Oracle® Application Server Administrator's Guide 10g Release 3 (10.1.3.2.0) Part Number B32196-01
This chapter provides instructions for enabling SSL in Oracle Application Server Infrastructure installations.
Note:
In this chapter, references to any of the following Oracle Application Server products are applicable for Release 10.1.4, Release 2 (10.1.2), or earlier software only:
OracleAS Infrastructure
OracleAS Single Sign-On
OracleAS Web Cache
OracleAS Certificate Authority
Oracle Delegated Administration Services
Oracle Identity Management
This section identifies all SSL communication paths used in the Oracle Application Server Infrastructure, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
Note:
When you install Oracle Identity Management, you are prompted to select a mode for Oracle Internet Directory. The default mode is dual mode, which allows some components to access Oracle Internet Directory using non-SSL connections. If SSL mode was chosen during installation, then all installed components must use SSL when connecting to the directory.
Before you begin SSL configuration, determine the Oracle Internet Directory mode. Start the oidadmin tool and view the SSL mode in Oracle Directory Manager. Go to the Directory Server and select View Properties > SSL Settings.
The following are the communication paths through the Oracle Application Server Infrastructure, and their related SSL configuration instructions:
Oracle HTTP Server to the OC4J_SECURITY instance
To configure the AJP communication over SSL, you must configure mod_oc4j's communication with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Configuring mod_oc4j to Use SSL."
Oracle HTTP Server to iaspt (Port Tunneling) and then to the OC4J_SECURITY instance
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
The OC4J_SECURITY instance to Oracle Internet Directory
To configure this connection path for SSL, follow the instructions in the Oracle Application Server Single Sign-On Administrator's Guide, section titled "Configuring SSL Between the Single Sign-On Server and Oracle Internet Directory." (The OC4J_SECURITY instance hosts the OracleAS Single Sign-On server, so this is the SSO-server-to-directory connection.) The section titled "Enable SSL on the Single Sign-On Middle Tier" in the same guide covers the separate path between the browser and the OracleAS Single Sign-On server.
Oracle Delegated Administration Services is SSL-enabled after you configure the Oracle HTTP Server for SSL. The Oracle Delegated Administration Services communication to Oracle Internet Directory is always SSL-enabled; you do not have to perform any configuration tasks to accomplish this. (OracleAS Single Sign-On, Oracle Application Server Certificate Authority, and Oracle Delegated Administration Services communicate with Oracle Internet Directory in SSL mode by default.)
Oracle Directory Integration and Provisioning to Oracle Internet Directory and Oracle Internet Directory replication server to Oracle Internet Directory
As shown in Figure 12-1, a variety of components and communication paths may be configured for SSL. The following lists references to the instructions for each:
Communication between the Oracle Internet Directory Replication server and the Oracle Internet Directory server: Oracle Application Server High Availability Guide, section titled "Secure Sockets Layer (SSL) and Oracle Internet Directory Replication"
Communication between Oracle Directory Integration and Provisioning and the Oracle Internet Directory server: Oracle Identity Management Integration Guide, chapter titled "Oracle Directory Integration and Provisioning Server Administration"
The OC4J_SECURITY instance to the Metadata Repository database and Oracle Internet Directory to the Metadata Repository database
If Oracle Internet Directory is configured to accept SSL connections on its SSL port, you need only specify the SSL protocol and the SSL port in the LDAP-naming JDBC URL that the application uses to look up its database connect descriptor in the directory, as follows:
ldaps://host:sslport/...
Note that when you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap. A URL that still reads ldap://host:nonsslport/... works only while the directory accepts non-SSL connections (dual mode) and sends the directory bind in the clear.
If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, you must modify the configuration. See Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory."
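The following script is an added example for this chapter, not Oracle code. It ties together the two checks above: reading the directory's SSL mode (the Note at the start of the chapter) and verifying that the LDAP-naming JDBC URLs point at ldaps:// on the SSL port. Assumptions not stated on the page: the mode is taken from the orclsslenable attribute of cn=configset0,cn=osdldapd,cn=subconfigsubentry (0 = non-SSL only, 1 = SSL only, 2 = dual mode), which is how I recall the Oracle Internet Directory Administrator's Guide describing the setting that oidadmin shows under SSL Settings, so confirm the attribute and values against your release; the LDIF text, host names and URLs are constructed for the example.

```python
"""Audit LDAP-naming JDBC URLs against the Oracle Internet Directory SSL mode.

Added example, not Oracle's code. The attribute names and value meanings for
the directory SSL mode are an assumption (verify against the OID admin guide),
and every host, port and URL below is constructed for illustration.
"""
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed stand-in for the output of an ldapsearch of the server configset
# (base: cn=configset0,cn=osdldapd,cn=subconfigsubentry). Hypothetical values.
SAMPLE_CONFIGSET_LDIF = """\
dn: cn=configset0,cn=osdldapd,cn=subconfigsubentry
orclsslenable: 2
orclsslport: 636
orclnonsslport: 389
"""

MODE_NAMES = {0: "non-SSL only", 1: "SSL only", 2: "dual mode"}


def parse_configset(ldif):
    """Return (mode, ssl_port, non_ssl_port) from the configset LDIF text."""
    attrs = {}
    for line in ldif.splitlines():
        m = re.match(r"^(orclsslenable|orclsslport|orclnonsslport):\s*(\d+)\s*$", line, re.I)
        if m:
            attrs[m.group(1).lower()] = int(m.group(2))
    if "orclsslenable" not in attrs:
        raise ValueError("orclsslenable not present in configset")
    return attrs["orclsslenable"], attrs.get("orclsslport"), attrs.get("orclnonsslport")


def parse_jdbc_ldap_url(url):
    """Split 'jdbc:oracle:thin:@ldap[s]://host:port/dbname,cn=OracleContext,...'
    into (scheme, host, port, path). Other JDBC URL forms raise ValueError."""
    m = re.match(r"^jdbc:oracle:thin:@(ldaps?://.+)$", url)
    if not m:
        raise ValueError("not an LDAP-naming JDBC URL: " + url)
    parts = urlsplit(m.group(1))
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname or parts.port is None:
        raise ValueError("malformed LDAP URL: " + url)
    return parts.scheme, parts.hostname, parts.port, parts.path


def to_ssl(url, ssl_port):
    """Rewrite a JDBC URL so the directory lookup uses ldaps:// on the SSL port."""
    scheme, host, port, path = parse_jdbc_ldap_url(url)
    return "jdbc:oracle:thin:@ldaps://%s:%d%s" % (host, ssl_port, path)


def audit(urls, mode, ssl_port, non_ssl_port):
    """Classify each URL as 'ok', 'insecure' (accepted, but the directory bind
    travels in the clear) or 'broken' (the directory will not accept it in its
    current mode, or the port does not match the configured listener)."""
    findings = []
    for url in urls:
        scheme, host, port, path = parse_jdbc_ldap_url(url)
        if scheme == "ldaps":
            verdict = "ok" if mode in (1, 2) and port == ssl_port else "broken"
        elif mode == 1 or port != non_ssl_port:
            verdict = "broken"      # SSL-only directory refuses non-SSL connections
        else:
            verdict = "insecure"    # dual / non-SSL mode accepts it unencrypted
        findings.append((url, verdict))
    return findings


def probe_ssl_port(host, port, timeout=5.0):
    """Confirm that the port actually speaks TLS: returns the negotiated protocol
    version, or None if the handshake fails. Certificate verification is off
    because the question here is only whether SSL is enabled on the port; a real
    client must verify against the wallet or trust store it is deployed with.
    (Very old directory builds may offer only protocol versions modern OpenSSL
    rejects, which also shows up as None.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:
        return None


if __name__ == "__main__":
    mode, ssl_port, non_ssl_port = parse_configset(SAMPLE_CONFIGSET_LDIF)
    print("directory mode:", MODE_NAMES.get(mode, "unknown"))
    urls = [  # constructed, hypothetical URLs
        "jdbc:oracle:thin:@ldap://oid.example.com:389/orcl,cn=OracleContext,dc=example,dc=com",
        "jdbc:oracle:thin:@ldaps://oid.example.com:636/orcl,cn=OracleContext,dc=example,dc=com",
    ]
    for url, verdict in audit(urls, mode, ssl_port, non_ssl_port):
        print(verdict.ljust(9), url)
        if verdict != "ok":
            print("  fix:", to_ssl(url, ssl_port))
    # Live check of the SSL listener; only meaningful on a network with the directory.
    print("TLS on", ssl_port, "->", probe_ssl_port("oid.example.com", ssl_port))
```

Run it against the real configset output (replace SAMPLE_CONFIGSET_LDIF with the result of an ldapsearch of the configset entry) and the JDBC URLs collected from the application data sources; any "broken" verdict means the directory must be reconfigured as described in "Secure Sockets Layer (SSL) and the Directory" before the application can connect, and any "insecure" verdict is a plain ldap:// lookup that should be moved to ldaps://.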
Figure 12-1 Oracle Identity Management Components and SSL Connection Paths
The Oracle Application Server Security Guide discusses security concepts in detail and provides recommendations for configuring security in various configurations. The "Recommended Deployment Topologies" chapter presents sample architectures. After you have identified the components on which you need to enable SSL, use the instructions in this chapter and Chapter 13, "Enabling SSL in the Middle Tier" to configure the components.
Configuring SSL in OracleAS Single Sign-On and Oracle Delegated Administration Services is typical in the recommended deployment topologies (as described in Section 12.3.1, "Configuring SSL for OracleAS Single Sign-On and Oracle Delegated Administration Services"). Configuring SSL in all Infrastructure communication paths is described in Section 12.1, "SSL Communication Paths in the Infrastructure".
This section provides references to the component guides in the Oracle Application Server documentation library that provide instructions for configuring SSL in individual components.
Follow the instructions in the Oracle Application Server Single Sign-On Administrator's Guide to configure SSL communication between:
The browser and the OracleAS Single Sign-On server (section titled "Enable SSL on the Single Sign-On Middle Tier")
The OracleAS Single Sign-On server and the Oracle Internet Directory server (section titled "Configuring SSL Between the Single Sign-On Server and Oracle Internet Directory")
Oracle Delegated Administration Services is SSL-enabled after you configure the Oracle HTTP Server for SSL (as described in "Enable SSL on the Single Sign-On Middle Tier"). The Oracle Delegated Administration Services communication to Oracle Internet Directory is always SSL-enabled; you do not have to perform any configuration tasks to accomplish this.
Instructions for configuring SSL communication in Oracle Internet Directory are provided in the following:
Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory"
Oracle Internet Directory Administrator's Guide, section titled "Configuring SSL Parameters"
Oracle Internet Directory Administrator's Guide, section titled "Limitations of the Use of SSL in 10g (10.1.2)"
As shown in Figure 12-1, a variety of components and communication paths may be configured for SSL. The following lists references to the instructions for each:
Communication between the Oracle Internet Directory Replication server and the Oracle Internet Directory server: Oracle Application Server High Availability Guide, section titled "Secure Sockets Layer (SSL) and Oracle Internet Directory Replication"
Communication between Oracle Directory Integration and Provisioning and the Oracle Internet Directory server: Oracle Identity Management Integration Guide, chapter titled "Oracle Directory Integration and Provisioning Server Administration"
Follow the instructions in the Oracle Application Server Single Sign-On Administrator's Guide, section titled "Reconfigure the Identity Management Infrastructure Database" to configure SSL communication to the Identity Management database.
This section provides references to SSL configuration information for mod_oc4j and OC4J.
To configure the AJP communication over SSL, you must configure mod_oc4j's communication with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL between mod_oc4j and OC4J."
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
If Oracle Internet Directory is configured to accept SSL connections on its SSL port, you need only specify the SSL protocol and the SSL port in the LDAP-naming JDBC URL that the application uses to look up its database connect descriptor in the directory, as follows:
ldaps://host:sslport/...
Note that when you are using a secure connection, you must add an "s" to the name of the protocol (for example, use ldaps instead of ldap).
If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, you must modify the configuration. See Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory."
Oracle Application Server Certificate Authority is SSL-enabled by default, so there are no configuration tasks associated with this component.
Tip:
OracleAS Certificate Authority simplifies the task of certificate provisioning for Oracle Identity Management users (certificates are automatically provisioned to SSO-authenticated users). To enable certificate-based authentication using OCA with OracleAS Single Sign-On, see the Oracle Application Server Certificate Authority Administrator's Guide. To enable certificate-based authentication to OracleAS Single Sign-On, see the Oracle Application Server Single Sign-On Administrator's Guide.
Oracle Enterprise Manager 10g comprises two components, each of which can be configured for SSL communication: Grid Control Console and Application Server Control Console.
Follow the steps in the section titled "Configuring Security (SSL and HTTPS) for Grid Control" in the Oracle Enterprise Manager Advanced Configuration Guide.
The communication paths of interest in the SSL configuration of Application Server Control Console are shown in Figure 12-2, and are labeled https.
Figure 12-2 SSL Connection Paths in Oracle Enterprise Manager 10g
To secure the communications between the Web browser and the Application Server Control Console, and between the Application Server Control Console and the Oracle Application Server components, refer to Section A.3, "Configuring Security for the Application Server Control Console".