Oracle® Application Server Administrator's Guide 10g Release 3 (10.1.3.2.0) Part Number B32196-01
This chapter provides instructions for enabling SSL in Oracle Application Server middle-tier installations.
Note: In this chapter, references to any of the following Oracle Application Server products are applicable for Release 10.1.4, Release 2 (10.1.2) or earlier software only:
OracleAS Single Sign-On
OracleAS Web Cache
Oracle Internet Directory
The following topics are covered:
This section identifies all SSL communication paths used in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
The following are communication paths through the Oracle Application Server middle tier, and their related SSL configuration instructions:
External Clients or Load Balancer to Oracle HTTP Server
To configure the Oracle HTTP Server for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
External Clients or Load Balancer to OracleAS Web Cache
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
OracleAS Web Cache to Oracle HTTP Server
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
Oracle HTTP Server to OC4J Applications (AJP)
To configure the AJP communication over SSL, you must configure mod_oc4j's communication with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Configuring mod_oc4j to Use SSL."
Oracle HTTP Server to iaspt and then to OC4J
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
OC4J (the JAAS provider) to Oracle Internet Directory
To configure the provider, follow the instructions in the Oracle Containers for J2EE Security Guide. To configure the provider for SSL, set the SSL_ONLY_FLAG to true.
OC4J to the database (ASO)
If Oracle Internet Directory is configured to accept SSL connections on the SSL port specified, you need only specify the SSL protocol and SSL port in the JDBC URL requesting an application, as follows:
ldaps://host.sslport/...
Note that when you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap.
If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, you must modify the configuration. See Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory."
ORMI (Oracle Remote Method Invocation, a custom wire protocol) over SSL
To configure this connection path for SSL, refer to the Oracle Containers for J2EE Security Guide.
SSL into standalone OC4J (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J." It explains how to use SSL to secure communication between clients and an OC4J instance.
OracleAS Portal Parallel Page Engine (the servlet in the OC4J_PORTAL instance) to OracleAS Web Cache (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J."
The Oracle Application Server Security Guide discusses security concepts in detail and provides recommendations for configuring security in various configurations. The "Recommended Deployment Topologies" chapter presents sample architectures for installation types. After you have identified the components on which you need to enable SSL, use the instructions in this chapter and Chapter 12, "Enabling SSL in the Infrastructure" to configure the components.
This section identifies some commonly used SSL configurations in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
OracleAS Web Cache is part of Oracle Application Server middle-tier installations. To configure it for SSL, follow the instructions in the chapter "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
Oracle HTTP Server is part of all Oracle Application Server middle-tier installations. To configure it for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
To configure SSL connections to OC4J clients, follow the instructions in the Oracle Containers for J2EE Security Guide, section titled "Oracle HTTPS for Client Connections."
To configure the AJP communication over SSL, you must configure mod_oc4j's communication with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL between mod_oc4j and OC4J."
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
ORMI over SSL is not supported. To configure similar functionality, you can configure ORMI over HTTP, and then configure HTTP for SSL.
See the Oracle Containers for J2EE Services Guide, section titled "Configuring ORMI Tunnelling Through HTTP" for instructions on how to configure ORMI/HTTP.
To configure the provider, follow the instructions in the Oracle Application Server Enterprise Deployment Guide, section titled "Configuring Application Authentication and Authorization." To configure the provider for SSL, set the SSL_ONLY_FLAG to true.
The Oracle Containers for J2EE Security Guide, section titled "Enabling SSL in OC4J" explains how to configure Oracle HTTP Server for SSL.
The Oracle Containers for J2EE Security Guide, section titled "Enabling SSL in OC4J" explains how to use SSL to secure communication between clients and an OC4J instance.
Depending on your security needs and the configuration of the Oracle Application Server J2EE and Web Cache installation, you may implement secure communication in one or more of the installed components. Configuring the first listener (whether it is OracleAS Web Cache or the Oracle HTTP Server) may be sufficient.
To configure the Oracle HTTP Server for SSL, follow the steps in "Enabling SSL for Oracle HTTP Server" in the Oracle HTTP Server Administrator's Guide.
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
The Oracle Content Database for Oracle WebCenter Suite Administrator's Guide, section titled "SSL Configuration for Oracle Content DB," explains how to enable SSL for Oracle Content DB.
You can use virtual hosts to deploy multiple Web sites on a single Oracle HTTP Server (for example, to make an application available over the HTTP protocol and the HTTPS protocol).
The Oracle Application Server Single Sign-On Administrator's Guide, section titled "Configuring mod_osso with Virtual Hosts" contains instructions on configuring an SSL virtual host to be protected by mod_osso. You cannot use name-based virtual hosting. You must use IP-based or port-based virtual hosting.
The scenario presented assumes that the following conditions are in effect:
The host name of the application middle tier is app.mydomain.com (replace this name with the host name of your application middle tier).
The middle tier is already configured as a non-SSL partner application (this is typically done during installation).
The default SSL port number of the application middle tier is 4443.
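As an added illustration, not taken from this guide or from the Single Sign-On guide it references, the following shows the shape of a port-based SSL virtual host for the scenario above (app.mydomain.com on port 4443) in Oracle HTTP Server's Apache-style configuration, with the SSL listener protected by mod_osso. The selection of this host is by port, which is why name-based virtual hosting is ruled out: the server must pick the certificate before any Host header has been read. The wallet path, the osso configuration file name and the protected location are placeholders; the osso configuration file for the SSL listener comes from registering it as a partner application, which is done separately as described in the Single Sign-On guide.

```apache
# Added example: port-based SSL virtual host for the scenario in this section.
# The listener is chosen by port (no NameVirtualHost directive is involved).
Listen 4443

<VirtualHost _default_:4443>
    ServerName app.mydomain.com
    Port 4443

    # SSL termination for this listener; the wallet path is a placeholder.
    SSLEngine on
    SSLWallet file:/PLACEHOLDER_ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default
    SSLVerifyClient none

    # mod_osso protection scoped to this virtual host. The configuration
    # file is the one produced when the SSL listener was registered as a
    # partner application (placeholder name).
    <IfModule mod_osso.c>
        OssoConfigFile /PLACEHOLDER_ORACLE_HOME/Apache/Apache/conf/osso/osso-https.conf
        OssoIpCheck off

        # Placeholder location; every request under it requires an SSO session.
        <Location /protected-app>
            AuthType Basic
            Require valid-user
        </Location>
    </IfModule>
</VirtualHost>
```

Two virtual hosts on the same IP address that differ only in ServerName would share one listener and one certificate, so a second SSL site needs its own port or its own IP address.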
See Section 12.3.7, "Configuring SSL for Oracle Enterprise Manager 10g".