SSM Installation and Configuration Guide


Installing SSMs

This section provides step-by-step instructions for installing and enrolling Security Service Modules (SSMs) and for performing some additional post-installation tasks.

The following topics are described:

 


Installation Requirements

The ALES Security Service Modules require certain software components to operate properly.

System Requirements

Table 3-1 lists the system requirements for machines on which SSMs are installed.

Table 3-1 System Requirements

SSM (supported product versions) | Windows 2000, 2003¹ | Solaris 8, 9, 10 | RHAS² 3.0, 4.0 | Suse³ 9.2, 10.0 | AIX⁴ 5.3
Web Service: MS .NET 1.1 and 2.0⁵; WebLogic Workshop 9.0, 10.0; Studio 3.0 | Yes | Yes | Yes | Yes | Yes
BEA WebLogic Platform: WLS/P 8.1 SP5, SP6; WLS/P⁶ 9.2 MP2, 10.0 MP1; WLI 9.2 MP2 | Yes | Yes | Yes | Yes | No
BEA AquaLogic Products: ALDSP 2.5, 3.0⁷; ALSB 2.6, 3.0⁸; ALBPM 6.0 | Yes | Yes | Yes | Yes | No
IBM WebSphere: WebSphere App Server 6.1 | Yes | Yes | Yes | Yes | Yes
Java: Sun JVM 1.4.2, 5.0, 6.0; JRockit 1.4.2, 5.0, 6.0; IBM JDK 1.4.2, 5.0, 6.0 | Yes | Yes | Yes | Yes | Yes
Web Servers: Apache | Yes | Yes | Yes | Yes | No
Web Servers: IIS Web Server | Yes | No | No | No | No

¹ Windows 2000 SP4 and higher, Windows 2003 R2 and higher.

² RedHat Advanced Server.

³ Suse Linux is supported on both 32-bit and 64-bit hardware.

⁴ AIX SSM support will be delivered post-GA as a CP to ALES 3.0.

⁵ .NET Web Services client on Windows 2000 and 2003 only.

⁶ Works with WLS configured to use either the Sun JVM or the JRockit JVM that ship with the 9.x or 10.x version of the server. JRockit JVM supported on Intel hardware only.

⁷ ALDSP 2.5 running on WLS 8.1.x, ALDSP 3.0 running on WLS 10.0 MP1.

⁸ ALSB 2.6 running on WLS 9.2, ALSB 3.0 running on WLS 9.2 MP1 and WLS 10.0 MP1.

Other Requirements

 


Installation Topology

Although it is possible to install the ALES Administration Server and SSMs on the same system, this is not recommended in a production environment. This document assumes that SSMs and the Administration Server are being installed on separate machines.

 


SSM Upgrades

ALES 3.0 includes a utility to upgrade from ALES 2.2 and 2.6. To perform an upgrade, follow this procedure:

  1. Upgrade the Administration Server before upgrading any SSMs. SSMs can continue to run while the Administration Server is being upgraded.
  2. Make sure you have read and delete permission for the ALES files. You must be logged in as a member of the group used when the earlier ALES version was installed.
  3. If using an SCM on the SSM machine, shut it down.
  4. Run the installation program, as described in Installation Steps.
  5. When the SSM installer runs, it detects the earlier version and reuses its configuration information. Respond to the prompts as required.

 


Installation Steps

To install an SSM:

  1. Shut down any running programs.
  2. Locate and launch the installation program. This varies by operating system, as shown in Table 3-2.

Table 3-2 SSM Installation Programs

Windows
    Launch ales300ssm_win.exe
    Note: To generate a verbose installation log, add the following to the launch command:
        -log=<logfile> -log_priority=debug
    Example:
        ales300ssm_win32.exe -log=D:\logs\ales_install.log -log_priority=debug

Solaris
    1. Change the protection on the install file by entering: chmod u+x ales300ssm_solaris32.bin
    2. Enter: ales300ssm_solaris32.bin
    Note: To generate a verbose installation log, add the following to the launch command:
        -log=<logfile> -log_priority=debug
    Example:
        ales300ssm_solaris32.bin -log=/opt/logs/ales_install.log -log_priority=debug

Linux
    1. Change the protection on the install file by entering: chmod u+x ales300ssm_rhas_IA32.bin
    2. Enter: ales300ssm_rhas_IA32.bin
    Note: To generate a verbose installation log, use the same command string as described for Solaris.

  3. Complete the prompts using Table 3-3.

Table 3-3 SSM Installation Prompts

Window / Action

Welcome
    Click Next.
BEA License Agreement
    Select Yes and then click Next.
Choose BEA Home Directory
    Accept the default location (recommended) or specify a different one and click Next.
Choose Components
    Select the SSMs to install and click Next. Only installable components are listed. For example, if installing on WebLogic Server 9.2, the SSM for WebLogic 8.1 is not listed.
Choose Product Installation Directories
    Accept the default or specify a different directory and click Next. If the directory you specify does not exist, the installation program will create it.
    If you have installed other ALES products, you will see Installation Complete. Otherwise, continue.
Centralized Configuration of Security Providers
    Accept the default checkbox selection to use an SCM for distributing configuration data to the SSM, or clear the checkbox to not use an SCM. For more information, see Running an SSM Without an SCM.
    Note: This window does not appear when installing only the WLS SSM.
Choose Service Control Manager Directory
    Accept the default directory where the SCM will be installed or specify a different one. Then click Next.
Choose Network Interface
    Select the IP address the SCM will use to listen for requests to provision configuration data and click Next.
Configure SCM
    SCM Logical Name — (Applicable only if using an SCM) Enter a name to assign the SCM. This name must be used as described in Define a SCM in the ALES Database.
    SCM Port — (Applicable only if using an SCM) Accept the default or specify a different port used by the SCM to receive data from the Administration Server. The port cannot be used by any other server.
    Primary Server URL — Enter the Administration Server address in the format: https://servername:7010.
    Backup Server URL — Leave blank unless you have a second Administration Server installed, in which case enter its address using the same URL format.
Choose Java JDK for the SSM
    Accept the default selection or specify a different JDK and click Next.
Choose Java JDK for the SCM
    Accept the default selection or specify a different JDK and click Next.

  4. On the Installation Complete window, click Close.

 


Enrollment

Note: This section does not apply to the Web Server SSM, which uses a different enrollment tool, as described in Configuring the Web Server SSM.

Enrollment is the process by which an ALES component on a remote machine registers with the Administration Server. As part of this process, the SSM system exchanges security certificates with the ALES Administration Server.

All ALES components located under a BEA_HOME directory use the same set of keys, located in BEA_HOME/ales30-shared/keys. Therefore, the enrollment process needs to be run only once for any given BEA_HOME.

There are two enrollment modes:

Certificates

Some certificates issued by CA authorities do not strictly comply with Certicom’s Internet X.509 Public Key Infrastructure standard. To use these certificates, you must disable constraints extension checking by adding the following lines to enroll.bat|sh and unenroll.bat|sh located in the BEA_HOME/ales30-shared/bin directory.

    # Use the JDK's cacerts file as the trusted CA keystore; its location depends
    # on whether JAVA_HOME points at a JDK or at a JRE.
    if [ -f "$JAVA_HOME/lib/security/cacerts" ]; then
        JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/lib/security/cacerts -Dlog4j.configuration=file:./log4j.properties"
    else
        JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/jre/lib/security/cacerts -Dlog4j.configuration=file:./log4j.properties"
    fi

    # Demo mode trusts the bundled DemoTrust.jks and turns hostname verification off.
    if [ "$1" = "demo" ]; then
        JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.enforceConstraints=false -Dwles.ssl.verifyHostnames=no -Dwles.ssl.trustedCAKeyStore=$ALES_SHARED_HOME/keys/DemoTrust.jks -Dlog4j.configuration=file:./log4j.properties"
    else
        :   # the non-demo branch continues here in the shipped script (not reproduced on this page)
    fi
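As an added example (not part of the ALES guide or of the scripts it ships), the following POSIX shell functions audit the JAVA_OPTIONS assignments in a copy of enroll.sh or unenroll.sh, add -Dwles.ssl.enforceConstraints=false wherever it is missing, and count the assignments that also set -Dwles.ssl.verifyHostnames=no, so that a disabled hostname check outside the demo branch is noticed before the script is used for a production enrollment. The sample script the functions operate on is constructed here as a stand-in for the real file; the file path is supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the ALES guide or its shipped scripts.
# Audits and patches the JAVA_OPTIONS assignments in an enroll.sh/unenroll.sh
# style script. The sample written by write_sample_enroll is constructed here
# as a stand-in for the real file; pass your own path to the other functions.

# Write a constructed stand-in for enroll.sh to the path in $1. The quoted
# heredoc keeps $JAVA_HOME and friends literal, as they are in the script.
write_sample_enroll() {
    cat > "$1" <<'EOF'
#!/bin/sh
if [ -f "$JAVA_HOME/lib/security/cacerts" ]; then
    JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/lib/security/cacerts"
else
    JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.verifyHostnames=yes -Dwles.ssl.trustedCAKeyStore=$JAVA_HOME/jre/lib/security/cacerts"
fi
if [ "$1" = "demo" ]; then
    JAVA_OPTIONS="-Dbea.home=$BEA_HOME -Dwles.ssl.verifyHostnames=no -Dwles.ssl.trustedCAKeyStore=$ALES_SHARED_HOME/keys/DemoTrust.jks"
fi
EOF
}

# Number of JAVA_OPTIONS assignments in $1 that still lack the constraints flag.
count_missing_constraints_flag() {
    awk '/JAVA_OPTIONS=/ && !/wles\.ssl\.enforceConstraints=false/ { n++ } END { print n + 0 }' "$1"
}

# Insert -Dwles.ssl.enforceConstraints=false right after -Dbea.home=$BEA_HOME in
# every JAVA_OPTIONS assignment that lacks it. Idempotent; the previous content
# is kept as $1.bak.
add_constraints_flag() {
    cp "$1" "$1.bak"
    sed -e '/JAVA_OPTIONS=/{' \
        -e '/wles\.ssl\.enforceConstraints=false/!s/-Dbea\.home=\$BEA_HOME/& -Dwles.ssl.enforceConstraints=false/' \
        -e '}' "$1.bak" > "$1"
}

# Number of JAVA_OPTIONS assignments in $1 that turn hostname verification off.
# Only the demo branch is expected to do this; any other hit deserves a look
# before the script is used for a production (non-demo) enrollment.
count_hostname_checks_disabled() {
    awk '/JAVA_OPTIONS=/ && /wles\.ssl\.verifyHostnames=no/ { n++ } END { print n + 0 }' "$1"
}

# Demonstration on the constructed sample.
demo() {
    sample="${TMPDIR:-/tmp}/enroll_sample.$$"
    write_sample_enroll "$sample"
    echo "before patch: $(count_missing_constraints_flag "$sample") assignment(s) without the flag"
    add_constraints_flag "$sample"
    echo "after patch:  $(count_missing_constraints_flag "$sample") assignment(s) without the flag"
    echo "hostname verification disabled in $(count_hostname_checks_disabled "$sample") assignment(s); expected 1 (demo branch)"
    rm -f "$sample" "$sample.bak"
}

demo
```

Running add_constraints_flag against the real enroll.sh and unenroll.sh in BEA_HOME/ales30-shared/bin produces the same assignments the guide lists above; the .bak copy lets the edit be reverted once the CA's certificates are replaced by compliant ones and constraint checking can be turned back on.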

Enrollment Steps

To run the enroll tool, perform the following steps:

  1. Make sure that the Administration Server is running and configured for 1-way SSL. For further details, see SSL for Production Environments.
  2. If the SSM is using an SCM, make sure the SCM is running.
  3. In the BEA_HOME/ales30-shared/bin directory, set the environment:
     set-env
  4. Run the following script:
     enroll demo
  5. When the Enrollment prompt appears, enter the Administration Server administrator username and password. (The defaults are system and weblogic respectively.)
  6. Enter and confirm the following passwords. You choose the passwords; they do not need to match the key passwords used when the Administration Server was installed.
     — Private key password — Protects the identity of the components being enrolled.
     — identity.jceks password — Protects the identity.jceks keystore.
     — peer.jks password — Protects the peer.jks keystore.
     — trust.jks password — Protects the trust.jks keystore.

For more information on enroll utility options, see Administrative Utilities in the ALES Administration Reference.

Example of Running Enroll

D:\bea\ales30-shared\bin>set-env
D:\bea\ales30-shared\bin>enroll secure
======================================================================
AquaLogic Enterprise Security Enrollment/Unenrollment Utility
======================================================================
Enter admin username :> system
Enter admin password :>
Enter SSM private key password :>
Confirm SSM private key password :>
Enter password for identity.jceks :>
Confirm password for identity.jceks :>
Enter password for peer.jks :>
Confirm password for peer.jks :>
Enter password for trust.jks :>
Confirm password for trust.jks :>
Submitting enrollment request
Processing enrollment response
Updating trusted CA keystore
Updating peer keystore

 


Define a SCM in the ALES Database

Use the Administration Console to define an SCM in the ALES database. When the ConfigTool sets up the initial security providers that will be used by the SSM to secure the application, this information will be maintained under this SCM.

Note: For step-by-step instructions on creating an SCM in the ALES database, see "Configuring a Service Control Manager" in the Administration Console’s help system.

If the SSM will run using an SCM, the name of the SCM must match the SCM Logical Name entered when the SSM was installed. Otherwise, the name can be of your choosing. For details, see Table 3-3, SSM Installation Prompts.

You must define the SCM even if the SSM does not use an SCM to obtain configuration data from the Administration Server. When this is the case, SCM will be the collection point for exporting configuration data to an XML file. For more information, see Running an SSM Without an SCM.

 


Run asipassword

Before configuring the SSM, you must use the asipassword utility to set the Administration Server's system user password on the SSM machine. This password is required to secure communications between the SSM and the Administration Server.

To run the tool:

  1. Change to the BEA_HOME\ales30-shared\bin directory and enter the following:
     asipassword system <BEA_HOME>\ales30-shared\keys\password.xml <BEA_HOME>\ales30-shared\keys\password.key

     Example:

     asipassword system c:\bea\ales30-shared\keys\password.xml c:\bea\ales30-shared\keys\password.key

  2. When prompted for the 'alias' password, enter the Administration Server's system user's password. (The default password is password.)

Notes:
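As an added example (not the guide's or the product's own tooling), the following shell functions check the BEA_HOME/ales30-shared/keys directory once enrollment and asipassword have run: they report which of identity.jceks, peer.jks, trust.jks, password.xml and password.key are missing, list any that are readable by group or others, and tighten the permissions to the owning account. It assumes these five files all live in that directory, as the enrollment and asipassword steps indicate; the directory path is passed by the caller, and the demonstration runs on a constructed temporary directory rather than a real installation.

```shell
#!/bin/sh
# Added example, not part of the ALES guide. Checks the enrollment and
# asipassword artefacts under BEA_HOME/ales30-shared/keys. Assumptions: the
# five file names below all live in that directory (as the guide's enrollment
# and asipassword steps indicate) and the caller passes the directory path.

# Print the expected key and password files that are absent from directory $1.
missing_key_files() {
    for name in identity.jceks peer.jks trust.jks password.xml password.key; do
        [ -f "$1/$name" ] || echo "$name"
    done
}

# Print the files in $1 that are readable by group or others. Keystores and
# the password files should be readable by the ALES service account only.
list_overexposed_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -exec basename {} \; | sort
}

# Restrict the directory and every file in it to the owning account.
restrict_key_perms() {
    chmod 700 "$1"
    chmod 600 "$1"/*
}

# Demonstration on a constructed directory (stand-in for ales30-shared/keys).
demo() {
    d="${TMPDIR:-/tmp}/ales_keys_sample.$$"
    mkdir -p "$d"
    for name in identity.jceks peer.jks trust.jks password.xml; do : > "$d/$name"; done
    chmod 644 "$d/identity.jceks"      # deliberately too permissive
    chmod 600 "$d/peer.jks" "$d/trust.jks" "$d/password.xml"
    echo "missing: $(missing_key_files "$d" | tr '\n' ' ')"
    echo "group/world readable before: $(list_overexposed_keys "$d" | tr '\n' ' ')"
    restrict_key_perms "$d"
    echo "group/world readable after: $(list_overexposed_keys "$d" | tr '\n' ' ')"
    rm -rf "$d"
}

demo
```

A missing password.key or password.xml usually means asipassword has not been run on this machine yet; a missing keystore means enrollment has not completed for this BEA_HOME.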

 


What’s Next?

After installation, create and configure SSM instances as described in the following chapters:

