Oracle® Beehive Installation Guide Release 1 (1.5) for Solaris Operating System (SPARC 64-Bit) Part Number E14832-05
This module describes various ways to configure Oracle Beehive with SSL. It covers the following topics:
Notes:
Refer to "Configuring Oracle Beekeeper for SSL Access" to configure SSL for Oracle Beekeeper. If you do not want to use SSL with your Oracle Beehive deployment, follow the steps described in "Installing Non-SSL Oracle Beehive Site".
If you have a load balancer that supports SSL termination or offloading, you may offload SSL processing to your load balancer so that your Oracle Beehive instances do not have to decrypt SSL-encrypted data, thereby reducing the load on your Oracle Beehive instances. Refer to "Configuring SSL Termination at Load Balancer" in "Installing Oracle Beehive in High Availability Environment" for more information.
After following the steps described in this module, ensure the following for all your application tiers:
A properly configured Oracle wallet resides in <Oracle home>/Apache/Apache/conf/ssl.wlt/default for each application tier.
For each Oracle Beehive instance, the property WalletDir is set to the properly configured Oracle wallet. In addition, the property WalletDir refers to the same location for each application tier.
Each Oracle Beehive instance's wallet contains a valid certificate.
The file <Oracle home of DMZ instance>/beehive/conf/bti.properties is configured properly for each Oracle Beehive DMZ instance.
The file <Oracle home>/opmn/conf/opmn.xml is configured properly for each application tier.
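One way to check the opmn.xml item of this list across tiers, as an added example that is not part of this guide: a Python script that reads each tier's opmn.xml, extracts the OPMN notification-server SSL flag and wallet path, and reports tiers whose SSL flag is off or whose wallet path differs from the others. It assumes the standard OPMN layout in which <notification-server> contains an <ssl enabled="..." wallet-file="..."/> element; the sample documents, tier names and wallet path below are constructed.

```python
"""Audit OPMN SSL settings across Oracle Beehive application tiers.

Added example, not from the Oracle Beehive guide. It assumes the standard
OPMN layout in which <notification-server> holds an
<ssl enabled="..." wallet-file="..."/> element. All sample documents, tier
names and paths below are CONSTRUCTED for illustration.
"""
import os
import xml.etree.ElementTree as ET


def opmn_ssl_settings(opmn_xml):
    """Return (enabled, wallet_file) from one opmn.xml document given as a string.

    Returns (None, None) when the document has no <ssl> under <notification-server>.
    """
    root = ET.fromstring(opmn_xml)
    # "{*}" matches any XML namespace (Python 3.8+), so the default OPMN
    # namespace on the root element does not have to be spelled out.
    ssl = root.find(".//{*}notification-server/{*}ssl")
    if ssl is None:
        return None, None
    enabled = ssl.get("enabled", "").strip().lower() == "true"
    return enabled, ssl.get("wallet-file")


def audit_tiers(opmn_by_tier, expect_ssl=True):
    """Compare every tier's opmn.xml against the post-SSL checklist.

    Checks: an <ssl> element exists, its enabled flag matches expect_ssl, an
    SSL-enabled tier names a wallet-file, and all tiers point at the same
    wallet directory (paths are normalised so a trailing slash is not a
    difference). Returns a sorted list of findings; an empty list means pass.
    """
    findings = []
    wallets = {}
    for tier, doc in opmn_by_tier.items():
        enabled, wallet = opmn_ssl_settings(doc)
        if enabled is None:
            findings.append(f"{tier}: no <ssl> element under <notification-server>")
            continue
        if enabled != expect_ssl:
            findings.append(f"{tier}: ssl enabled={enabled}, expected {expect_ssl}")
        if expect_ssl and not wallet:
            findings.append(f"{tier}: ssl enabled but no wallet-file configured")
        if wallet:
            wallets[tier] = os.path.normpath(wallet)
    if len(set(wallets.values())) > 1:
        listing = ", ".join(f"{t}={w}" for t, w in sorted(wallets.items()))
        findings.append(f"wallet-file differs across tiers: {listing}")
    return sorted(findings)


# --- constructed sample input (hypothetical paths and tier names) -----------

WALLET = "/u01/app/oracle/beehive/opmn/conf/ssl.wlt/default"   # constructed path


def _opmn_doc(enabled, wallet):
    """Build a minimal constructed opmn.xml document for one tier."""
    return f"""<opmn xmlns="http://www.oracle.com/ias-instance">
  <notification-server>
    <port local="6100" remote="6200"/>
    <ssl enabled="{enabled}" wallet-file="{wallet}"/>
  </notification-server>
</opmn>"""


SAMPLE_TIERS = {
    "app1": _opmn_doc("true", WALLET),
    "app2": _opmn_doc("true", WALLET + "/"),   # same directory, trailing slash
    "app3": _opmn_doc("false", WALLET),        # SSL left disabled on one tier
}

if __name__ == "__main__":
    for finding in audit_tiers(SAMPLE_TIERS) or ["all tiers pass"]:
        print(finding)
```

Feed audit_tiers a mapping from tier name to the text of that tier's opmn.xml; for a deliberately non-SSL site, call it with expect_ssl=False so that an SSL-enabled tier is the finding instead.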
This section covers the following procedures:
Configuring SSL with Self-Signed Certificates During Installation of Oracle Beehive
Configuring SSL with Self-Signed Certificates After Installation of Oracle Beehive
The following steps describe how to configure SSL with test certificates during or after the installation of one or more Oracle Beehive instances:
Install your first Oracle Beehive instance, if you have not already done so.
By default, an Oracle wallet with test certificates for OPMN is created in Oracle Beehive. This Oracle wallet is located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default.
Copy the contents of <Oracle Beehive home>/opmn/conf/ssl.wlt/default to the <Database home>/opmn/conf/ssl.wlt/default directory. This will overwrite the Oracle wallet files in this directory.
If you are using Oracle RAC, copy the contents of <Oracle Beehive home>/opmn/conf/ssl.wlt/default to the <Database home>/opmn/conf/ssl.wlt/default directory on each Oracle RAC node.
Configure TLS on your first Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".
Perform the post-install steps for configuring Oracle RAC except step 7 (Register for ONS Notification). Refer to "Post-Install Steps" in "Configuring and Installing Oracle Beehive for Oracle RAC".
Configure the virtual server of your Oracle Beehive instance with a load balancer. Refer to "Configuring High Availability Environment with Load Balancer" in "Installing Oracle Beehive in High Availability Environment".
If you have more than one Oracle Beehive instance, configure TLS on all your other Oracle Beehive instances. Refer to "Configuring TLS on Multiple Instances" in "Configuring TLS with Oracle Wallet".
Enable ORMIS on all your Oracle Beehive instances. Refer to "Enabling ORMIS with Password-Protected Oracle Wallet" in "Configuring TLS with Oracle Wallet".
Enable AJPS on all your Oracle Beehive instances. Refer to "Enabling AJPS".
Note:
After configuring SSL with test (self-signed) certificates for an Oracle Beehive environment with multiple instances, you may receive an alert message similar to the following: You have received an invalid certificate.... Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.
In this scenario, create a self-signed certificate for each Oracle Beehive instance with a unique serial number. If you are using OpenSSL to create self-signed certificates, use the -set_serial option:
openssl x509 -req -in certreq.csr -CA cacert.crt -CAkey cakey.pem -CAcreateserial -set_serial 01 -days 365 > server.crt
For more information about creating self-signed certificates with OpenSSL (and then importing them into Oracle Wallet), refer to "Creating Self-Signed Certificate and Importing it into Wallet".
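The serial-number collision described in this note can be caught before clients see it. The following Python script is an added example, not part of this guide: it reads the serialNumber field straight out of each certificate's DER encoding (no third-party library needed) and reports any serial that more than one instance's certificate uses. The instance names and sample certificates are constructed; the fixture builder produces only the Certificate/tbsCertificate prefix that the check needs, not valid certificates.

```python
"""Check that per-instance certificates do not share a serial number.

Added example, not part of the Oracle Beehive guide. The serial is read
directly from the DER structure Certificate -> tbsCertificate ->
[0] version (optional) -> serialNumber, so no third-party library is needed.
Sample certificates below are CONSTRUCTED fixtures, not real certificates.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def pem_to_der(text):
    """Return the DER bytes inside a PEM CERTIFICATE block."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_serial(cert):
    """Return the serialNumber of a certificate given as DER bytes or PEM text."""
    der = pem_to_der(cert) if isinstance(cert, str) else bytes(cert)
    tag, pos, _ = _read_tlv(der, 0)                    # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)                  # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("missing serialNumber INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)


def find_duplicate_serials(certs_by_instance):
    """Return {serial: [instances...]} for every serial used by more than one instance."""
    seen = {}
    for instance, cert in certs_by_instance.items():
        seen.setdefault(certificate_serial(cert), []).append(instance)
    return {serial: names for serial, names in seen.items() if len(names) > 1}


# --- constructed fixtures (hypothetical data for this example only) ---------

def _der(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _integer(n):
    """DER INTEGER (two's-complement, minimal length for non-negative n)."""
    return _der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def make_fixture_cert(serial, with_version=True):
    """Build only the Certificate/tbsCertificate prefix up to serialNumber.

    This is NOT a valid certificate; it is just enough structure for the check.
    """
    tbs = _der(0xA0, _integer(2)) if with_version else b""   # [0] version v3
    tbs += _integer(serial)
    return _der(0x30, _der(0x30, tbs))


def to_pem(der):
    """Wrap DER bytes in PEM armour, 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: two instances were issued certificates with the same
# serial (1), which is what triggers the alert quoted in the guide's note.
SAMPLE_CERTS = {
    "beehive-app1": make_fixture_cert(1),
    "beehive-app2": to_pem(make_fixture_cert(1)),
    "beehive-app3": make_fixture_cert(2),
}

if __name__ == "__main__":
    for serial, names in find_duplicate_serials(SAMPLE_CERTS).items():
        print(f"serial {serial} reused by: {', '.join(names)}")
```

Run it against the user certificate exported from each instance's wallet (PEM or DER); any non-empty result names the instances whose certificate must be reissued with a different -set_serial value.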
The following steps describe how to configure SSL with self-signed certificates during the installation of one or more Oracle Beehive instances:
Remove all test certificates using Oracle Wallet Manager from the wallet you created for Oracle Database in Step 1, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.
For the wallet of Oracle Database you created in Step 1, create a self-signed server certificate for each Oracle RAC node using a root certificate (from a certificate authority). Import these self-signed server certificates as well as the root certificate to the wallet for Oracle Database. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".
Install your first Oracle Beehive instance.
Configure TLS on your first Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".
Remove the test certificates using Oracle Wallet Manager from the wallets in Oracle Beehive. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate. These wallets should be located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default and <Oracle Beehive home>/Apache/Apache/conf/ssl.wlt/default.
For the wallet located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default, create a self-signed server certificate for the Oracle Beehive server using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".
Repeat this step for the wallet located in <Oracle Beehive home>/Apache/Apache/conf/ssl.wlt/default.
Perform the post-install steps for configuring Oracle RAC except Step 7 (Register for ONS Notification).
Configure the virtual server of each Oracle Beehive instance with a load balancer. Refer to "Configuring High Availability Environment with Load Balancer" in "Installing Oracle Beehive in High Availability Environment".
Install an additional Oracle Beehive instance (software only install). In the following steps, this instance will be referred to as the second instance.
Replace the orapki and Oracle Wallet Manager (owm) binaries of the second instance with those from the first instance. Create new wallets located in <Oracle Beehive new instance home>/opmn/conf/ssl.wlt/default and <Oracle Beehive new instance home>/Apache/Apache/conf/ssl.wlt/default. Refer to "Configuring TLS with Oracle Wallet".
Remove test certificates using Oracle Wallet Manager from the wallets in <Oracle Beehive new instance home>/opmn/conf/ssl.wlt/default and <Oracle Beehive new instance home>/Apache/Apache/conf/ssl.wlt/default, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.
Repeat Step 8 for the second instance.
Run the Config Wizard for the second instance and complete the configuration.
Configure TLS on all Oracle Beehive instances.
If you want to install another Oracle Beehive instance, repeat Steps 11 to 15.
Enable ORMIS on all Oracle Beehive instances. Refer to "Enabling ORMIS with Password-Protected Oracle Wallet" in "Configuring TLS with Oracle Wallet".
Enable AJPS on all Oracle Beehive instances. Refer to "Enabling AJPS".
The following steps describe how to configure SSL with self-signed certificates after the installation of one or more Oracle Beehive instances:
Remove all test certificates using Oracle Wallet Manager from the wallet you created for Oracle Database in Step 1, if any. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate.
For the wallet of Oracle Database you created in Step 1, create a self-signed server certificate for each Oracle RAC node using a root certificate (from a certificate authority). Import these self-signed server certificates as well as the root certificate to the wallet for Oracle Database. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".
Choose one of your Oracle Beehive instances on which to perform Steps 4 to 7 (you will repeat these steps on your other instances later). Configure TLS on the Oracle Beehive instance. Refer to "Configuring TLS with Oracle Wallet".
Remove the test certificates from the wallets of the Oracle Beehive instance. The order of removal should be (1) user certificate, (2) certificate request, and (3) trusted certificate. These wallets should be located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default and <Oracle Beehive home>/Apache/Apache/conf/ssl.wlt/default.
For the wallet located in <Oracle Beehive home>/opmn/conf/ssl.wlt/default, create a self-signed server certificate for Oracle Beehive using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. Refer to "Creating Self-Signed Certificate and Importing it into Wallet".
Repeat this step for the wallet located in <Oracle Beehive home>/Apache/Apache/conf/ssl.wlt/default.
If you have multiple Oracle Beehive instances, repeat Steps 4 to 7 for each of your instances.
Enable ORMIS on all Oracle Beehive instances. Refer to "Enabling ORMIS with Password-Protected Oracle Wallet" in "Configuring TLS with Oracle Wallet".
Enable AJPS on all Oracle Beehive instances. Refer to "Enabling AJPS".
This section covers the following procedures:
Configuring SSL with Test Certificates After Installation of DMZ Instances
Configuring SSL with Self-Signed Certificates After Installation of DMZ Instances
The following steps describe how to configure SSL with test certificates during the installation of one or more Oracle Beehive instances:
Install your DMZ instance.
Configure Oracle Wallet for the DMZ instance. For more information, refer to "Step A: Configuring Oracle Wallet with Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances". This step involves creating an Oracle Wallet for your DMZ instance and editing the file <Oracle home of DMZ instance>/opmn/conf/opmn.xml so that it refers to the new Oracle Wallet.
Follow the steps described in "Step B: Configuring Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances".
Configure the virtual server of your Oracle Beehive DMZ instances with a load balancer. For more information, refer to "Configuring High Availability Environment with DMZ Instances and Load Balancer" in "Installing Oracle Beehive in High Availability Environment".
The following steps describe how to configure SSL with self-signed certificates after the installation of one or more Oracle Beehive DMZ instances:
Install your DMZ instance.
Configure Oracle Wallet for the DMZ instance. For more information, refer to "Step A: Configuring Oracle Wallet with Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances". This step involves creating an Oracle Wallet for your DMZ instance and editing the file <Oracle home of DMZ instance>/opmn/conf/opmn.xml so that it refers to the new Oracle Wallet.
For the wallet located in <Oracle Beehive DMZ home>/opmn/conf/ssl.wlt/default, create a self-signed server certificate for the Oracle Beehive DMZ instance using a root certificate (from a certificate authority). Import this self-signed server certificate as well as the root certificate to this wallet. For more information, refer to "Creating Self-Signed Certificate and Importing it into Wallet".
Repeat this step for the wallet located in <Oracle Beehive DMZ home>/Apache/Apache/conf/ssl.wlt/default.
Follow the steps described in "Step B: Configuring Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances".
Configure the virtual server of your Oracle Beehive DMZ instances with a load balancer. For more information, refer to "Configuring High Availability Environment with DMZ Instances and Load Balancer" in "Installing Oracle Beehive in High Availability Environment".
This section covers the following procedures related to configuring SSL:
The following steps create a self-signed server certificate and import it into an Oracle Wallet. You may also create a certificate signed by a certificate authority (CA) and import that into an Oracle Wallet. Refer to "Creating CA-Signed Certificate and Importing it into Wallet" for more information.
You will be performing these steps for the wallet you created in the following procedures:
"Configuring TLS with Oracle Wallet" (which creates a wallet for Oracle Beehive)
"Step A: Configuring Oracle Wallet with Oracle Beehive DMZ Instances" (which creates a wallet for an Oracle Beehive DMZ instance)
Create your own certificate authority. This step uses OpenSSL. For more information about OpenSSL, refer to http://www.openssl.org/.
On Linux and other UNIX-based operating systems, the command openssl is typically located in /usr/bin.
openssl req -new -x509 -keyout cakey.pem -out cacert.crt -days 365
This command generates two files named cakey.pem and cacert.crt.
Create and export a certificate request with Oracle Wallet Manager:
Run Oracle Wallet Manager, <Oracle Beehive home>/bin/owm. (Use <Database home>/bin/owm instead if you have not installed any Oracle Beehive instances.)
Open the wallet (to which you want to add the certificate).
Create a certificate request. Click the Operations tab. Click Add Certificate Request. Fill out the form. The Common Name should be the name of the server for which you are creating the certificate (such as the name of the Oracle RAC node). Click OK.
Save the wallet.
Click the Operations tab. Click Export Certificate Request. Enter the path and file name of the certificate request. These steps assume that the name of this file is certreq.csr. (Keep Oracle Wallet Manager open; you will use it in Step 4.)
From a command prompt, generate a server certificate with the following command:
openssl x509 -req -in certreq.csr -CA cacert.crt -CAkey cakey.pem -CAcreateserial -days 365 > server.crt
This command generates two files, cacert.crt and server.crt (which is the server certificate).
In Oracle Wallet Manager, click the Operations tab. Click Import Trusted Certificate. Select the file cacert.crt. Click OK.
Click Import User Certificate. Select the file server.crt. Click OK.
Repeat Steps 2 to 5 (except Step 1; you can use the same cakey.pem and cacert.crt files for other servers) for each server for which you want to create a certificate. (In particular, you would repeat these steps for each Oracle RAC node.)
Alternatively, you may use Oracle Wallet to create a self-signed certificate.
Add a self-signed certificate to the wallet with the following command:
orapki wallet add -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ -dn CN=user -keysize 2048 -self_signed -validity 365
CN=user is the distinguished name of an arbitrary user who will be the certificate owner.
Alternatively, you may create a certificate signed by a certificate authority (CA), and import that into the Oracle Beehive wallet:
Add a certificate request to the Oracle Beehive wallet:
orapki wallet add -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ -dn CN=user -keysize 2048 -validity 365
The directory <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ is the Oracle Beehive default wallet directory. CN=user is the distinguished name of an arbitrary user who will be the certificate owner.
Export the certificate request to a file:
orapki wallet export -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ -dn CN=user -request certificate_request.txt
The file certificate_request.txt is the exported certificate request.
With your certificate authority (CA) and your certificate request (certificate_request.txt), create a signed user certificate. In addition, export the trusted certificate from your CA. These steps use the file user_certificate.txt as the signed user certificate and the file trusted_certificate.txt as the trusted certificate exported from your CA.
You may use Oracle Wallet as a CA for testing purposes by following these steps.
Create an auto-login wallet to act as a certificate authority. These steps assume that this wallet is stored in /private/ca_wallet. Create a signed certificate from the request for test purposes:
orapki cert create -wallet /private/ca_wallet -request certificate_request.txt -cert user_certificate.txt -validity 365
The file user_certificate.txt is the signed user certificate.
Export the trusted certificate from the CA wallet:
orapki wallet export -wallet /private/ca_wallet -dn CN=ca_user -cert trusted_certificate.txt
The file trusted_certificate.txt is the exported (test) trusted certificate from the CA wallet.
Add the trusted certificate from the CA to the Oracle Beehive wallet:
orapki wallet add -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ -trusted_cert -cert trusted_certificate.txt
Add the user certificate to the Oracle Beehive wallet:
orapki wallet add -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ -user_cert user_certificate.txt
The following steps describe how to install a non-SSL Oracle Beehive site in which none of its tiers communicate using SSL:
Note:
Because Oracle Beehive DMZ instances have SSL enabled by default, the following steps will not work for DMZ instances unless you configure them to receive non-SSL notifications as described in "Step B: Configuring Oracle Beehive DMZ Instances" in "Configuring Oracle Beehive Demilitarized Zone Instances".
Install your first Oracle Beehive application tier. Note that this application tier, by default, will have SSL disabled for Oracle Notification Service (ONS), which is used by OPMN of this application tier to communicate with other OPMNs in the site. In the next step, you will disable SSL (if necessary).
Ensure that the value of NotificationServerSslEnabled in the _current_site:OpmnCluster component in the first Oracle Beehive application tier is false:
beectl list_properties --component _current_site:OpmnCluster --name NotificationServerSslEnabled
If NotificationServerSslEnabled is true, then set it to false:
beectl modify_property --component _current_site:OpmnCluster --name NotificationServerSslEnabled --value false --activate_configuration
In the first Oracle Beehive application tier, set the value of HttpServerSslEnabled in the _current_site:HttpServerCluster component to false, then run beectl modify_local_configuration_files:
beectl modify_property --component _current_site:HttpServerCluster --name HttpServerSslEnabled --value false --activate_configuration
beectl modify_local_configuration_files
Install any additional Oracle Beehive application tiers. You do not need to perform any additional steps for these application tiers.