6 Configuring SSL

This chapter describes how to configure SSL in Agile PLM, in Agile PLM File Manager(s), and AutoVue.

The following diagram introduces the required keystores/keys for SSL configurations.

Figure 6-1 Required Keystores/keys for SSL

You can set up SSL in your Agile PLM environment to work with the following:

• SDK

• Web Services

• Application Server (WebLogic)

• File Manager Server (Tomcat)

• AutoVue Server

WARNING: Once you enable SSL for one of the components listed in the previous step, you must enable SSL for all components listed.

Note: For instructions on how to mitigate vulnerabilities related to SSL 3.0 and SHA-2 certificate, see Appendix B, "Checklist for Configuring Web Services Security".

Tip: If you are planning on configuring SSL and Web Services Security, use the checklist in Appendix B, "Checklist for Configuring Web Services Security" to help keep track of your progress.

To set up SSL, you need three keystores. In this document, they will be named as follows:

• Agile Server SSL keystore: agile-keystore.jks

• Agile Server SSL truststore: agile-truststore.jks

• File Manager SSL keystore: fm-keystore.jks

6.1 Securing Agile PLM Application Using SSL

The following sections describe how to enable SSL for security in Agile PLM.

6.1.1 Generating WebLogic SSL Signature Key and Certificate Signing Request

To generate the WebLogic SSL Signature Key and Certificate Signing Request, do the following:

1. Generate SSL keystore, agile-keystore.jks.

   • Alias: ssl

   • Keysize: 2048

   • Algorithm: RSA

2. Generate Certificate Signing Request with the SSL keystore above and send to the Certifying Authority.

6.1.2 Importing CA Certificate To WebLogic SSL Keystore

The Certifying Authority returns the newly issued certificate, the Root CA and an intermediate CA certificate. Importing the newly issued certificate normally involves installing it, along with its certificate trust chain, which basically means installing (or verifying prior installation of) the certificates of (a) The Root CA (our trust anchor CA) and of (b) intermediate SSL CA before (c) your newly issued SSL certificate is installed.

6.1.3 Generating WebLogic SSL Truststore

Generate the Weblogic SSL truststore, agile-truststore.jks. To generate this truststore, import your Root CA, Intermediate SSL CA, and Issued CA certificates into the keystore, agile-truststore.jks, that constitutes the trust.

6.1.4 Configuring SSL on WebLogic Server

Once you have imported the CA certificate to WebLogic SSL keystore and generated the WecbLogic SSL truststore, ontinue with the following procedures to configure SSL on the WebLogic Server that hosts the Agile PLM Application.

6.1.4.1 Configuring the Keystore on the Weblogic Server

To configure the keystore:

1. In a browser, launch http://<AgileApplicationServerName>:7001/console/login/LoginForm.jsp.

2. Log in to the Admin Console.

3. Expand Environment, click on Servers, and click on the server name on the right panel.

4. In AgileServer > Configuration > Keystores, use Custom Idenitity and Custom Trust for keystores.

   • In the Identity Section provide the following:

     • Enter the location in the Custom Identity Keystore field.

     • Enter "JKS" as the Custom Identity Keystore Type.

     • Enter the password in the Custom Identity Keystore Passphrase field.

   • In the Trust Section provide the following:

     • Enter the location in the Custom Trust Keystore field.

     • Enter "JKS" as the Custom Keystore Type.

     • Enter the password in the Custom Trust Keystore Passphrase

   • Click Save.

6.1.4.2 Configuring the Identity of the WebLogic Server

Go to AgileServer > Configuration > SSL. In this example, we use "ssl" is the key, and the password.

6.1.4.3 Configuring SSL Listen Port for WebLogic Server

1. Navigate to AgileServer > Configuration > General and select the SSL Listen Port Enabled checkbox. The default SSL port is 7002.

2. Click Save to activate the changes in WebLogic Console.

6.1.4.4 Verify SSL Configuration on WebLogic Server

1. Connect to https://<hostname>:7002/Agile/PLMServlet and confirm that you can access Agile Web Client successfully.

2. Log in to Agile.

The SSL setup is now complete and running on your WebLogic server.

6.1.4.5 Cluster Environment: Additional Configurations

You need to configure SSL for each WLS server in the cluster. You also need to configure SSL on Load Balancer (LB), and update the LB URI into Agile PLM Application SSL Configurations. Meanwhile, you have to import the LB SSL certificate into the trust keystore for every WLS server, and import all the WLS server's SSL certificates into LB trust keystore.

6.1.5 Configuring SSL in the Agile PLM Application Server

Modify the following configuration files for the SSL environment:

1. jndiurl.properties

   Path: <AGILE_HOME>\agileDomain\application\application.ear\APP-INF\classes

   server1=t3s://<app_server_alias>:7002

2. agile.properties

   Path: <AGILE_HOME>\agileDomain\config

   ##### Common Web Security Settings ###########

   # Specify whether to use the Secure flag to protect sensitive cookies

   WebSecurity.ForceSecureCookies = true

3. ext.jnlp

   Path: <AGILE_HOME>\agileDomain\application\application.ear\JavaClient.war\wls

   <jnlp spec="1.0+" codebase="https://<app_server_alias>:7002/JavaClient">

4. pcclient.jnlp

   Path: <AGILE_HOME>\agileDomain\application\application.ear\JavaClient.war

   <jnlp spec="1.0+" codebase="https://<app_server_alias>:7002/JavaClient"><argument>serverURL=t3s://<server_url>:7002</argument><argument>jvuecodebase=https://<fm_server_alias>:8443/Filemgr/jVue</argument><argument>jvueserver=https://<app_server_alias>:7002/Agile/VueServlet</argument>

5. custom.jnlp

   Path: <AGILE_HOME>\agileDomain\application\application.ear\JavaClient.war

   <jnlp spec="1.0+" codebase="https://<app_server_alias>:7002/JavaClient">

Once you have completed modifying the configuration files, restart the application server to make the settings effective.

6.1.5.1 HTTPOnly and SecureFlag Flags in agile.properties

Whenever user-sensitive cookies are generated in Agile PLM, the HTTPOnly flag is also included in the Set-Cookie HTTP Response Header. This helps mitigate the risk of a client-side script accessing the protected cookie, if the browser supports it.You can change the flag's value to false to retain legacy behavior. From a secure system perspective, however, Oracle recommends that customers keep the HTTPOnly flag set to true.

Additionally, Agile PLM does not mandate use of SSL, so setting the Secure flag prevents non-SSL enabled customers from using Agile. The solution is to introduce a setting for secure mode and if enabled, then set the Secure Flag on all the sensitive cookies. This ensures that sensitive cookies are available in another application only through HTTPS. These cookies are not available through HTTP, even if both the Agile PLM Application and the external application are deployed in the same domain. You can change the value to false to retain legacy behavior. From a secure system perspective, however, Oracle recommends that customers keep this flag set to true.

6.2 Securing Agile PLM File Manager(s) Using SSL

The following section describes how to configure SSL on a File Manager.

Note: When SSL is enabled, you must ensure that the Tomcat Server configuration file (AGILE_HOME\FileManager\conf\server.xml) is protected using File Access Permissions. Visibility/accessibility should be limited to only users with root or elevated privileges. This file contains sensitive password data.

6.2.1 Generating SSL Signature Key and Certificate Signing Request for File Manager

To generate the SSL signature key and Certificate Signing Request for File Manager, do the following:

1. Generate SSL keystore fm-keystore.jks.

   • Alias: fm

   • Keysize: 2048

   • Algorithm: RSA

2. Generate the Certificate Signing Request with the SSL keystore above and send it to the Certifying Authority.

6.2.2 Importing CA Certificate To File Manager SSL Keystore

The Certifying Authority returns the newly issued certificate, the Root CA and an intermediate CA certificate. Importing the newly issued certificate normally involves installing it, along with its certificate trust chain, which basically means installing (or verifying prior installation of) the certificates of (a) The Root CA (our trust anchor CA) and of (b) intermediate SSL CA before (c) your newly issued SSL certificate is installed.

6.2.3 Configuring SSL on the File Manager

Once you have imported the CA certificate to the File Manager SSL keystore, continue with the following procedures.

1. Export the File Manager SSL certificate from fm-keystore.jks, which we named as fm-ssl-cert.cer. Import File Manager SSL certificate into Agile Server SSL Trust Keystore.

2. Export Agile Server certificate from agile-keystore.jks, which we named as agile-ssl-cert.cer. Import agile-ssl-cert.cer into File Manager key store.

3. Open <AGILE_HOME>\FileManager\conf\server.xml and add a new connector. The file manager SSL port is 8443. Place the connector code after the code for the connector of port 8080, as shown in the following example:

   <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"redirectPort="8443" /><Connector protocol="org.apache.coyote.http11.Http11Protocol"port="8443" maxThreads="200"scheme="https" secure="true" SSLEnabled="true"keystoreFile="<certificate path>\fm-keystore.jks" keystorePass=<keystore_password> keyAlias="fm"clientAuth="false" sslProtocol="TLS"/>

4. To configure SSL on the File Manager application, change <AGILE_HOME>\agileDomain\config\server.conf as follows:

   app.server.url=https://<app_server_ alias>:7002/Agile/FSHelper/FSHelperWSServicefile.server.url=https://<fm_server_alias>:8443/Filemgr/services/FileServerdms.server.url=https://<app_server_ alias>:7002/Agile/DmsService/DmsViewerAPIService

5. To configure the Java Client File Manager node, log in to Java Client, navigate to Admin >Server Settings > Locations, and do the following:

   • Change General Information > Web Server URL to https://<app_server_ alias>:7002/Agile/PLMServlet

   • Change Java Client URL to https://<app_server_ alias>:7002/JavaClient/start.jsp

   • Change File Manager > iFS to https://<fm_server_ alias>:8443/Filemgr/AttachmentServlet

6. Restart the file manager server and access https:// <fm_server_ alias>:8443/Filemgr/Configuration to check the File Manager configuration.

SSL is now configured on File Manager. Restart the File Manager and it should work as expected.

6.3 Configuring SSL on AutoVue Server

AutoVue server should be configured to point to SSL protected VueServlet which is hosted on File Manager.

1. Import both the Application server and File Manager server certificates into the AutoVue Server's JRE (<AGILE_HOME\jre\lib\security\cacerts>) using Java's keytool command:

   
   

   Note: The certificates have already been generated in steps 1 and 2 of "Configuring SSL on the File Manager".

   
   

2. Restart the AutoVue server.

6.4 Configuring SSL on Distributed File Managers(DFMs)

If there are multiple DFM nodes deployed, you need to do the following configurations on each node.

• Set up DFMs.

• Follow the steps on section Securing Agile PLM File Manager(s) Using SSL.

• Export DFMs SSL certificate.

• Import DFMs SSL certificate into Agile Server trust store (agile-truststore.jks) and File Manager keystore (fm-keystore.jks).

• Restart the file manager server and access https:// <fm_server_ alias>:8443/Filemgr/Configuration to check the File Manager configuration.