Oracle® Traffic Director Administrator's Guide
11g Release 1 (11.1.1.7.0)
Part Number E21036-04

11.1 Securing Access to the Administration Server

The administration server instance of Oracle Traffic Director hosts the administration console and command-line interface. So it is important to secure access to the administration server.

User access to the administration server interfaces is controlled through password-based authentication.

SSL authentication of the Oracle Traffic Director administration server with clients as well as with administration nodes is enabled, by default, through the use of two self-signed certificates—Admin-Client-Cert and Admin-Server-Cert.

Note:

The CLI examples in this section are shown in shell mode (tadm>). For information about invoking the CLI shell, see Section 2.3.1, "Accessing the Command-Line Interface."

11.1.1 Changing the Administrator User Name and Password

You can change the administrator user name and password by using either the administration console or the CLI.

Changing the Administrator User Name and Password Using the Administration Console

To change the administrator user name and password by using the administration console, do the following:

  1. Log in to the administration console, as described in Section 2.3.2, "Accessing the Administration Console."

  2. Click the Nodes button that is situated near the upper left corner of the page.

    A list of available nodes is displayed.

  3. From the list of nodes, select Administration Server.

  4. In the navigation pane, select Authentication.

    The Authentication page is displayed.

  5. Specify the user name and password, and then click Save.

    Note:

    The user name can contain a maximum of 100 characters and must not contain spaces.

    A message is displayed in the Console Messages pane indicating that the updated settings are saved.

  6. Restart the administration server by clicking Restart in the Common Tasks pane.

Changing the Administrator User Name and Password Using the CLI

  • To change the administrator user name, run the set-admin-prop command.

    tadm> set-admin-prop admin-user=user_name
    OTD-70213 The administration server must be restarted for the changes to take effect.
    

    The user name can contain a maximum of 100 characters and must not contain spaces.

  • To change the password, do the following:

    1. Run one of the following commands:

      tadm> set-admin-prop --set-password
      

      or

      tadm> reset-admin-password
      

      The following prompt is displayed:

      Enter admin-password>
      
    2. Enter the new password.

      A prompt to re-enter the new password is displayed:

      Enter admin-password again>
      
    3. Re-enter the new password.

      The following message is displayed.

      OTD-70201 Command 'reset-admin-password' ran successfully.
      

For the new user name and password to take effect, you should restart the administration server as described in Section 2.4, "Stopping and Restarting the Administration Server."

For more information about the CLI commands mentioned in this section, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.

11.1.2 Configuring LDAP Authentication for the Administration Server

If you need more than one user to be able to log in to the administration server, you can store the user IDs and passwords in a directory server, and you can configure Oracle Traffic Director to access the directory server by using the Lightweight Directory Access Protocol (LDAP).

You can enable and configure LDAP authentication for the administration server by using either the administration console or the CLI.

Before You Begin

Before you start configuring Oracle Traffic Director to use LDAP authentication, keep the following information ready. This information is required for constructing the ldap(s)://host:port/baseDN URL that Oracle Traffic Director should use to access the LDAP directory server and for the directory server to search for the required user record.

  • The name of the host on which the directory server runs.

  • The port number at which the directory server listens for requests from LDAP clients.

  • The base Distinguished Name (DN), which is the location within the directory information tree at which the directory server should start searching for the required user record.

  • The bind DN, which is the user ID and password that Oracle Traffic Director provides to authenticate itself to the LDAP directory server.

    Note:

    If your directory server allows searches by anonymous clients, you need not specify the bind DN.

  • The user groups whose members can access the administration server.

    By default, the administration server allows only users belonging to the group wsadmin to log in. While enabling LDAP authentication, you can specify a list of groups other than wsadmin whose members can log in.

Configuring LDAP Authentication for the Administration Server Using the Administration Console

To configure LDAP authentication for the administration server by using the administration console, do the following:

  1. Log in to the administration console, as described in Section 2.3.2, "Accessing the Administration Console."

  2. Click the Nodes button that is situated near the upper left corner of the page.

    A list of available nodes is displayed.

  3. From the list of nodes, select Administration Server.

  4. In the navigation pane, select Authentication.

    The Authentication page is displayed.

  5. Select LDAP Authentication.

  6. Specify the mandatory parameters—host name, port, base DN, and allowed groups—and the optional parameters, as required.

    On-screen help and prompts are provided for all of the parameters.

    When you change the value in a field or tab out of a text field that you changed, the Save button near the upper right corner of the page is enabled.

    At any time, you can discard the changes by clicking the Reset button.

  7. After making the required changes, click Save.

    A message is displayed in the Console Messages pane indicating that the updated settings are saved.

  8. Restart the administration server by clicking Restart in the Common Tasks pane.

Configuring LDAP Authentication for the Administration Server Using the CLI

  • To enable LDAP authentication, run enable-admin-ldap-auth, as shown in the following example:

    tadm> enable-admin-ldap-auth
     --ldap-url=ldap://ldap.example.com:3950/dc=example,dc=com
     --bind-dn=cn="Directory Manager" --allow-groups=sys,adm,mgr
    OTD-70213 The administration server must be restarted for the changes to take effect.
    

    This command configures Oracle Traffic Director as an LDAP client for the directory server ldap.example.com:3950. Oracle Traffic Director authenticates itself to the directory server by using the bind DN cn="Directory Manager", and the directory server starts the search for the required user record at the base DN dc=example,dc=com.

  • To disable LDAP authentication, run disable-admin-ldap-auth, as shown in the following example:

    tadm> disable-admin-ldap-auth
    OTD-70213 The administration server must be restarted for the changes to take effect.
    
  • To view the currently configured LDAP authentication properties, run get-admin-ldap-auth-prop, as shown in the following example:

    tadm> get-admin-ldap-auth-prop
    enabled=true
    ldap-url="ldap://ldap.example.com:3950/dc=example,dc=com"
    search-filter=uid
    group-search-filter=uniquemember
    group-search-attr=CN
    timeout=10
    allow-group=sys,adm,mgr
    

For more information about the enable-admin-ldap-auth, disable-admin-ldap-auth, and get-admin-ldap-auth-prop CLI commands, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.
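The following script is an added example and is not part of Oracle Traffic Director or its documentation. It reads the key=value output that get-admin-ldap-auth-prop prints (the sample text is copied from the example above), splits the ldap(s)://host:port/baseDN URL into its parts, and reports the two settings an administrator should review before relying on LDAP authentication: an ldap:// URL, which sends the bind DN password and every user's login password to the directory server without TLS, and a missing bind DN, which means the administration server is relying on anonymous search. The bind DN is passed in separately because the get-admin-ldap-auth-prop output shown above does not include it. The function names, the finding codes and the hardened ldaps:// sample are assumptions made for this example.

```python
"""Review an Oracle Traffic Director administration server's LDAP
authentication settings from get-admin-ldap-auth-prop output.

Added example, not Oracle's code. Function names and finding codes
are assumptions; SAMPLE_OUTPUT is copied from the page, HARDENED_OUTPUT
is constructed.
"""
from urllib.parse import urlsplit, unquote

# Output of `tadm> get-admin-ldap-auth-prop` as shown on this page.
SAMPLE_OUTPUT = """\
enabled=true
ldap-url="ldap://ldap.example.com:3950/dc=example,dc=com"
search-filter=uid
group-search-filter=uniquemember
group-search-attr=CN
timeout=10
allow-group=sys,adm,mgr
"""

# Constructed variant of the same configuration using LDAP over TLS.
HARDENED_OUTPUT = SAMPLE_OUTPUT.replace(
    "ldap://ldap.example.com:3950", "ldaps://ldap.example.com:636")


def parse_ldap_auth_props(text):
    """Turn key=value lines into a dict, dropping the quotes around values."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')
    return props


def parse_ldap_url(url):
    """Split an ldap(s)://host:port/baseDN URL into scheme, host, port, base DN."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme in %r" % url)
    if not parts.hostname:
        raise ValueError("missing host in %r" % url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,
        # The path carries the base DN; unquote handles %-escaped DN characters.
        "base_dn": unquote(parts.path.lstrip("/")),
    }


def audit_ldap_auth(props, bind_dn=None):
    """Return a list of (code, message) findings for the configuration.

    bind_dn is supplied by the caller: it is set with --bind-dn on
    enable-admin-ldap-auth and is not shown by get-admin-ldap-auth-prop.
    """
    findings = []
    if props.get("enabled", "false").lower() != "true":
        findings.append(("DISABLED", "LDAP authentication is not enabled"))
        return findings

    url = parse_ldap_url(props["ldap-url"])
    if url["scheme"] == "ldap":
        findings.append(("NO_TLS", "ldap:// URL: the bind password and user "
                         "passwords are sent to %s:%s without TLS; prefer ldaps://"
                         % (url["host"], url["port"])))
    if not bind_dn:
        findings.append(("ANON_BIND", "no bind DN configured: the administration "
                         "server relies on anonymous search against the directory"))
    groups = [g for g in props.get("allow-group", "").split(",") if g]
    if not groups:
        findings.append(("NO_GROUPS", "no allowed groups: nobody can log in "
                         "through LDAP"))
    return findings


if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        props = parse_ldap_auth_props(text)
        print(label, parse_ldap_url(props["ldap-url"]))
        for code, message in audit_ldap_auth(props, bind_dn='cn="Directory Manager"'):
            print("  [%s] %s" % (code, message))
```

Run it as is to see the page's own configuration flagged for the plaintext ldap:// URL, and with bind_dn=None to see the anonymous-search finding as well; the constructed ldaps:// variant produces no findings.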

11.1.3 Enabling the Pin for the Administration Server's PKCS#11 Token

The administration server's self-signed certificates are stored in a Public-Key Cryptography Standards (PKCS) 11-compliant security database. Access to the certificates database is provided through a token named internal. To secure access to the administration server's certificates database, you can enable the pin for the internal token.

If you enable the pin for the internal PKCS#11 token in the administration server configuration, a prompt to enter the token pin is displayed when you perform the following tasks:

  • Start the administration server.

  • Renew the administration server certificates.

You can set, change, or disable the pin for the internal token by using either the administration console or the CLI.

Setting the PKCS#11 Token Pin for the Administration Server Using the Administration Console

To set the PKCS#11 token pin for the administration server by using the administration console, do the following:

  1. Log in to the administration console, as described in Section 2.3.2, "Accessing the Administration Console."

  2. Click the Nodes button that is situated near the upper left corner of the page.

    A list of the available nodes is displayed.

  3. Select the Administration Server node.

    The General Settings page is displayed.

  4. In the Token Pin Management section, select the Edit Token Pin check box.

    • To set the pin, enter the pin and confirm it in the New Pin and New Pin Again fields respectively.

    • To change the pin, enter the current pin in the Current Pin field. Then, enter the new pin and confirm it in the New Pin and New Pin Again fields respectively.

    • To disable pin protection for the token, select Unset Pin.

    When you change the value in a field or tab out of a text field that you changed, the Save button near the upper right corner of the page is enabled.

    At any time, you can discard the changes by clicking the Reset button.

  5. After making the required changes, click Save.

    A message, confirming that the updated configuration was saved, is displayed in the Console Messages pane.

  6. Stop the administration server by clicking Stop in the Common Tasks pane.

  7. Start the administration server, by running the following command:

    > $INSTANCE_HOME/admin-server/bin/startserv
    
  8. At the prompt to enter the token pin, enter the pin that you specified in step 4.

Setting the PKCS#11 Token Pin for the Administration Server Using the CLI

  1. Run the set-token-pin command, as shown in the following example:

    tadm> set-token-pin --config=admin-server --token=internal
    

    If the token is already protected with a pin, a prompt to enter the current pin is displayed. Enter the current pin, and when prompted, enter the new pin and confirm it.

  2. Restart the administration server as described in Section 2.4, "Stopping and Restarting the Administration Server."

For more information about set-token-pin, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.

11.1.4 Renewing Administration Server Certificates

To extend the validity of the self-signed administration server certificates, run the renew-admin-certs CLI command.

For example, the following command sets the expiry date of the self-signed administration server certificates to 24 months after the current date.

tadm> renew-admin-certs --validity=24
OTD-70216 The administration server and the administration nodes need to be restarted for the changes to take effect.

If you do not specify the --validity option, the expiry date is set to 12 months after the current date.

The renew-admin-certs command also attempts to update the certificates on the running nodes that are currently accessible. If a node is offline—not running or not accessible due to network problems—during the certificates renewal process, you can subsequently pull the renewed certificates from the administration server by running the renew-node-certs command on that node.

For the renewed certificates to take effect, you should restart the administration server and the nodes.

Note:

After renewing the administration server certificates, the first time you access the CLI or administration console, a message is displayed indicating that the server's identity cannot be verified because the certificate is from an untrusted source. To continue, you should choose to trust the self-signed certificate.

If the PKCS#11 token that provides the interface to the certificates database is protected with a pin (see Section 11.1.3), a prompt to enter the token pin is displayed.

For more information about the CLI commands mentioned in this section, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.
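The following script is an added example and is not part of Oracle Traffic Director or its documentation. It supports the renewal procedure above from the operator's side: given the notAfter line that `openssl x509 -noout -enddate` prints for the administration server certificate and for each node's copy, it reports how many days remain before renew-admin-certs is due and which nodes still carry an older certificate, which is the situation described above for a node that was offline during renewal and needs renew-node-certs. The sample notAfter values and host names are constructed, and the function names are assumptions; the heuristic that a node whose certificate expiry differs from the administration server's missed the renewal is also an assumption made for this example.

```python
"""Check administration server certificate expiry and spot nodes that
missed a renew-admin-certs run.

Added example, not Oracle's code. Inputs are constructed notAfter lines
in the format printed by `openssl x509 -noout -enddate`.
"""
from datetime import datetime, timezone

# Constructed: expiry of the administration server's certificate.
ADMIN_SERVER_NOT_AFTER = "notAfter=Jun 30 12:00:00 2026 GMT"

# Constructed: expiry of the certificate each node currently holds.
# node2 still has the pre-renewal certificate (it was offline at the time).
NODE_NOT_AFTER = {
    "node1.example.com": "notAfter=Jun 30 12:00:00 2026 GMT",
    "node2.example.com": "notAfter=Jun 30 12:00:00 2025 GMT",
}


def parse_not_after(line):
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days until the certificate expires (negative once expired)."""
    return (not_after - now).days


def renewal_report(admin_line, node_lines, now, warn_days=30):
    """Summarise what the operator should do next.

    renew_admin_certs: True when the administration server certificate
    expires within warn_days (or has already expired).
    stale_nodes: nodes whose certificate expiry differs from the
    administration server's, i.e. candidates for renew-node-certs.
    """
    admin_exp = parse_not_after(admin_line)
    left = days_remaining(admin_exp, now)
    stale = sorted(node for node, line in node_lines.items()
                   if parse_not_after(line) != admin_exp)
    return {
        "admin_days_left": left,
        "renew_admin_certs": left <= warn_days,
        "stale_nodes": stale,
    }


if __name__ == "__main__":
    report = renewal_report(ADMIN_SERVER_NOT_AFTER, NODE_NOT_AFTER,
                            now=datetime.now(timezone.utc))
    print("admin certificate days left:", report["admin_days_left"])
    if report["renew_admin_certs"]:
        print("run: tadm> renew-admin-certs --validity=<months>")
    for node in report["stale_nodes"]:
        print("run renew-node-certs on", node)
```

In practice you obtain each notAfter line from the certificate presented by the administration server and each node; the threshold of 30 days is a choice for this example, not a product setting.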