20
Oracle Application Server ProcessConnect Security

The ability to control user access to Web content and to protect your site against people breaking into your system is critical. This chapter describes the architecture and configuration of security for Oracle Application Server ProcessConnect.

This chapter contains these topics:

• About Oracle Application Server ProcessConnect Security

• Configuring Oracle Application Server Security Framework for Oracle Application Server ProcessConnect

• Configuring Oracle Application Server ProcessConnect Security

• Chapter Summary

  See Also: The following documents for additional details about security: Oracle Application Server 10g Security Guide provides an overview of Oracle Application Server security and its core functionality Oracle Identity Management Concepts and Deployment Planning Guide for identity provides guidance for administrators of the Oracle security infrastructure

About Oracle Application Server ProcessConnect Security

This section describes the Oracle Application Server ProcessConnect security model. This section contains these topics:

• Classes of Users and Their Privileges

• Resources Protected

• Authorization and Access Enforcement

• Use of Oracle Application Server Security Services

• Use of Oracle Identity Management Infrastructure

• Security for Oracle Application Server ProcessConnect Extensibility

Classes of Users and Their Privileges

A single user named admin is automatically created during Oracle Application Server ProcessConnect installation. The password you specify for the Oracle Application Server administrator named ias_admin when prompted during Oracle Application Server ProcessConnect installation also becomes the initial password for the admin user.

The admin user consists of a single default user role named Administrator. The Administrator role consists of the use cases (privileges) that enable the admin user to use the Oracle Application Server ProcessConnect user interface tool to design, deploy, and manage integrations. The Administrator role is the only user role available with Oracle Application Server ProcessConnect. The admin user can create additional users to which to assign the Administrator role. A default organization name is also automatically created during Oracle Application Server ProcessConnect installation. This name is used to uniquely identify your organization or company. Along with the admin username and password, the organization name is required for connecting to the Oracle Application Server ProcessConnect user interface tool.

You can also administer portions of Oracle Application Server ProcessConnect through the Oracle Enterprise Manager Application Server Control. The password you specify for the Oracle Application Server administrator named ias_admin when prompted during Oracle Application Server ProcessConnect installation also becomes the initial password to use when logging in with the Oracle Enterprise Manager ias_admin username.

See Also: The following sections for instructions on performing these tasks: "Creating a Person" to create additional users of the Oracle Application Server ProcessConnect user interface tool "Adding a User Role to a Host Trading Partner Person" to add the Administrator role to a user "Updating a Person" to update the admin user password "Managing Organizations" to update the organization name Chapter 18, "System Management with Oracle Enterprise Manager" to monitor and administer Oracle Application Server ProcessConnect through Oracle Enterprise Manager

Resources Protected

The following security is provided for protecting resources:

• The modeling metadata and profile data that you design with the Oracle Application Server ProcessConnect user interface tool are protected by both the admin username and password and by the security provided by the Oracle database.

• Network messaging can be secured and encrypted using Oracle Advanced Security. Network messaging can also be secured by using secure HTTP for the Oracle Application Server ProcessConnect user interface tool.

• Adapters that enable communication between applications and Oracle Application Server ProcessConnect use the underlying security of their protocols (such as HTTP, FTP, and SMTP) to restrict access to data.

• Spoke (application) databases to which applications connect to access data are protected by username and password credentials that you specify when configuring a delivery channel for an application

• The messages that trading partners send and receive during integrations between enterprises are protected by the following levels of security:
  • Digital envelopes

  • Digital signatures for host and remote trading partners

  • Secure HTTP (using secure socket layer (SSL)) and client authentication

  • Encrypted wallet password for a host trading partner

    See Also: "Oracle Application Server ProcessConnect Security Configuration" for an overview of security configuration for integrations between enterprises

Authorization and Access Enforcement

When you attempt to access the Oracle Application Server ProcessConnect user interface tool, you are prompted for a username, password, and organization name. Without knowledge of this connection information, you cannot access the user interface tool to design, deploy, and manage integrations within an enterprise and between enterprises.

Use of Oracle Application Server Security Services

Oracle Application Server provides a series of security services. Oracle Application Server ProcessConnect uses SSL. You can use SSL for securing connections between host and remote trading partners. SSL uses a public key infrastructure to provide authentication and data integrity. HTTP client security is also provided through SSL.

Secure HTTP can also be used to secure the Oracle Application Server ProcessConnect user interface tool.

See Also: Oracle Application Server 10g Security Guide for a description of Oracle Application Server security services

Use of Oracle Identity Management Infrastructure

This initial release of Oracle Application Server ProcessConnect does not require use of Oracle Identity Management infrastructure features; Oracle Identity Management is optionally selectable for use during Oracle Application Server ProcessConnect installation and is only used for product-specific password verifiers.

Security for Oracle Application Server ProcessConnect Extensibility

This initial release of Oracle Application Server ProcessConnect does not support any special security extensibility.

Configuring Oracle Application Server Security Framework for Oracle Application Server ProcessConnect

This section describes Oracle Application Server security options to configure to use Oracle Application Server ProcessConnect. This section contains these topics:

• Oracle Application Server ProcessConnect Security Framework Configuration Issues

• Identity Management Configuration Issues Specific to Oracle Application Server ProcessConnect

Oracle Application Server ProcessConnect Security Framework Configuration Issues

The Oracle Application Server ProcessConnect and Oracle Workflow schemas are protected by passwords created during OracleAS Infrastructure 10g installation. These schemas are stored in the metadata repository of OracleAS Infrastructure 10g to which you configure access during Oracle Application Server ProcessConnect installation. In addition, the data you design, deploy, and manage with Oracle Application Server ProcessConnect user interface tool is stored in this same metadata repository of OracleAS Infrastructure 10g.

See Also: Oracle Application Server 10g Security Guide for OracleAS Infrastructure 10g and Oracle Application Server security details, including how to configure the Oracle HTTP Server with secure HTTP Oracle Application Server Containers for J2EE Security Guide

Identity Management Configuration Issues Specific to Oracle Application Server ProcessConnect

This initial release of Oracle Application Server ProcessConnect does not use the identity management infrastructure. Therefore, there are no identity management configuration issues and options.

Configuring Oracle Application Server ProcessConnect Security

This section provides an overview of Oracle Application Server ProcessConnect installation and configuration issues. This section contains these topics:

• Oracle Application Server ProcessConnect Installation

• Oracle Application Server ProcessConnect Security Configuration

• Host Trading Partner Password Encryption in High Availability Environments

• Configuration Issues and Options to Use for Oracle Application Server Security Framework

Oracle Application Server ProcessConnect Installation

While you do not specify security parameters when installing Oracle Application Server ProcessConnect, the Oracle Application Server administrator must know the following information to install Oracle Application Server ProcessConnect:

• The name of the host on which the OracleAS Infrastructure 10g installation to use as the metadata repository is installed

• The specific OracleAS Infrastructure 10g installation on that specific host that includes the Oracle Application Server ProcessConnect schema

• The Oracle Application Server ProcessConnect and Oracle Workflow schema passwords automatically created during OracleAS Infrastructure 10g installation

• The ias_admin password specified during J2EE and Web Cache installation, which is used as the initial password for the Oracle Application Server ProcessConnect admin user and for the Oracle Enterprise Manager ias_admin user

• The organization name automatically assigned during Oracle Application Server ProcessConnect installation

  See Also: Oracle9 Application Server ProcessConnect Installation Guide for installation instructions

Oracle Application Server ProcessConnect Security Configuration

You configure security with the Oracle Application Server ProcessConnect user interface tool after installation. Oracle Application Server ProcessConnect provides the following levels of security:

• Application Delivery Channels

• Digital Envelopes

• Digital Signatures for Host and Remote Trading Partners

• Secure HTTP and Client Authentication

• Encrypted Wallet Passwords for Host Trading Partners

  See Also: "Managing Trading Partner Agreements" to create a trading partner agreement to which to assign a trading partner with its delivery channel characteristics

Application Delivery Channels

Adapters enable communication between applications and Oracle Application Server ProcessConnect. The adapter of an application includes its own delivery channel security characteristics that you must define (such as login credentials for accessing hosts and backend databases). Oracle Application Server ProcessConnect stores information such as passwords in encrypted format. Table 20-1 provides an overview of the tasks.

Table 20-1  Application Delivery Channel Tasks

Task	See...
Add an adapter to an application	"Adding an Adapter to an Application"
Add a delivery channel to an adapter	"Creating an Application Delivery Channel"

See Also: "Managing Application Agreements" to create an application agreement to which to assign an application with its adapter of delivery channel characteristics

Digital Envelopes

You can create encrypted business messages with a remote trading partner's certificate. Table 20-2 provides an overview of the tasks.

Table 20-2  Remote Trading Partner Certificate Tasks

Task	See...
Perform the following tasks when creating a remote trading partner certificate for a digital envelope, digital signature, or SSL certificate.	Step 2 of "Creating a Remote Trading Partner Certificate"
Enter a remote certificate name in the Name field.
Enter a certificate directory location in the Certificate Location field.
Perform the following tasks when creating a document exchange:	Step 2 of "Creating a Document Exchange"
Select the remote certificate from the Encryption Credential list.
Select a digital envelope from the Digital Envelope list.
Perform the following tasks when creating a delivery channel:	Step 2 of "Creating a Delivery Channel"
Select the document exchange with the remote certificate from the Document Exchange list.
Select Yes from the Encryption Enabled list if you are using RosettaNet Implementation Framework 2.0.

You can then assign the delivery channel to a trading partner participating in a trading partner agreement.

See Also: "Adding a Delivery Channel to a Trading Partner Agreement Participant"

Digital Signatures for Host and Remote Trading Partners

You can use digital signatures with host and remote trading partners. The digital signature ensures that the message is authentic. Table 20-3 provides an overview of the tasks for configuring digital signatures.

Table 20-3  Digital Signatures

Task	See...
Perform the following tasks when creating a document exchange:	Step 2 of "Creating a Document Exchange"
Select a digital signature from the Digital Signature list.
If you are configuring a remote trading partner, select a signing credential (a remote certificate) from the Signing Credential list.
Select Yes from the following lists when creating a delivery channel: Is Non-Repudiation of Origin Required Is Non-Repudiation of Receipt Required If you select Yes from the Is Non-Repudiation of Receipt Required list, you must also select Yes from the Is Non-Repudiation of Origin Required list. In a trading partner agreement, both the host and remote trading partners must have the same values for Is Non-Repudiation of Origin Required and Is Non-Repudiation of Receipt Required.	Step 2 of "Creating a Delivery Channel"

Secure HTTP and Client Authentication

You can use SSL to secure connections between host and remote trading partners. You can use SSL with or without client authentication. Table 20-4 provides an overview of the tasks for configuring SSL. There are three parts to configuring SSL that must be performed in this order:

• Configure SSL outside of Oracle Application Server ProcessConnect and Oracle Application Server

• Configure SSL for Oracle Application Server

• Configure SSL for Oracle Application Server ProcessConnect

  Table 20-4  SSL

  Part	Task	See...
  1	Configure SSL outside of Oracle Application Server ProcessConnect and Oracle Application Server	"Setting Up SSL for the Oracle Application Server ProcessConnect B2B Adapter"
  2	Configure SSL for Oracle Application Server	Oracle Application Server 10g Administrator's Guide Oracle Application Server 10g Security Guide
  3	Configure SSL for Oracle Application Server ProcessConnect:
  	Select Yes from the Transport Security Enabled list when creating a delivery channel.	Step 2 of "Creating a Delivery Channel"
  	Perform the following tasks when creating a protocol endpoint:
  	Select Yes from the Client Authentication Enabled list to specify client authentication for host and remote trading partners	Step 4 of "Creating a Transport"
  	Select HTTP 1.0 (Secure) or HTTP 1.1 (Secure) from the Transport Protocol list.	Step 2 of "Creating a Protocol Endpoint"
  	Select SSL from the Security Specification list.	Step 4 of "Creating a Protocol Endpoint"
  	If host client authentication is enabled, select a remote trading partner certificate from the Certificate list.	Step 5 of "Creating a Protocol Endpoint"

Setting Up SSL for the Oracle Application Server ProcessConnect B2B Adapter

Before configuring trading partners to use SSL in the Oracle Application Server ProcessConnect user interface tool, you must set up SSL. The B2B adapter enables trading partners to communicate. Use the B2B adapter in either of two modes:

• As an HTTP server

  This mode is configured through SSL settings in the Oracle HTTP Server httpd.conf file, as described in the Oracle Application Server 10g Security Guide

• As an HTTP client
  1. Import a trading partner's CA authority into Oracle Wallet Manager.

     Note: Oracle Wallet Manager allows only base64 files to be imported. Use Internet Explorer or another tool to convert a nonbase64 encoded certificate to base64.

     .
  2. Export the entire wallet into a text file. This file requires a .txt extension.

  3. Place this file in the same location as the original wallet file.

  4. Specify the location for this .txt file with the Wallet Location parameter in the Oracle Application Server ProcessConnect configuration parameters. These parameters can be accessed and modified from the Server Properties page of the Oracle Enterprise Manager Application Server Control.

     See Also: Chapter 18, "System Management with Oracle Enterprise Manager" for instructions on accessing the Oracle Enterprise Manager Application Server Control

Troubleshooting SSL Setup

Follow these instructions to troubleshoot SSL setup:

Use the browser to connect to the secure HTTP URL. Upon successful connection, the following details are viewable:

• If you are using Internet Explorer, select File > Properties from the main menu. The connection information appears. A Certificates button that displays certificate information also appears.

• You may get a confirmation page from the remote server.

Verifying SSL Client Authentication

Follow these instructions to verify SSL client authentication:

• Using the Netscape browser:
  1. Import an Oracle Wallet by selecting Communicator > Tools > Security Info > Certificates > Yours > Import a Certificate from the main menu.

  2. Connect to the secure HTTP URL.

• Using the Internet Explorer browser:

  Internet Explorer does not recognize the .p12 file generated using Oracle Wallet. Perform these steps to import the Oracle Wallet:

  1. Import the Oracle Wallet by selecting Communicator > Tools > Security Info > Certificates > Yours > Import a Certificate from the main menu.

  2. Export the Oracle Wallet by selecting Communicator > Tools > Security Info > Certificates > Yours > Export.

  3. Import this Oracle Wallet into Internet Explorer and try connecting to the secure HTTP URL.

Encrypted Wallet Passwords for Host Trading Partners

Oracle Application Server ProcessConnect uses an Oracle Wallet for storing private and public keys. A wallet password is required for accessing an Oracle Wallet. You create an initial wallet password and an Oracle Wallet with Oracle Wallet Manager. The wallet password is stored in encrypted format in the Oracle Application Server Metadata Repository. This wallet is used for digital envelopes, digital signatures, and SSL. Table 20-5 provides an overview of the tasks to perform in the Oracle Application Server ProcessConnect user interface tool after you create the wallet password and Oracle Wallet:

Table 20-5  Host Trading Partner Wallet Password

Task	See...
Create a host trading partner wallet password	"Creating a Host Trading Partner Wallet Password" Note: Enter the same wallet password that you created in Oracle Wallet Manager. If you later change the wallet password in Oracle Wallet Manager, you must also update the password in the Oracle Application Server ProcessConnect user interface tool.
Specify the directory location for the wallet file	"Oracle Application Server ProcessConnect Monitoring and Administration Tasks" to access the Oracle Application Server ProcessConnect configuration parameters (under the Server Properties section) with Oracle Enterprise Manager. The Wallet Location parameter in this file enables you to specify the directory location for the wallet file.

Host Trading Partner Password Encryption in High Availability Environments

Oracle Application Server ProcessConnect provides a feature that automatically encrypts the host trading partner's Oracle Application Server ProcessConnect passwords through use of an obfuscated, encryption key created during installation. If you want to change this key value, do so during Oracle Application Server ProcessConnect downtime, as all passwords within the Oracle Application Server ProcessConnect schema are re-encrypted. A new encryption key is then created.

If Oracle Application Server ProcessConnect is part of a high availability or disaster recovery configuration and you want to change the encryption key, you must perform the following procedures:

1. Follow the instructions in "Managing and Monitoring a Middle-Tier Instance from Oracle Enterprise Manager Application Server Control" to log in to the Oracle Enterprise Manager Application Server Control and access the primary Oracle Application Server ProcessConnect instance.

2. Shut down the adapter framework, integration manager, and OC4J instance subcomponents on the primary system on which Oracle Application Server ProcessConnect is installed.

3. Go to the Security Key parameter on the Server Properties page:

   

   Text description of the illustration encrypt.gif

4. Make the following changes:
   1. Check the Re-encrypt ProcessConnect Repository's Security Data box.

   2. Change the encryption key in the Security Key field.

      This action re-encrypts the Oracle Application Server ProcessConnect schema passwords.

5. Click Apply.

6. Go to the secondary (or backup) system of which Oracle Application Server ProcessConnect is a part.

7. Repeat Steps 2 and 3 on the secondary system.

8. Enter the same encryption key in the Security Key field as you did in Step 4b. However, do not check the Re-encrypt ProcessConnect Repository's Security Data box.

9. Repeat Steps 6 through 8 for additional secondary systems.

10. Restart the primary and secondary systems.

Configuration Issues and Options to Use for Oracle Application Server Security Framework

You can enable encryption between Oracle Application Server ProcessConnect and the Oracle Application Server Metadata Repository by setting several Oracle Net configuration parameters. For example, you can encrypt JDBC with the following sqlnet.ora parameters:

sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
sqlnet.crypto_seed ="-kdje83kkep39487dvmlqEPTbxxe70273"

See Also: Oracle Advanced Security Administrator's Guide available on the Oracle Technology Network: http://otn.oracle.com/

Chapter Summary

This chapter describes the security provisions of Oracle Application Server ProcessConnect including, for example, automatic encryption of the host trading partner's Oracle Application Server ProcessConnect passwords by using an obfuscated encryption key created during installation. Protection of Oracle Application Server ProcessConnect and Oracle Workflow schemas during OracleAS Infrastructure 10g installation is also discussed.