You can set up SSL in your Agile PLM environment to work with the following:
SDK
Web Services
WebLogic Server
AutoVue Server
Tomcat Server
Before you refer to the sections in this appendix to set up SSL for any specific environment, follow the steps described in the following section, Basic SSL Configuration.
Follow these basic steps for setting up SSL. The steps provide general guidelines on how to generate the SSL certificates before you apply them to the Agile PLM application server and to other Agile PLM components such as the SDK and Web Services samples.
Generate and procure the security certificate for your setup as per your company's policies.
Create a keystore file, for example, mykeystore.jks, which can be located on any disk path and contains a private key and a self-signed public key.
a. Go to the WLS domain directory and run setENV.cmd.
b. Run the following keytool command under the path of the keystore that you want to generate.
C:\CSR>keytool -genkey -keyalg RSA -alias mykey -keystore mykeystore.jks -keysize 2048
Generate a Certificate Signing Request (CSR) and send it to Certifying Authority using the command: C:\CSR>keytool -certreq -keystore mykeystore.jks
The result should look similar to this example:
The CA returns the certificate reply, the root CA certificate, and sometimes an intermediate CA certificate. Installing the newly issued certificate normally involves installing it along with its certificate trust chain, which means installing (or verifying the prior installation of) the certificates of (a) VeriSign's public primary root CA (the trust anchor CA) and (b) the issuing (intermediate) SSL CA before (c) your newly issued SSL certificate is installed.
In the CA's reply mail, you receive the OraclePKI-SSLCA.zip file and the newly issued SSL certificate.
Assuming you get the certificates as a zip file, for example <Company>PKI-SSLCA.zip, it could contain the following set of certificates:
a. root CA certificate: VTN-PCA-3G3.pem (included in <Company>PKI-SSLCA.zip)
b. intermediate SSL CA certificate: <Company>_SSL_CA.pem (included in <Company>PKI-SSLCA.zip)
c. newly issued SSL certificate: at the bottom of the mail "Your Standard SSL Certificate Is Ready", copy "-----BEGIN CERTIFICATE----- … …-----END CERTIFICATE-----" into a text file and save it as a .pem file, for example myCert.pem
Import the certificates into the keystore.
This can be done in two ways: either import the certificates one by one in the order root CA, intermediate CA, and then certificate reply, or create a certificate chain by concatenating them in order into a single .pem file. In the following example, we create a certificate chain file CertChain.pem and import it into the identity keystore under the private key alias, which is mykey in this example.
Note: It is important to remember that the certificate can only be installed on the server that already has its corresponding private key present in its keystore. Additionally, it must be the same private key that was created during the CSR generation process described above.
Open a text editor and paste the contents of each certificate in this order, from top to bottom: C: myCert.pem, B: <Company>_SSL_CA.pem, A: VTN-PCA-3G3.pem. Save the file as CertChain.pem.
-----BEGIN CERTIFICATE-----
C:<myCert.pem>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
B:<<Company>_SSL_CA.pem>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
A:<VTN-PCA-3G3.pem>
-----END CERTIFICATE-----
The server should be presenting the whole chain of certificates to its clients during the SSL handshake. Certificates are typically presented in the leaf to root order (C-B-A).
Import the certificate chain into the keystore by running the following command:
C:\CSR>keytool -import -file CertChain.pem -alias mykey -keystore mykeystore.jks -storepass <password>
Create a trust keystore. Do this by importing your Root CA certificate into another keystore that constitutes the trust:
C:\CSR>keytool -import -file VTN-PCA-3G3.pem -alias rootca -keystore trust.jks -storepass <password>
Once you have completed the steps in "Basic SSL Configuration", continue with the following procedures to configure SSL on the WebLogic Server that hosts the Agile PLM Application.
To configure the keystore:
Access http://<AgileApplicationServerName>:7001/console/login/LoginForm.jsp.
Log in to the Admin Console.
Select the server on which you want to configure the SSL certificate.
On the server page, click the Keystore tab. By default, it points to the Demo Certificates.
From the dropdown list, select the "Custom Identity and Custom Trust" option. Enter the identity and trust keystore details.
Click on the SSL tab and enter the alias of the private key, for example mykey, and the key passphrase, for example "Agile123".
Modify the following configuration files:
jndiurl.properties
Path: <AgileHomePath>\agileDomain\servers\<AgileServer>\tmp\_WL_user\AgilePLM\<RandomName>\APP-INF\classes
server1=t3s://<AgileApplicationServerName>:7002
agile.properties
Paths: <AgileHomePath>\agileDomain\servers\<AgileServer>\tmp\_WL_user\AgilePLM\<RandomName>\APP-INF\classes
and <AgileHomePath>\agileDomain\config
##### Common Web Security Settings ###########
# Specify whether to use the Secure flag to protect sensitive cookies
WebSecurity.ForceSecureCookies = true
ext.jnlp
Path: <AgileHomePath>\agileDomain\servers\<AgileServer>\tmp\_WL_user\AgilePLM\<RandomName>\JavaClient.war\wls
<jnlp spec="1.0+" codebase="https://<AgileApplicationServerName>:7002/JavaClient">
pcclient.jnlp
Path: <AgileHomePath>\agileDomain\servers\<AgileServer>\tmp\_WL_user\AgilePLM\<RandomName>\JavaClient.war\
<jnlp spec="1.0+" codebase="https://<AgileApplicationServerName>:7002/JavaClient">
<argument>serverURL=t3s://<AgileApplicationServerName>:7002</argument>
Once you have completed modifying the configuration files, restart the application server to make the settings effective.
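As an added check after editing the four files above (example code, not part of this guide or of Agile PLM), the following Python script scans their contents for remaining plaintext t3:// or http:// endpoints and confirms that WebSecurity.ForceSecureCookies is set to true. The file contents and host names are constructed samples.

```python
import re

# Constructed sample contents of the four files edited above (made-up host
# names; not copied from a real Agile PLM installation).
SAMPLE_FILES = {
    "jndiurl.properties": "server1=t3://agile-app.example.com:7001\n",
    "agile.properties": (
        "##### Common Web Security Settings ###########\n"
        "WebSecurity.ForceSecureCookies = false\n"
    ),
    "ext.jnlp": '<jnlp spec="1.0+" codebase="https://agile-app.example.com:7002/JavaClient">\n',
    "pcclient.jnlp": (
        '<jnlp spec="1.0+" codebase="http://agile-app.example.com:7001/JavaClient">\n'
        "<argument>serverURL=t3s://agile-app.example.com:7002</argument>\n"
    ),
}

# Matches scheme://host...; the group separates plaintext (t3, http) from TLS (t3s, https).
URL_RE = re.compile(r"\b(t3s?|https?)://[^\s\"'<>]+")
PLAINTEXT_SCHEMES = {"t3", "http"}


def find_plaintext_endpoints(text):
    """Return (line_no, url) for every t3:// or http:// reference in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            if m.group(1) in PLAINTEXT_SCHEMES:
                hits.append((no, m.group(0)))
    return hits


def secure_cookies_enabled(properties_text):
    """True only if WebSecurity.ForceSecureCookies is explicitly set to true."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "WebSecurity.ForceSecureCookies":
            return value.strip().lower() == "true"
    return False  # key missing or commented out: do not assume the secure value


def audit(files):
    """Return human-readable findings; an empty list means the SSL edits are complete."""
    findings = []
    for name, text in files.items():
        for no, url in find_plaintext_endpoints(text):
            findings.append(f"{name}:{no}: plaintext endpoint {url}")
    if not secure_cookies_enabled(files.get("agile.properties", "")):
        findings.append("agile.properties: WebSecurity.ForceSecureCookies is not true")
    return findings
```

Run audit() over the real file contents read from the paths listed above; the sample data produces three findings (the t3:// JNDI URL, the http:// codebase in pcclient.jnlp, and the cookie flag set to false).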
Whenever user-sensitive cookies are generated in Agile PLM, the HTTPOnly flag is also included in the Set-Cookie HTTP response header. This helps mitigate the risk of a client-side script accessing the protected cookie (if the browser supports it). You can change the value to 'false' to retain legacy behavior. From a secure system perspective, Oracle recommends that customers keep this set to 'true'.
Additionally, Agile PLM does not mandate the use of SSL, so unconditionally setting the Secure flag would prevent customers without SSL from using Agile. The solution is a secure-mode setting (WebSecurity.ForceSecureCookies, shown above); when it is enabled, the Secure flag is set on all sensitive cookies. This ensures that sensitive cookies are available to another application only via HTTPS. These cookies will not be available via HTTP, even if both the Agile PLM application and the external application are deployed in the same domain. You can change the value to 'false' to retain legacy behavior. From a secure system perspective, Oracle recommends that customers keep this set to 'true'.
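To verify the behavior described above after enabling secure mode, here is an added Python check (not part of this guide or of Agile PLM) that parses captured Set-Cookie response headers and reports which sensitive cookies lack the HttpOnly or Secure flag. The header values and cookie names are constructed samples, not Agile PLM's real cookie names.

```python
# Constructed Set-Cookie header values as a browser would receive them from
# the application server; the cookie names are made up for this example.
SAMPLE_HEADERS = [
    "SESSION_TOKEN=abc123; Path=/Agile; HttpOnly; Secure",
    "USER_PREF=en; Path=/Agile; HttpOnly",
    "THEME=dark; Path=/Agile",
]
# Cookie names this deployment treats as sensitive (constructed for the example).
SENSITIVE = {"SESSION_TOKEN", "USER_PREF"}
REQUIRED_FLAGS = ("httponly", "secure")


def parse_set_cookie(header_value):
    """Return (cookie_name, {attribute_lower: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # valueless flags map to ""
    return name, attrs


def missing_cookie_flags(headers, sensitive=SENSITIVE):
    """Map each sensitive cookie to the flags it lacks; an empty dict means all are set."""
    gaps = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in sensitive:
            continue  # non-sensitive cookies are outside this check
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        if missing:
            gaps[name] = missing
    return gaps
```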
Once you have completed the steps in "Basic SSL Configuration", continue with the following procedures.
Add the following component to <AgileHomePath>\FileManager\conf\server.xml:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="<KeystorePath>" keystorePass="<KeystorePassword>"
clientAuth="false" sslProtocol="TLS"/>
Configure the Java Client File Manager node as follows:
Name: iFS
API Name: IFS
File Manager URL: https://<FileServerName>:8443/Filemgr/AttachmentServlet
Enabled: Yes
Primary file server: Yes
File Manager Internal Locator: https://<FileServerName>:8443/Filemgr/services/FileServer
Viewer Server URL: https://<FileServerName>:8443/Filemgr/VueServlet
Viewer Proxy URL: https://<FileServerName>:8443/Filemgr/VueLink
Viewer Content URL: https://<FileServerName>:8443/Filemgr/jVue
Configure <AgileHomePath>\agileDomain\config\server.conf
app.server.url = http://<AgileApplicationServerName>:7001/Agile/services/FSHelper
file.server.url = https://<FileServerName>:8443/Filemgr/services/FileServer
dms.server.url = http://<AgileApplicationServerName>:7001/Agile/services/DmsService
Restart the File Manager server.
Access https://<FileServerName>:8443/Filemgr/Configuration to check the File Manager configuration.
Note: You must restrict IP access between the VueLink/VueServlet and the AutoVue machine. For details, refer to the Security Features section "Configuring and Using Restrict IP Access" in the Oracle AutoVue Integration Software Development Toolkit Security Guide.
This section describes how to configure SSL between the AutoVue client and the VueServlet. We do not provide steps for configuring SSL between the File Server and the AutoVue server, because this communication takes place behind the firewall and SSL is not commonly used there.
Connect to the application server via the HTTPS protocol in order to get the application server's certificate, for example, https://<AgileApplicationServerName>.
Import the certificate into Internet Explorer.
Export the certificate from Internet Explorer as a base-64 encoded format and save the certificate onto the local disk, for example, C:\certs.cer.
Import the certificate into the AutoVue server's JRE using Java's keytool command:
<Java Install Directory>\bin>keytool -import -alias <servername> -file c:\certs.cer -trustcacerts -v -keystore C:\Oracle\AutoVue\jre\lib\security\cacerts
Restart the AutoVue server.
Configure the web page that embeds the AutoVue applet to point to the https:// URL for the VueServlet.
To configure SSL for SDK, do the following:
Get the keystore file, for example mykeystore.jks, that is generated using the steps in Appendix B, and keep the mykeystore.jks file in a folder located on the machine where you want to run the SDK, such as "C:\SDKSSL".
Follow these steps to run SDK sample code with an SSL environment:
a. Download SDK sample files from OTN.
b. Go to "..\SDK_AIS_Samples\sdk\samples\api\Login".
c. Update URL, USERNAME and PASSWORD with SSL server information in Login.java.
Set URL as https://hostname:port/Virtualpath
d. Update the file run.bat:
Set JAVA_HOME & SDK_HOME
Update Java Command:
java -classpath .;c:\SSL\SDK\AgileAPI.jar -Djavax.net.ssl.trustStore=C:\SDKSSL\mykeystore.jks -Djavax.net.ssl.trustStorePassword=Agile123 Login
e. Execute run.bat.
To configure SSL for Web Services, do the following:
Get the keystore file, for example mykeystore.jks, that is generated using the steps in Appendix B, and keep the file in a folder located on the machine where you want to run Web Services, for example "C:\SSL".
Follow these steps to run Web Services sample code in an SSL environment:
a. Download the Web Services sample files from OTN.
b. Copy AgileAPI.jar file into "C:\SSL\WS\".
c. Copy one of the sample Java files for creating an object, for example CreateObject.java, to a location such as "C:\SSL\WS".
d. Compile the file as follows:
C:\SSL\WS>javac -classpath .;C:\SSL\WS\AgileAPI.jar CreateObject.java
e. Run the sample as follows:
C:\SSL\WS>java -classpath .;C:\SSL\WS\AgileAPI.jar -Djavax.net.ssl.trustStore=C:\SSL\mykeystore.jks -Djavax.net.ssl.trustStorePassword=Agile123 CreateObject
Note: The steps in this section do not make use of an Integrated Development Environment (IDE). Alternatively, you can set up SSL for Web Services using an IDE.