| Oracle® Application Server Administrator's Guide 10g Release 3 (10.1.3) B25209-03 |
|
 Previous |
 Next |
| Oracle® Application Server Administrator's Guide 10g Release 3 (10.1.3) B25209-03 |
|
Previous |
Next |
This chapter provides instructions for enabling SSL in Oracle Application Server middle-tier installations.
|
Note: In this chapter, references to any of the following Oracle Application Server products are applicable for Release 2 (10.1.2) or earlier software only:
For more information about which specific versions are compatible with 10g Release 3 (10.1.3), see the Oracle Application Server Upgrade and Compatibility Guide. |
The following topics are covered:
This section identifies all SSL communication paths used in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
The following are communication paths through the Oracle Application Server middle tier, and their related SSL configuration instructions:
External Clients or Load Balancer to Oracle HTTP Server
To configure the Oracle HTTP Server for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
External Clients or Load Balancer to OracleAS Web Cache
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
OracleAS Web Cache to Oracle HTTP Server
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
Oracle HTTP Server to OC4J Applications (AJP)
To configure the AJP communication over SSL, you must configure mod_oc4j's communication with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Configuring mod_oc4j to Use SSL."
Oracle HTTP Server to iaspt and then to OC4J
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
OC4J (the JAAS provider) to Oracle Internet Directory
To configure the provider, follow the instructions in the Oracle Containers for J2EE Security Guide. To configure the provider for SSL, set the SSL_ONLY_FLAG to true.
OC4J to the database (ASO)
If Oracle Internet Directory is configured to accept SSL connections on the SSL port specified, you need only specify the SSL protocol and SSL port in the JDBC URL requesting an application, as follows:
ldaps://host:sslport/...
Note that when you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap.
If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, you must modify the configuration. See Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory."
ORMI (Oracle Remote Method Invocation, a custom wire protocol) over SSL
To configure this connection path for SSL, refer to the Oracle Containers for J2EE Security Guide.
SSL into standalone OC4J (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J" explains how to use SSL to secure communication between clients and an OC4J instance.
OracleAS Portal Parallel Page Engine (the servlet in the OC4J_PORTAL instance) to OracleAS Web Cache (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J."
The Oracle Application Server Security Guide discusses security concepts in detail and provides recommendations for configuring security in various configurations. The "Recommended Deployment Topologies" chapter presents sample architectures for Oracle Application Server installation types. After you have identified the components on which you need to enable SSL, use the instructions in this chapter and Chapter 13, "Enabling SSL in the Infrastructure" to configure the components.
This section identifies some commonly used SSL configurations in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
OracleAS Web Cache is part of all Oracle Application Server middle-tier installations. To configure it for SSL, follow the instructions in chapter "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
Oracle HTTP Server is part of all Oracle Application Server middle-tier installations. To configure it for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
To configure SSL connections to OC4J clients, follow the instructions in the Oracle Containers for J2EE Security Guide section titled "Oracle HTTPS for Client Connections."
To configure the AJP communication over SSL, you must configure mod_oc4j's communication with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL between mod_oc4j and OC4J."
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
ORMI over SSL is not supported. To configure similar functionality, you can configure ORMI over HTTP, and then configure HTTP for SSL.
See the Oracle Containers for J2EE Services Guide, section titled "Configuring ORMI Tunnelling Through HTTP" for instructions on how to configure ORMI/HTTP.
To configure the provider, follow the instructions in the Oracle Application Server Enterprise Deployment Guide, section titled "Configuring Application Authentication and Authorization." To configure the provider for SSL, set the SSL_ONLY_FLAG to true.
Depending on your security needs and the configuration of the Oracle Application Server J2EE and Web Cache installation, you may implement secure communication in one or more of the installed components. Configuring the first listener (whether it is OracleAS Web Cache or the Oracle HTTP Server) may be sufficient.
To configure the Oracle HTTP Server for SSL, follow the steps in "Enabling SSL for Oracle HTTP Server" in the Oracle HTTP Server Administrator's Guide.
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
You can use virtual hosts to deploy multiple Web sites on a single Oracle HTTP Server (for example, to make an application available over the HTTP protocol and the HTTPS protocol).
The Oracle Application Server Single Sign-On Administrator's Guide, section titled "Configuring mod_osso with Virtual Hosts" contains instructions on configuring an SSL virtual host to be protected by mod_osso. You cannot use name-based virtual hosting. You must use IP-based or port-based virtual hosting.
The scenario presented assumes that the following conditions are in effect:
The host name of the application middle tier is app.mydomain.com (replace this name with the host name of your application middle tier).
The middle tier is already configured as a non-SSL partner application (this is typically done during installation).
The default SSL port number of the application middle tier is 4443.
See Section 13.3.7, "Configuring SSL for Oracle Enterprise Manager 10g".
