Oracle® Application Server Quick Administration Guide
10g Release 2 (10.1.2) Part No. b14046-01
This chapter provides instructions for enabling Secure Sockets Layer (SSL) in Oracle Application Server on Infrastructure and Middle Tier installations. It contains the following topics:
This section identifies all the SSL communication paths used in the Oracle Application Server Infrastructure, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
Note: When you install Identity Management, you are prompted to select a mode for Oracle Internet Directory. The default mode is the dual mode, which allows some components to access Oracle Internet Directory using non-SSL connections. If you chose SSL mode during installation, then all installed components must use SSL when connecting to the directory. Before you begin SSL configuration, determine the Oracle Internet Directory mode. Start the
The following lists the communication paths through the Oracle Application Server Infrastructure, and the related SSL configuration instructions:
Oracle HTTP Server to the OC4J_SECURITY instance
To configure AJP communication over SSL, you must configure how mod_oc4j communicates with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Configuring mod_oc4j to Use SSL."
Oracle HTTP Server to iaspt (Port Tunneling) and then to the OC4J_SECURITY instance
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
OC4J_SECURITY instance to Oracle Internet Directory
To configure this connection path for SSL, follow the instructions in the Oracle Application Server Single Sign-On Administrator's Guide. It explains how to configure SSL communication between:
The browser and the OracleAS Single Sign-On server in the section titled "Enable SSL on the Single Sign-On Middle Tier"
The OracleAS Single Sign-On server and the Oracle Internet Directory server section titled "Configuring SSL Between the Single Sign-On Server and Oracle Internet Directory"
Oracle Delegated Administration Services is SSL-enabled after you configure the Oracle HTTP Server for SSL. The Oracle Delegated Administration Services communication to Oracle Internet Directory is always SSL-enabled. You do not have to perform any configuration tasks to accomplish this.
Oracle Directory Integration and Provisioning to Oracle Internet Directory and Oracle Internet Directory replication server to Oracle Internet Directory
As shown in Figure 7-1, you can configure several components and communication paths for SSL. The following lists references to the instructions for each:
Communication between the Oracle Internet Directory Replication server and the Oracle Internet Directory server: Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and Oracle Internet Directory Replication"
Communication between Oracle Directory Integration and Provisioning and the Oracle Internet Directory server: Oracle Identity Management Integration Guide, chapter titled "Oracle Directory Integration and Provisioning Server Administration"
The OC4J_SECURITY instance to the Metadata Repository database and Oracle Internet Directory to the Metadata Repository database
If Oracle Internet Directory is configured to accept SSL connections on the SSL port specified, then you need to specify only the SSL protocol and SSL port in the JDBC URL requesting an application, as follows:
ldaps://host:sslport/...
Note that when you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap.
If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, then you must modify the configuration. Refer to Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory."
Figure 7-1 Identity Management Components and SSL Connection Paths
This section provides references to the component guides in the Oracle Application Server documentation library that provide instructions for configuring SSL in individual components.
Follow the instructions in the Oracle Application Server Single Sign-On Administrator's Guide to configure SSL communication between:
The browser and the OracleAS Single Sign-On server (section titled "Enable SSL on the Single Sign-On Middle Tier")
The OracleAS Single Sign-On server and the Oracle Internet Directory server (section titled "Configuring SSL Between the Single Sign-On Server and Oracle Internet Directory")
Oracle Delegated Administration Services is SSL-enabled after you configure the Oracle HTTP Server for SSL (as described in "Enable SSL on the Single Sign-On Middle Tier"). The Oracle Delegated Administration Services communication to Oracle Internet Directory is always SSL-enabled. You do not have to perform any configuration tasks to accomplish this.
Instructions for configuring SSL communication in Oracle Internet Directory are provided in the following guides:
Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory"
Oracle Internet Directory Administrator's Guide, section titled "Configuring SSL Parameters"
Oracle Internet Directory Administrator's Guide, section titled "Limitations of the Use of SSL in 10g (10.1.2)"
As shown in Figure 7-1, you can configure several components and communication paths for SSL. The following lists references to the instructions for each:
Communication between the Oracle Internet Directory Replication server and the Oracle Internet Directory server: Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and Oracle Internet Directory Replication"
Communication between Oracle Directory Integration and Provisioning and the Oracle Internet Directory server: Oracle Identity Management Integration Guide, chapter titled "Oracle Directory Integration and Provisioning Server Administration"
Follow the instructions in the Oracle Application Server Single Sign-On Administrator's Guide, section titled "Reconfigure the Identity Management Infrastructure Database" to configure SSL in the Identity Management database.
This section identifies all SSL communication paths used in the Oracle Application Server middle tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
The following lists the communication paths through the Oracle Application Server middle-tier, and the related SSL configuration instructions:
External Clients or Load Balancer to Oracle HTTP Server
To configure the Oracle HTTP Server for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
External Clients or Load Balancer to OracleAS Web Cache
To configure OracleAS Web Cache for SSL, follow the instructions in the Oracle Application Server Web Cache Administrator's Guide, section titled "Configuring OracleAS Web Cache for HTTPS Requests".
OracleAS Web Cache to Oracle HTTP Server
To configure OracleAS Web Cache for SSL, follow the instructions in the Oracle Application Server Web Cache Administrator's Guide, section titled "Configuring OracleAS Web Cache for HTTPS Requests".
Oracle HTTP Server to OC4J Applications (AJP)
To configure the AJP communication over SSL, you must configure how mod_oc4j communicates with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Configuring mod_oc4j to Use SSL."
Oracle HTTP Server to iaspt and then to OC4J
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
OC4J (the JAAS Provider) to Oracle Internet Directory
To configure the JAAS Provider, follow the instructions in Oracle Application Server Containers for J2EE Security Guide. To configure the JAAS provider for SSL, set SSL_ONLY_FLAG to true.
OC4J to the database (ASO)
If Oracle Internet Directory is configured to accept SSL connections on the SSL port specified, then you need to only specify the SSL protocol and SSL port in the JDBC URL requesting an application, as follows:
ldaps://host:sslport/...
Note that when you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap.
If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, then you must modify the configuration. Refer to Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory."
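A small audit helper for the directory URL rule above (and the same rule in the Infrastructure section), added here as an example and not part of the Oracle guide. It assumes the Oracle Internet Directory mode chosen at install ("ssl" or "dual") and the directory's SSL listener port are known, and flags URLs that use the plain ldap scheme when the directory is SSL-only, or ldaps URLs that omit or mismatch the SSL port; the sample URLs and port 636 are constructed.

```python
"""Audit LDAP connection URLs against the Oracle Internet Directory mode.

Hypothetical helper (not from the Oracle guide): checks that every URL
uses the ldaps scheme and an explicit SSL port when the directory was
installed in SSL-only mode, and in dual mode flags plain ldap:// URLs
that point at the SSL port (a scheme/port mismatch).
"""
from urllib.parse import urlsplit

SSL_SCHEME = "ldaps"
PLAIN_SCHEME = "ldap"


def audit_directory_urls(oid_mode, urls, ssl_port):
    """Return a list of (url, finding) pairs; an empty list means all URLs pass.

    oid_mode: "ssl" (SSL-only, every component must use ldaps) or "dual".
    ssl_port: the directory's SSL listener port, as configured at install.
    """
    if oid_mode not in ("ssl", "dual"):
        raise ValueError("oid_mode must be 'ssl' or 'dual'")
    findings = []
    for url in urls:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in (SSL_SCHEME, PLAIN_SCHEME):
            findings.append((url, "unrecognised scheme"))
            continue
        if scheme == PLAIN_SCHEME:
            if oid_mode == "ssl":
                findings.append((url, "non-SSL URL but directory is in SSL-only mode"))
            elif parts.port == ssl_port:
                findings.append((url, "ldap scheme pointed at the SSL port"))
            continue
        # ldaps: the guide asks for an explicit SSL port (ldaps://host:sslport/...)
        if parts.port is None:
            findings.append((url, "ldaps URL without an explicit SSL port"))
        elif parts.port != ssl_port:
            findings.append((url, "ldaps URL uses a port other than the directory SSL port"))
    return findings


# Constructed sample: a directory installed in SSL-only mode, SSL port 636.
SAMPLE_URLS = [
    "ldaps://oid.example.com:636/dc=example,dc=com",   # passes
    "ldap://oid.example.com:389/dc=example,dc=com",    # plain LDAP, not allowed
    "ldaps://oid.example.com/dc=example,dc=com",       # SSL port missing
]

if __name__ == "__main__":
    for url, finding in audit_directory_urls("ssl", SAMPLE_URLS, 636):
        print(f"{url}: {finding}")
```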
ORMI (Oracle Remote Method Invocation, a custom wire protocol) over HTTP and HTTP over SSL
ORMI over SSL is not supported. To configure similar functionality, you can configure ORMI over HTTP, and then configure HTTP for SSL.
Refer to the Oracle Application Server Containers for J2EE Services Guide, section titled "Configuring ORMI Tunnelling Through HTTP" for instructions on how to configure ORMI over HTTP.
SSL into Standalone OC4J (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J", which explains how to use SSL to secure communication between clients and an OC4J instance.
OracleAS Portal Parallel Page Engine (the servlet in the OC4J_PORTAL instance) to OracleAS Web Cache (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J."
This section identifies some commonly used SSL configurations in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
OracleAS Web Cache is part of all Oracle Application Server middle-tier installations. To configure OracleAS Web Cache for SSL, follow the instructions in chapter "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
Oracle HTTP Server is part of all Oracle Application Server middle-tier installations. To configure Oracle HTTP Server for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
The Oracle Application Server Discoverer Configuration Guide explains how to configure OracleAS Discoverer for SSL.
For a discussion of Oracle Application Server Framework Security, including the SSL protocols for Oracle Business Intelligence, refer to the Oracle Application Server Discoverer Configuration Guide, section titled "Using Discoverer with OracleAS Framework Security."
For information about implementing SSL in OracleAS Discoverer, refer to the Oracle Application Server Discoverer Configuration Guide, section titled "What is HTTPS and why should I use it?"
For instructions on enabling OracleAS Discoverer for SSL, refer to the Oracle Application Server Discoverer Configuration Guide, section titled "About running Discoverer over HTTPS."
For instructions on configuring SSL in OracleAS Wireless, refer to the Wireless Security chapter in the Oracle Application Server Wireless Administrator's Guide. The section titled "Site Administration" explains how to use the System Manager HTTP, HTTPS configuration page in Oracle Enterprise Manager 10g to configure the Wireless site's proxy server settings, URLs, and SSL certificates in the Wireless site.
OracleAS Portal uses several components for HTTP communication (such as the Parallel Page Engine, Oracle HTTP Server, and OracleAS Web Cache), each of which may function as a client or server. As a result, each component in the Oracle Application Server middle tier may be configured individually to use the HTTPS protocol instead of HTTP. These components interact with OracleAS Portal through the following distinct network hops:
Between the client browser and the entry point of the OracleAS Portal environment. The entry point can be OracleAS Web Cache or a network edge hardware device such as a reverse proxy or SSL accelerator
Between OracleAS Web Cache and the Oracle HTTP Server of the Oracle Application Server middle tier
Between the client browser and the Oracle HTTP Server of the OracleAS Single Sign-On or Oracle Internet Directory (or Infrastructure) tier
A loop back connection between the Parallel Page Engine (PPE) on the middle tier and OracleAS Web Cache or the front-end reverse proxy
Between the Parallel Page Engine (PPE) and the Remote Web Provider that provides Portlet content
Between the OracleAS Portal infrastructure and the Oracle Internet Directory server
The following sections in the Oracle Application Server Portal Configuration Guide provide an overview of the most common SSL configurations for OracleAS Portal and instructions for implementing them:
SSL to OracleAS Single Sign-On: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure a secure connection to OracleAS Single Sign-On.
SSL to OracleAS Web Cache: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure a secure connection to OracleAS Web Cache.
SSL throughout OracleAS Portal: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure secure connections throughout OracleAS Portal.
External SSL with non-SSL within Oracle Application Server: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure OracleAS Portal such that the site is externally accessible through SSL URLs, with the Oracle Application Server running in the non-SSL mode.
Note: For general information about securing OracleAS Portal, refer to the Oracle Application Server Portal Configuration Guide (Chapter 6, Securing OracleAS Portal).
To configure SSL for Oracle Enterprise Manager 10g, refer to the Oracle Application Server 10g Administrator's Guide.