Oracle® Beehive Installation Guide Release 2 (2.0.1.8) for Oracle Solaris on SPARC (64-Bit) Part Number E16643-07
This chapter describes how to configure Transport Layer Security (TLS) with Oracle Wallet.
A wallet is a password-protected container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates, all of which are used by SSL for strong authentication.
Oracle Wallet provides a TLS encrypted communication channel that some services support or require, such as XMPP and FTPS. The following steps configure Oracle Beehive to use Oracle Wallet so that clients may access Oracle Beehive with a TLS connection.
Refer to the section "Changing Oracle Wallet Password" to change the password of your Oracle Wallet.
Refer to the section "Configuring TLS on Multiple Instances" if you have more than one Oracle Beehive instance.
Refer to the section "Enabling ORMIS with Password-Protected Oracle Wallet" if you want to enable Oracle Remote Method Invocation over SSL.
Ensure that the environment variable ORACLE_HOME is set to the home directory of Oracle Beehive.
Enable auto login mode for the default wallet with the following command. The default password for the default wallet is welcome:
<Oracle home>/bin/orapki wallet create -wallet <Oracle home>/Apache/Apache/conf/ssl.wlt/default/ -auto_login -pwd welcome
Because this default password is published, change it once TLS is working; refer to "Changing Oracle Wallet Password". Auto login mode writes a cwallet.sso file that opens the wallet without a password, so the wallet directory must be readable only by the operating system user that runs Oracle Beehive.
Note:
Alternatively, you may create a new wallet with auto login mode enabled. Use the same command except specify a different directory that does not contain a wallet. You may specify any password when creating a new wallet.
The following steps describe how to configure your Oracle Beehive instance to use Oracle Wallet.
Run the following beectl command:
beectl modify_property --component beehive_instance_<instance>.<host name> --name WalletDir --value <Oracle home>/Apache/Apache/conf/ssl.wlt/default
<instance> is the instance name you specified when you installed Oracle Beehive. To retrieve the full instance name, run the command beectl list_components --type BeehiveInstance.
<Oracle home>/Apache/Apache/conf/ssl.wlt/default is the location of the auto login wallet you configured or created previously.
Activate the configuration and restart by running the following beectl command:
beectl activate_configuration
Note:
If the beectl activate_configuration command asks you to run the beectl modify_local_configuration_files command, run this command.
The beectl modify_local_configuration_files command will ask you to run this command on all your other instances. Do not run it on your other instances at this time. For each instance, you must perform steps 1 and 2 before running the beectl modify_local_configuration_files command.
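Before pointing WalletDir at a directory, it is worth checking that the directory really is an auto login wallet and that nothing but the Oracle Beehive owner can read it, since the cwallet.sso written by -auto_login opens the wallet without any password. The script below is an added example, not part of the Oracle Beehive guide; the file names cwallet.sso and ewallet.p12 are the standard Oracle Wallet file names, and the owner name "oracle" in the usage line is an assumption.

```shell
#!/bin/sh
# Added example; not part of the Oracle Beehive guide.
# Sanity-check an Oracle Wallet directory before pointing WalletDir at it.
#
# "orapki wallet create ... -auto_login" writes cwallet.sso next to the
# password-protected ewallet.p12. cwallet.sso opens the wallet without a
# password, so anyone who can read it can use the server's private key:
# file ownership and mode are the only protection. The expected owner and
# directory layout are assumptions for this example.

# check_wallet_dir DIR [OWNER]
#   Prints one line per finding. Returns 0 when DIR looks like a usable,
#   properly restricted auto login wallet, 1 otherwise.
check_wallet_dir() {
    dir=$1
    owner=${2:-$(id -un 2>/dev/null || id -u)}   # default: the user running the check
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    if [ ! -f "$dir/cwallet.sso" ]; then
        echo "FAIL: $dir has no cwallet.sso (wallet is not in auto login mode)"
        rc=1
    fi
    if [ ! -f "$dir/ewallet.p12" ]; then
        echo "FAIL: $dir has no ewallet.p12 (not an Oracle Wallet directory)"
        rc=1
    fi

    # The directory and both wallet files must carry no group/other permission
    # bits (e.g. 700 on the directory, 600 on the files) and belong to OWNER.
    # Parsing "ls -ld" keeps this portable across Solaris, Linux and BSD,
    # whose stat(1) options differ.
    for f in "$dir" "$dir/cwallet.sso" "$dir/ewallet.p12"; do
        [ -e "$f" ] || continue
        line=$(ls -ld "$f")
        grp_oth=$(printf '%s\n' "$line" | cut -c5-10)   # rwxrwx of group+other
        case $grp_oth in
            ------) ;;
            *) echo "FAIL: $f is group/other accessible (${line%% *})"; rc=1 ;;
        esac
        f_owner=$(printf '%s\n' "$line" | awk '{print $3}')
        if [ "$f_owner" != "$owner" ]; then
            echo "FAIL: $f is owned by $f_owner, expected $owner"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: $dir is a restricted auto login wallet"
    return "$rc"
}

# Example invocation (assumes the Oracle Beehive software owner is "oracle"):
#   check_wallet_dir "$ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default" oracle
```

Run it as the Oracle Beehive owner, or pass that account as the second argument when running as root; a setgid bit or ACL marker on the directory also shows up in the mode string and is reported as a finding, which is the intended behaviour for a directory that holds a private key.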
If you created a wallet as part of TLS configuration, it will contain test certificates. These certificates are valid for a very short period of time and will expire quickly. Once they expire, when a user tries to access HTTPS, that user will receive an error similar to one of the following:
You have received an invalid certificate.
The security certificate presented by this Website has expired or is not yet valid.
The connection is untrusted.
Consequently, you must replace these test certificates with self-signed or CA-signed certificates. Refer to the sections "Creating Self-Signed Certificate and Importing it into Wallet" and "Creating CA-Signed Certificate and Importing it into Wallet" in "Configuring SSL" for more information.
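To catch the expiry before users do, check how long the certificate an instance presents remains valid, and repeat the check after the test certificates have been replaced. The script below is an added example and not part of the Oracle Beehive guide; it relies on the openssl command line tool, and the host name and 30-day window in the usage line are placeholders.

```shell
#!/bin/sh
# Added example; not part of the Oracle Beehive guide.
# Report whether a certificate is still valid for a given window, so the
# short-lived test certificates in a freshly created wallet are replaced
# before users see "certificate has expired" in their browsers.
# Needs the openssl(1) command line tool; host names below are placeholders.

# cert_valid_for PEMFILE SECONDS
#   Returns 0 if the certificate in PEMFILE is still valid SECONDS from now,
#   1 if it has already expired or will expire within that window,
#   2 if PEMFILE is not a readable X.509 certificate.
cert_valid_for() {
    pem=$1
    window=$2
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    # -checkend exits non-zero when notAfter falls within the next SECONDS
    if openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# cert_summary PEMFILE
#   Prints subject, issuer and validity period, which is what you compare
#   against the wallet contents when deciding what to replace.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# server_cert_valid_for HOST PORT SECONDS [STARTTLS_PROTO]
#   Fetches the leaf certificate a TLS endpoint presents and applies
#   cert_valid_for to it. For services that negotiate TLS after connecting
#   (explicit FTPS, XMPP) pass the openssl s_client -starttls protocol name,
#   for example "ftp" or "xmpp"; for HTTPS omit it.
server_cert_valid_for() {
    host=$1; port=$2; window=$3; proto=$4
    tmp=$(mktemp)
    if [ -n "$proto" ]; then
        set -- -starttls "$proto"
    else
        set --
    fi
    # s_client prints the server's certificate chain; x509 keeps the first
    # (leaf) certificate as PEM.
    if ! openssl s_client -connect "$host:$port" -servername "$host" "$@" \
            </dev/null 2>/dev/null | openssl x509 -outform PEM >"$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "could not fetch a certificate from $host:$port" >&2
        return 2
    fi
    cert_summary "$tmp"
    cert_valid_for "$tmp" "$window"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Example: warn if the HTTPS certificate expires within 30 days.
#   server_cert_valid_for beehive.example.com 443 $((30 * 86400)) \
#       || echo "replace the certificate in the wallet now"
```

The check looks only at the validity period, which is the failure described above; it does not verify the chain, so a certificate that passes here can still be rejected by clients if the issuer is not trusted. Schedule it from cron with a window at least as long as your certificate renewal lead time.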
Note:
After replacing these certificates with self-signed or CA-signed certificates, restart Oracle Beehive.
Follow these steps to change the Oracle Wallet password:
Specify the wallet's new password in Oracle Beehive by running the following beectl commands:
beectl modify_property --component beehive_instance_<instance>.<host name> --name WalletDir --value <Oracle home>/Apache/Apache/conf/ssl.wlt/default
beectl modify_local_configuration_files
<instance> is the instance name you specified when you installed Oracle Beehive. To retrieve the full instance name, run the command beectl list_components --type BeehiveInstance.
--value is the directory location of the wallet.
To obfuscate a password, use the beectl obfuscate command:
beectl obfuscate --expiration_time_in_minutes 0
Enter value for password:
Successfully obfuscated the string.
Set the wallet password:
beectl modify_secure_property --component beehive_instance_<instance>.<host name> --name WalletPassword --value <password>
The password is passed on the command line, so it appears in your shell history and, while the command runs, in process listings; remove it from the history afterwards.
Change the password to the one you specified in the previous step in Oracle Wallet Manager, <Oracle home>/bin/owm. Refer to "Changing the Password" in Chapter 11, "Managing Wallets and Certificates" in Oracle Application Server Administrator's Guide for more information.
Activate the configuration and commit changes:
beectl activate_configuration
beectl modify_local_configuration_files
For each instance, run all the steps required to configure TLS with Oracle Wallet.
Oracle Remote Method Invocation over Secure Socket Layer (ORMIS) is ORMI over SSL. For more information about ORMIS, refer to "Using ORMI/SSL (ORMIS) in OC4J" in Chapter 6, "Using Remote Method Invocation" in Oracle Containers for J2EE Services Guide.
By default, Oracle Beehive is ORMIS enabled using an anonymous cipher suite. An anonymous cipher suite encrypts the connection but does not authenticate the server, so it gives no protection against an active attacker on the network path; use a password-protected wallet with a server certificate where that matters.
This section covers the following topics:
Modify the property _CURRENT_SITE:ManagedOc4jCluster:OrmisEnabled to false:
beectl modify_property --component _CURRENT_SITE:ManagedOc4jCluster --name OrmisEnabled --value false
Activate the configuration:
beectl activate_configuration
Run the command beectl modify_local_configuration_files. This command may restart your application tier:
beectl modify_local_configuration_files
Modify the property _CURRENT_SITE:ManagedOc4jCluster:OrmisEnabled to true:
beectl modify_property --component _CURRENT_SITE:ManagedOc4jCluster --name OrmisEnabled --value true
Activate the configuration:
beectl activate_configuration
Run the command beectl modify_local_configuration_files. This command may restart your application tier:
beectl modify_local_configuration_files
Create a wallet as described in this module.
Modify the property _CURRENT_SITE:ManagedOc4jCluster:OrmisEnabled to true:
beectl modify_property --component _CURRENT_SITE:ManagedOc4jCluster --name OrmisEnabled --value true
Modify the property WalletDir of your Oracle Beehive instance to the path of the Oracle Wallet directory you just created with the following beectl commands:
beectl list_components --type BeehiveInstance
-------------------------------------------------------
| Component type | Component identifier |
-------------------------------------------------------
| BeehiveInstance | beehive_instance_example.com |
...
beectl modify_property --component beehive_instance_example.com --name WalletDir --value <Your wallet directory>
Successfully stored the property for component id 09386579-b66c-41d7-96e6-88f44673ec55.
Set the wallet password:
beectl modify_secure_property --component <Component ID or alias of your Oracle Beehive instance; for example, the previous step used beehive_instance_example.com> --name WalletPassword --value <password>
Activate the configuration:
beectl activate_configuration
Run the command beectl modify_local_configuration_files. This command may restart your application tier:
beectl modify_local_configuration_files