ProcessConnect provides the following levels of security:
See Also: "Managing Trading Partner Agreements" to create a trading partner agreement to which to assign a trading partner with its delivery channel characteristics
Adapters enable communication between applications and Oracle Application Server ProcessConnect. The adapter of an application includes its own delivery channel security characteristics that you must define (such as login credentials for accessing hosts and backend databases). Oracle Application Server ProcessConnect stores information such as passwords in encrypted format. Table 20-1 provides an overview of the tasks.
Task | See... |
---|---|
Add an adapter to an application | |
Add a delivery channel to an adapter | |
See Also: "Managing Application Agreements" to create an application agreement to which to assign an application with its adapter of delivery channel characteristics
You can create encrypted business messages with a remote trading partner's certificate. Table 20-2 provides an overview of the tasks.
Task | See... |
---|---|
Perform the following tasks when creating a remote trading partner certificate for a digital envelope, digital signature, or SSL certificate. | |
Perform the following tasks when creating a document exchange: | Step 2 of "Creating a Document Exchange" |
Perform the following tasks when creating a delivery channel: | Step 2 of "Creating a Delivery Channel" |
You can then assign the delivery channel to a trading partner participating in a trading partner agreement.
You can use digital signatures with host and remote trading partners. The digital signature ensures that the message is authentic. Table 20-3 provides an overview of the tasks for configuring digital signatures.
Task | See... |
---|---|
Perform the following tasks when creating a document exchange: | Step 2 of "Creating a Document Exchange" |
Select Yes from the following lists when creating a delivery channel: If you select Yes from the Is Non-Repudiation of Receipt Required list, you must also select Yes from the Is Non-Repudiation of Origin Required list. In a trading partner agreement, both the host and remote trading partners must have the same values for Is Non-Repudiation of Origin Required and Is Non-Repudiation of Receipt Required. | Step 2 of "Creating a Delivery Channel" |
You can use SSL to secure connections between host and remote trading partners. You can use SSL with or without client authentication. Table 20-4 provides an overview of the tasks for configuring SSL. There are three parts to configuring SSL that must be performed in this order:
Part | Task | See... |
---|---|---|
1 | Configure SSL outside of Oracle Application Server ProcessConnect and Oracle Application Server | "Setting Up SSL for the Oracle Application Server ProcessConnect B2B Adapter" |
2 | Configure SSL for Oracle Application Server | |
3 | Configure SSL for Oracle Application Server ProcessConnect: | |
 | Select Yes from the Transport Security Enabled list when creating a delivery channel. | Step 2 of "Creating a Delivery Channel" |
 | Perform the following tasks when creating a protocol endpoint: | |
 | | Step 4 of "Creating a Transport" |
 | | Step 2 of "Creating a Protocol Endpoint" |
 | | Step 4 of "Creating a Protocol Endpoint" |
 | | Step 5 of "Creating a Protocol Endpoint" |
Before configuring trading partners to use SSL in the Oracle Application Server ProcessConnect user interface tool, you must set up SSL. The B2B adapter enables trading partners to communicate. Use the B2B adapter in either of two modes:
This mode is configured through SSL settings in the Oracle HTTP Server httpd.conf file, as described in the Oracle Application Server 10g Security Guide
.txt extension.
.txt file with the Wallet Location parameter in the Oracle Application Server ProcessConnect configuration parameters. These parameters can be accessed and modified from the Server Properties page of the Oracle Enterprise Manager Application Server Control.
See Also: Chapter 18, "System Management with Oracle Enterprise Manager" for instructions on accessing the Oracle Enterprise Manager Application Server Control
Follow these instructions to troubleshoot SSL setup:
Use the browser to connect to the secure HTTP URL. Upon successful connection, the following details are viewable:
Follow these instructions to verify SSL client authentication:
Internet Explorer does not recognize the .p12 file generated using Oracle Wallet. Perform these steps to import the Oracle Wallet:
Oracle Application Server ProcessConnect uses an Oracle Wallet for storing private and public keys. A wallet password is required for accessing an Oracle Wallet. You create an initial wallet password and an Oracle Wallet with Oracle Wallet Manager. The wallet password is stored in encrypted format in the Oracle Application Server Metadata Repository. This wallet is used for digital envelopes, digital signatures, and SSL. Table 20-5 provides an overview of the tasks to perform in the Oracle Application Server ProcessConnect user interface tool after you create the wallet password and Oracle Wallet:
Task | See... |
---|---|
Create a host trading partner wallet password | "Creating a Host Trading Partner Wallet Password" Note: Enter the same wallet password that you created in Oracle Wallet Manager. If you later change the wallet password in Oracle Wallet Manager, you must also update the password in the Oracle Application Server ProcessConnect user interface tool. |
Specify the directory location for the wallet file | "Oracle Application Server ProcessConnect Monitoring and Administration Tasks" to access the Oracle Application Server ProcessConnect configuration parameters (under the Server Properties section) with Oracle Enterprise Manager. The Wallet Location parameter in this file enables you to specify the directory location for the wallet file. |
Oracle Application Server ProcessConnect provides a feature that automatically encrypts the host trading partner's Oracle Application Server ProcessConnect passwords through use of an obfuscated encryption key created during installation. If you want to change this key value, do so during Oracle Application Server ProcessConnect downtime, as all passwords within the Oracle Application Server ProcessConnect schema are re-encrypted. A new encryption key is then created.
If Oracle Application Server ProcessConnect is part of a high availability or disaster recovery configuration and you want to change the encryption key, you must perform the following procedures:
You can enable encryption between Oracle Application Server ProcessConnect and the Oracle Application Server Metadata Repository by setting several Oracle Net configuration parameters. For example, you can encrypt JDBC with the following sqlnet.ora parameters:
```
sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
sqlnet.crypto_seed="-kdje83kkep39487dvmlqEPTbxxe70273"
```
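The following Python audit of the sqlnet.ora parameters shown above is an added example, not Oracle code or part of the original guide. It reports what the accepted/requested pair negotiates and flags settings that leave room for a weak or unencrypted session. The function names (parse, negotiate, audit) are hypothetical; the negotiation rules and the ACCEPTED default are the ones documented for Oracle Net native encryption.

```python
import re

# Constructed input: the sqlnet.ora parameters quoted on this page.
SAMPLE = '''
sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
sqlnet.crypto_seed ="-kdje83kkep39487dvmlqEPTbxxe70273"
'''
WEAK = {"RC4_40", "RC4_56", "DES40", "DES"}  # 40- and 56-bit keys

def parse(text):
    """Return {parameter: value} for single-line entries; keys lower-cased."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def negotiate(server, client):
    """Oracle Net negotiation result for the two encryption settings."""
    pair = {server.lower(), client.lower()}
    if "rejected" in pair:
        return "fails" if "required" in pair else "off"
    return "off" if pair == {"accepted"} else "on"

def audit(text):
    """Return (negotiated state, list of findings) for a sqlnet.ora text."""
    p = parse(text)
    server = p.get("sqlnet.encryption_server", "accepted")  # documented default
    client = p.get("sqlnet.encryption_client", "accepted")  # documented default
    findings = []
    if "required" not in {server.lower(), client.lower()}:
        findings.append("neither side is REQUIRED: the session continues "
                        "unencrypted if the peers share no algorithm")
    for side in ("server", "client"):
        value = p.get(f"sqlnet.encryption_types_{side}", "")
        weak = [a for a in re.findall(r"\w+", value.upper()) if a in WEAK]
        if weak:
            findings.append(f"{side}: short-key algorithm {', '.join(weak)}")
    return negotiate(server, client), findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the page's parameters the audit returns "on" with three findings: encryption is negotiated, but nothing enforces it, and both algorithm lists offer only a 40-bit cipher.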
This chapter describes the security provisions of Oracle Application Server ProcessConnect including, for example, automatic encryption of the host trading partner's Oracle Application Server ProcessConnect passwords by using an obfuscated encryption key created during installation. Protection of Oracle Application Server ProcessConnect and Oracle Workflow schemas during OracleAS Infrastructure 10g installation is also discussed.
Copyright © 2003 Oracle Corporation. All Rights Reserved.