21 Configuring Security Between the Proxy and the Data Source

Security configuration between the proxy and the remote LDAP servers can be configured as follows:

• During installation of the proxy by using the oud-proxy-setup GUI. For more information, see "Setting Up the Proxy Server by Using the GUI" in Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.

• After the proxy installation, by using the dsconfig command in interactive mode. For general information about using the dsconfig command, see Section 14.1, "Managing the Server Configuration With dsconfig".

For security management, network groups can be enabled to classify incoming client connections. You can use network groups to restrict operations that can be performed, based on how the connection has been classified. Use this functionality, for example, to restrict access to clients that connect from a specified IP address only. For more information, see Section 14.1.6, "Configuring Network Groups With dsconfig".

For secure client authentication between the proxy and remote LDAP servers, the certificate of the proxy must be imported into the truststore of each remote LDAP server. In this case, you must configure a keystore manually. For details, see Section 20.2, "Configuring Key Manager Providers".

The proxy security does not bypass the back-end ACI.

This chapter covers the following topics:

• Section 21.1, "How the Proxy Manages Secure Connections"

• Section 21.2, "Modes of Secure Connection"

• Section 21.3, "Configuring Security Between the Proxy and Data Source Using dsconfig"

21.1 How the Proxy Manages Secure Connections

The proxy manages the security with the client and with the directory server, and supports both SSL and StartTLS.

When you configure security, you must specify how the proxy connects to the remote LDAP server by indicating if the proxy should use SSL always, never, or user. If you specify always, the connection with the remote LDAP server will always be secured using SSL, regardless of how the client connects to the proxy. If you specify never, the connection between the proxy and the remote LDAP directory server will not be secured, regardless of whether the client connects to the proxy with a secure connection. If specify user, the security between the proxy and the remote LDAP directory servers will be the same as the security between the client and the proxy. For example, if the client connects over SSL, the connection with the remote LDAP server will also use SSL. One notable exception is if the client connects using StartTLS, in which case the proxy will connect to the remote LDAP servers using SSL.

For more information see Modes of Secure Connection.

21.2 Modes of Secure Connection

The proxy handles connections to the remote LDAP servers in three SSL security modes:

• always

• never

• user

You can view or edit these settings using the dsconfig --advanced command. Choose Extension from the main menu.

The remote-ldap-server-ssl-policy property manages the three SSL security modes.

When the remote-ldap-server-ssl-policy property is set to always or user, the proxy needs to trust the remote LDAP servers. To achieve this, you need to manually import the certificates of each remote LDAP server into the proxy's truststore.

21.2.1 The always Secure Mode

With the remote-ldap-server-ssl-policy property set to always, all connections made from the proxy to the remote LDAP servers are fully secure SSL connections, regardless how the client connects to the proxy.

In this mode, the pool size refers to one type of connection pool: secure LDAPS connections.

In the always secure mode, the certificate of each remote LDAP server must be imported into the proxy's truststore. If there is a large number of back-end LDAP servers that are not Oracle Unified Directory servers, and if certificates were not managed during installation, importing certificates into the truststore of the proxy can be a constraint. For test environment purposes, you can speed up this process by using the ssl-trust-all parameter. This parameter requests the proxy to trust all remote LDAP servers.

21.2.2 The never Secure Mode

With the remote-ldap-server-ssl-policy property set to never, none of the connections from the proxy to the remote LDAP servers are secure SSL connections.

In this mode, the monitoring connection by the proxy of the remote LDAP servers is never secure.

In this mode, the pool size refers to one type of connection pool: unsecure LDAP connections.

21.2.3 The user Secure Mode

With the remote-ldap-server-ssl-policy property set to user, incoming requests from clients to the proxy dictate whether the connection between the proxy and remote LDAP servers should be secure, regardless of how the client connects to the proxy.

If the incoming client request is secure, whether SSL or StartTLS, the connection from the proxy to the remote LDAP servers is a secure SSL connection.

If the incoming client request is not secure, the connection from the proxy to the remote LDAP servers is not a secure SSL connection.

In this mode, the monitoring connection between the proxy and the remote LDAP servers is never secure.

Two pools of connections are created, one secure and one unsecure. This is shown in Figure 21-1. In the scenario on the left, the client connects to the proxy using an unsecure connection, and the unsecure pool of connections from the proxy to the remote LDAP servers is used. In the scenario on the right, the client connects to the proxy using a secure connection, whether SSL or StartTLS, and the secure SSL pool of connections from the proxy to the remote LDAP servers is used.

Figure 21-1 Connections in the user Secure Mode

Description of "Figure 21-1 Connections in the user Secure Mode"

In the user mode, the certificate of each remote LDAP server must be imported into the proxy's truststore. If there is a large number of remote LDAP servers that are not Oracle Unified Directory servers, and if certificates were not managed during installation, importing certificates into the truststore of the proxy can be a constraint. In a test environment, you can speed up this process by using the ssl-trust-all parameter. This parameter requests the proxy to trust all remote LDAP servers.

When the remote-ldap-server-ssl-policy property is set to user, the pool size refers to two types of connection pools: unsecure LDAP connections and secure LDAPS connections. If for example the pool-initial-size is set to 5 connections, as shown in Figure 21-2, then when the LDAP Extension is initialized, there will be one pool of 5 LDAP connections and one pool of 5 LDAPS connections, or a total of 10 connections. Each pool evolves separately after this initialization, based on parameters set for that pool.

Note:

By default, pool-initial-size is set to 10 connections.

Figure 21-2 Multiple Pools of Connections

Description of "Figure 21-2 Multiple Pools of Connections"

21.3 Configuring Security Between the Proxy and Data Source Using dsconfig

The dsconfig tool accesses the server over a secured connection with certificate authentication. If you run dsconfig in non-interactive mode, as dsconfig -n, specification of the trust store parameters depends on whether you run the command locally or remotely. For more information on running the command locally or remotely, see Overview of the dsconfig Command.

21.3.1 To Configure Security Between the Proxy and Directory Servers Using dsconfig

This task highlights the main steps required to configure security for connections to remote LDAP servers. Where the process is similar to that provided for configuring security between the proxy and the client, pointers are given to the related procedure.

1. If the remote LDAP servers do not require client authentication to be passed from the proxy, proceed directly to step 2.

   If the remote LDAP servers require client authentication to be passed from the proxy, perform the following sub-steps:

   1. Configure a keystore for remote LDAP server connections.

      To do this, use the Java keytool command to generate a certificate on the proxy server. The keystore must be configured manually. For details, see Configuring Key Manager Providers.

      Self-sign the certificate or have the certificate signed by an external certificate authority. For details, see Configuring Key Manager Providers.

   2. Configure a key manager provider on the proxy for the keystore for remote LDAP server connections.

      For details, see Configuring Key Manager Providers. This key manager provider can be separate to that used for handling secure connections to clients.

   3. If the remote LDAP servers require client authentication, the certificate of the proxy must be imported into the truststore of each remote LDAP server.

      For information about importing and exporting certificates on Oracle Unified Directory, see Configuring Key Manager Providers.

2. For the proxy to establish secure connections with the remote LDAP servers, configure a truststore.

   All remote LDAP servers requiring a secure connection need to have their certificates imported into the proxy truststore. All of these remote LDAP server certificates can be imported into a single proxy truststore or distributed among multiple proxy truststores. You can have as many proxy truststores as there are remote LDAP server certificates to be imported.

   An LDAP proxy extension targeting a secured connection to a remote LDAP data source must reference in its configuration the appropriate truststore manager. This enables the LDAP proxy extension to access the imported remote LDAP server certificate, to accept the secure connection.

3. Each truststore requires a proxy trust manager provider.

   To list the proxy trust manager providers, use the dsconfig list-trust-manager-providers command. For example:

   $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager" -j pwd-file -X -n \
   list-trust-manager-providers
   

   To create a proxy trust manager provider, use the dsconfig create-trust-manager-provider command. For example:

   $ dsconfig -h localhost -p 4444 -D "cn=Directory Manager"  -j pwd-file -X -n \
   create-trust-manager-provider \
   --provider-name Backend\ Servers \
   --type file-based --set enabled:true \
   --set trust-store-file:/localhost/config/backend-servers-truststore \
   --set trust-store-type:JKS \
   --set trust-store-pin-file:/installPath/config/backend-servers-truststore.pin
   

4. Import the certificates of the remote LDAP servers into the proxy truststore.

21.3.2 Configurable LDAP Extension Properties Relevant to Security

When managing connections to remote LDAP servers using dsconfig, a number of configurable LDAP Extension security connection properties are available. For information about managing LDAP extensions, see Configuring Communication With Remote LDAP Servers. Configurable properties that either directly or indirectly relate to security considerations include the following:

remote-ldap-server-ssl-policy

This important value governs the overall security mode of the connections between the proxy and remote LDAP servers. Its use is covered in the section Modes of Secure Connection.

pool-increment

If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the incremental change of size of each pool is set to pool-increment. For more information on this property, see To Modify the Advanced Properties of an LDAP Server Extension.

pool-initial-size

If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the initial size, and minimum size, of each pool is set to pool-initial-size. In this case, therefore, there will initially be twice the total number of connections indicated in pool-initial-size. For details, see To Modify the Advanced Properties of an LDAP Server Extension.

pool-max-size

If the remote-ldap-server-ssl-policy property is set to user, two pools of connections are created and the maximum size of each pool is set to pool-max-size.

The default value is 1000 connections. For more information on this property, see To Modify the Advanced Properties of an LDAP Server Extension.

remote-ldap-server-ssl-port

The port number for SSL connections from the proxy to the remote LDAP server.

ssl-client-alias

When a keystore is created for client authentication, several keys can be stored in it. Use this property to specify which key to use. For more information about keystores, see Getting SSL Up and Running Quickly. See also Configuring Key Manager Providers.

ssl-key-manager-provider

Specifies a key manager provider to use for the LDAP Server Extension. The key manager provider is not mandatory and can be used if the remote LDAP server is configured for client authentication. The referenced key manager provider must be enabled. For more information about key manager providers, see Configuring Key Manager Providers.

ssl-trust-all

If this parameter is set to true, all remote LDAP servers are trusted. The default value is false. Setting this value to true avoids having to import certificates from remote LDAP servers but is insecure.

Note that although the interactive dsconfig --advanced command offers Blind Trust as a possible trust manager provider, Blind Trust is not supported for the proxy server. Instead, if you want to avoid the import of certificates, set the ssl-trust-all parameter to true. This presents an insecure deployment and is not recommended for production environments, only for testing purposes.

If the remote-ldap-server-ssl-policy is set to never, then the value of the ssl-trust-all parameter is irrelevant. All connections between the proxy will be insecure (unencrypted) in this case. For more information on the remote-ldap-server-ssl-policy, see Modes of Secure Connection.

ssl-trust-manager-provider

Specifies which trust manager provider to use for the LDAP Server Extension. The trust manager provider is mandatory unless the ssl-trust-all parameter is set to true. The referenced trust manager provider must be enabled.