Networking and Authentication Guide

     Previous  Next    Open TOC in new window  Open Index in new window  View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Network Security

This chapter provides an overview of security options for an Oracle WebCenter deployment.

The purpose of this chapter is assist in developing a security plan and should not be considered a replacement for the services of qualified security professionals. Oracle does not advocate the use of any specific security configuration. Oracle does provide professional consulting services to assist in securing an Oracle WebCenter deployment. To engage Oracle professional services, contact your Oracle representative.

This chapter discusses the following topics:

 

Security Architecture

This section describes Oracle WebCenter component architecture from a network security perspective. This includes how various components communicate with each other and which components need to be exposed to the end consumer.

Component Communication

With the exception of the database and Search, all requests from the Oracle WebCenter Interaction portal component are made using HTTP 1.1. This provides the following security advantages:

Communication between the Oracle WebCenter components can be further secured by:

Oracle WebCenter and the DMZ

A basic security architecture that limits external exposure to Oracle WebCenter products and other back-end systems is illustrated in Figure 2-1.

Figure 2-1 Basic Security Architecture

Basic Security Architecture

In this configuration, only the Oracle WebCenter Interaction portal component and Image Service are placed within the DMZ. The Oracle WebCenter Interaction portal component and Image Service should be the only Oracle WebCenter components installed in the DMZ. When the Portal is separate from other Oracle WebCenter components, persistent data in the search and database components and back-end tasks in the automation service are isolated from the external network.

The Portal gateways requests to all other Oracle WebCenter components and back-end services, communicating with HTTP 1.1 across the firewall and into the internal network. The server housing the Oracle WebCenter Interaction portal should be hardened by a security professional, as it receives direct user requests. All communication should be SSL-encrypted.

To avoid traffic across the firewall between non-portal Oracle WebCenter components and the Image Service, another Image Service can be placed within the internal network.

Note: This is one potential network topology. For topologies involving software and hardware load balancing, see Load Balancing.

 

SSL

Configuring Oracle WebCenter to use SSL is a relatively complex procedure that requires knowledge of SSL and CA certificates. This section provides an overview of the procedure. For more details, see the Administrator Guide for Oracle WebCenter Interaction.

In the general case, the Oracle WebCenter Interaction portal Image Service would be secured with SSL, while another, unsecured Image Service would reside in the internal network for other Oracle WebCenter components. In this case Oracle WebCenter applications such as Oracle WebCenter Collaboration, Oracle-BEA AquaLogic Interaction Publisher, Oracle-BEA AquaLogic Interaction Studio, and Oracle-BEA AquaLogic Interaction Workflow would use the unsecured Image Service and would only need to be configured for SSL communication with the portal.

The following sections explain how to configure the various Oracle WebCenter components for SSL:

  1. Security Modes
  2. Configuring Oracle WebCenter for SSL
  3. Importing CA Certificates
  4. Configuring Oracle WebCenter Applications to Use a Secure Portal or Image Service

Security Modes

After Oracle WebCenter components are installed, the security mode for the portal can be set. The security mode specifies how SSL is incorporated into your Oracle WebCenter deployment. Security mode options are described in the following table:

Security Mode
Description
0
Portal pages remain in whatever security mode—http or https—that the user initially uses to access the portal. For example, if a user accesses the portal via http, all the portal pages will remain http; if a user accesses the portal via https, all the portal pages will remain https. This is the default setting.

Note: This mode is not recommended for production deployments or deployments that are exposed to the external network.
1
Certain portal pages are always secured via SSL and other pages are not. For example, the login page might always be secured but a directory browsing page might not. The page types that are secured are configurable.

Note: This mode is not generally recommended.
2
All portal pages are always secured via SSL.
Use this mode if there is no SSL accelerator. In this mode, the Web server should provide an SSL endpoint.

Note: Configuring the SSL endpoint directly on a Tomcat application server is not recommended. A Web server should be used in front of the application server, and the SSL certificate should be installed on the Web server.
3
The portal uses an SSL accelerator.
This is the most common configuration for production deployments. As with Security Mode 2, users are not connecting to the application server directly, so the front-end application server and the channel between the accelerator and the application sever must be secured.

For detailed information on configuring these settings, see the Administrator Guide for Oracle WebCenter Interaction.

Configuring Oracle WebCenter for SSL

Use the following steps to configure Oracle WebCenter for SSL:

  1. Configure SSL on Web servers or SSL accelerators that front-end the Oracle WebCenter Interaction portal and Image Service components. Refer to your Web server or SSL accelerator documentation for instructions on configuring SSL and creating, signing, and installing an SSL certificate.
  2. Configure the Portal component:
    1. PT_HOME/settings/config/portalconfig.xml.
    2. Ensure that HTTPSecurePort and HTTPPort are set to the ports you want to use.
    3. Change ApplicationURL0 from * to

      4. http://host_name:port/portal/server.pt

      Note: The port number is not necessary for .NET deployments.
    4. Change SecureApplicationURL0 from * to

      5. https://host_name:port/portal/server.pt

      Note: The port number is not necessary for .NET deployments.
    5. If multiple URL mappings are configured, ensure that these entries are updated as in c and d. Refer to the comments in the configuration file for more information on URL mapping.
    6. Change SecurityMode from 0 to 1, 2, or 3.
    7. Change ImageServerSecureBaseURL from http to https. Ensure that the Image Service port is correct.
  3. If the Image Service is secured with SSL, set ImageServerConnectionURL to the secure URL. The CA certificate used by the Image Service must be imported into the Portal application server. For details, see Importing CA Certificates.

    4. If any portlets or remote servers use JSControls or Adaptive Portlets, the image service CA certificate must be imported into their runtimes as well. The JSControls libraries are embedded in server and IDK products, but are identified by XML stored on the Image Service.

  4. If any remote server — including portlet servers, authentication sources, profile sources, or content services — is secured with SSL, import the remote server CA certificate into the Portal application server. For details, see Importing CA Certificates.
  5. Configure Oracle WebCenter Collaboration, Oracle-BEA AquaLogic Interaction Publisher, Oracle-BEA AquaLogic Interaction Studio, and Oracle-BEA AquaLogic Interaction Workflow to use the SSL-secured Portal and Image Service. For details, see Configuring Oracle WebCenter Applications to Use a Secure Portal or Image Service.

Importing CA Certificates

For each application server that makes requests to an SSL-secured service, the CA certificate from the secured service must be imported. The following two sections detail the process for importing CA certificates into a Java Application Server or IIS and .NET.

Importing CA Certificates Into a Java Application Server or Standalone Oracle WebCenter Product

For Java application servers the CA certificate is imported into the cacerts keystore.

To import the CA certificate:

  1. On the computer that makes requests to an SSL secured service, open a command prompt.
  2. Copy the CA certificate to this computer.
    3. Note: The CA certificate is in the CA of the secured service. Save the .der encoded certificate as a .cer file.
  3. Import the certificate using keytool. For example:

    4. keytool -v -import -trustcacerts -alias CA_alias -file CA_certificate_path -keystore CA_keystore_path

    where

    • CA_alias is the alias for the CA. For example, verisign or the server hostname.
    • CA_certificate_path is the path and filename of the .cer file to be imported.
    • CA_keystore_path is the path to the cacerts keystore. The cacerts keystore is typically located under the home of the JVM being run by the application server, JVM_HOME/lib/security/cacerts.
  4. When prompted, enter the password for the cacerts keystore. The default password is changeme.

Importing CA Certificates into IIS and .NET

For IIS and .NET, the CA certificate is imported into the MMC.

  1. On the computer that makes requests to an SSL secured service, open a command prompt.
  2. Copy the CA certificate to this computer.
    3. Note: The CA certificate is in the CA of the secured service. Save the .der encoded certificate as a .cer file.
  3. Run MMC from the command line,

    4. > mmc

  4. Click Console | Add/Remove Snap-in.
  5. Click Add.
  6. Click Certificates.
  7. Click Computer Account and then click Next.
  8. Click local computer and then click Finish.
  9. Close the Add Standalone Snap-in dialog box.
  10. Close the Add/Remove Snap-in dialog box by clicking OK.
  11. In the MMC tree, expand to Console Root | Certificates | Trusted Root Certificate Authorities | Certificates.
  12. Right click Certificates and select All Tasks | Import. Click Next.
  13. Select the CA certificate to import. Click Next.
  14. Choose to place all certificates in the Trusted Root Certification Authorities store.
  15. Click Next and then click Finish.
  16. Restart IIS.

Configuring Oracle WebCenter Applications to Use a Secure Portal or Image Service

This section describes how to configure Oracle WebCenter Collaboration, Oracle-BEA AquaLogic Interaction Publisher, Oracle-BEA AquaLogic Interaction Studio, and Oracle-BEA AquaLogic Interaction Workflow to use a secure Portal or Image Service.

Configuring Oracle WebCenter Collaboration to Use a Secure Portal or Image Service

Oracle WebCenter Collaboration does not require any changes to function in security modes 1 or 2, as it uses the Portal's Image Service settings. A certificate is not required.

If you are using Security Mode 3, import the certificate of the CA that signed the Image Service and/or Portal certificate into Oracle WebCenter Collaboration. For details, see Importing CA Certificates.

However, if the host/port of the normal Image Service URL used by browsing users is not accessible from Oracle WebCenter Collaboration (for example, the Image Service is on a different machine than Oracle WebCenter Collaboration), you must change the jscontrols component that Oracle WebCenter Collaboration uses. This problem generates error messages that are displayed in the Calendar portlets. To avoid these errors:

  1. Open the Oracle WebCenter Collaboration config.xml configuration file, located in PT_HOME/ptcollab/version/settings/config.
  2. In the following line, set the URL to the value of ImageServerConnectionURL set in the portal portalconfig.xml configuration file.
    3. <jscontrols>
    <imageServerConnectionURL>[URL]</imageServerConnectionURL>

Configuring Oracle-BEA AquaLogic Interaction Publisher to Use a Secure Portal or Image Service

  1. If the Image Service is secured with SSL:
    1. Open the Oracle-BEA AquaLogic Interaction Publisher content.properties configuration file, located in PT_HOME/ptcs/version/settings/config.
    2. Change the following Image Service entries:
    • For Security Modes 1 or 2, find and replace all occurrences of http://machine_name/imageserver with https://machine_name/
      imageserver      , where machine_name is the name of the computer hosting Oracle-BEA AquaLogic Interaction Publisher.
    • For Security Mode 3, change the following entries:
      • CommunityImagePublishBrowserLocation=https://machine_name/imageserver/plumtree/portal/templates
      CommunityImagePreviewBrowserLocation=https://machine_name/imageserver/plumtree/portal/templates/preview
      CommunityStyleSheetListURL=http://machine_name/imageserver/plumtree/common/public/css/community-themes.txt
      JSComponents.AlternateImageServerUrl=http://machine_name/imageserver
      Note: Some of the above entries are HTTP and some are HTTPS. Ensure that the port is correct for each.
  2. Import the CA certificate from the Image Service and Portal into Oracle-BEA AquaLogic Interaction Publisher. For details, see Importing CA Certificates.
  3. Restart Oracle-BEA AquaLogic Interaction Publisher.

Configuring Oracle-BEA AquaLogic Interaction Studio to Use a Secure Portal or Image Service

Import the CA certificate from the Image Service and Portal into Oracle-BEA AquaLogic Interaction Studio. For details, see Importing CA Certificates.

Configuring Oracle-BEA AquaLogic Interaction Workflow to Use a Secure Portal or Image Service

  1. If you changed the AlternateImageServerURL in the content.properties file, perform the following steps so that Oracle-BEA AquaLogic Interaction Publisher can communicate the alternate Image Service URL to Oracle-BEA AquaLogic Interaction Workflow:
    1. Restart Oracle-BEA AquaLogic Interaction Publisher. This writes the URL to Oracle-BEA AquaLogic Interaction Workflow.
    2. After Oracle-BEA AquaLogic Interaction Publisher has restarted, restart Oracle-BEA AquaLogic Interaction Workflow. This forces the Oracle-BEA AquaLogic Interaction Workflow Web application to re-query Oracle-BEA AquaLogic Interaction Publisher for the alternate Image Service URL.
  2. Import the CA certificate from the Image Service and Portal into Oracle-BEA AquaLogic Interaction Workflow. For details, see Importing CA Certificates.

  Back to Top       Previous  Next