This chapter describes how to configure SSL in Agile PLM, in Agile PLM File Manager(s), and AutoVue.
The following diagram introduces the required keystores/keys for SSL configurations.
You can set up SSL in your Agile PLM environment to work with the following:
SDK
Web Services
Application Server (WebLogic)
File Manager Server (Tomcat)
AutoVue Server
WARNING: Once you enable SSL for one of the components listed above, you must enable SSL for all of them.
Note: For instructions on how to mitigate vulnerabilities related to SSL 3.0 and SHA-2 certificates, see Appendix B, "Checklist for Configuring Web Services Security".
Tip: If you are planning on configuring SSL and Web Services Security, use the checklist in Appendix B, "Checklist for Configuring Web Services Security" to help keep track of your progress.
To set up SSL, you need three keystores. In this document, they will be named as follows:
Agile Server SSL keystore: agile-keystore.jks
Agile Server SSL truststore: agile-truststore.jks
File Manager SSL keystore: fm-keystore.jks
The following sections describe how to enable SSL for security in Agile PLM.
To generate the WebLogic SSL Signature Key and Certificate Signing Request, do the following:
Generate SSL keystore, agile-keystore.jks.
Alias: ssl
Keysize: 2048
Algorithm: RSA
Generate Certificate Signing Request with the SSL keystore above and send to the Certifying Authority.
The Certifying Authority returns the newly issued certificate, the Root CA certificate, and an intermediate CA certificate. Importing the newly issued certificate normally means installing its certificate trust chain first: install (or verify the prior installation of) (a) the Root CA certificate (the trust anchor) and (b) the intermediate SSL CA certificate before (c) the newly issued SSL certificate itself is installed.
Generate the WebLogic SSL truststore, agile-truststore.jks. To generate this truststore, import your Root CA, Intermediate SSL CA, and issued certificates into the keystore agile-truststore.jks; together they constitute the trust.
Once you have imported the CA certificate into the WebLogic SSL keystore and generated the WebLogic SSL truststore, continue with the following procedures to configure SSL on the WebLogic Server that hosts the Agile PLM Application.
To configure the keystore:
In a browser, launch http://<AgileApplicationServerName>:7001/console/login/LoginForm.jsp.
Log in to the Admin Console.
Expand Environment, click on Servers, and click on the server name on the right panel.
In AgileServer > Configuration > Keystores, select Custom Identity and Custom Trust for the keystores.
In the Identity Section provide the following:
Enter the location in the Custom Identity Keystore field.
Enter "JKS" as the Custom Identity Keystore Type.
Enter the password in the Custom Identity Keystore Passphrase field.
In the Trust Section provide the following:
Enter the location in the Custom Trust Keystore field.
Enter "JKS" as the Custom Trust Keystore Type.
Enter the password in the Custom Trust Keystore Passphrase field.
Click Save.
Go to AgileServer > Configuration > SSL. In this example, the private key alias is "ssl"; enter that alias and the key's password.
Navigate to AgileServer > Configuration > General and select the SSL Listen Port Enabled checkbox. The default SSL port is 7002.
Click Save to activate the changes in WebLogic Console.
Connect to https://<hostname>:7002/Agile/PLMServlet and confirm that you can access Agile Web Client successfully.
Log in to Agile.
The SSL setup is now complete and running on your WebLogic server.
You need to configure SSL for each WLS server in the cluster. You also need to configure SSL on the Load Balancer (LB) and update the LB URI in the Agile PLM Application SSL configuration. In addition, import the LB SSL certificate into the trust keystore of every WLS server, and import every WLS server's SSL certificate into the LB trust keystore.
Modify the following configuration files for the SSL environment:
jndiurl.properties
Path: <AGILE_HOME>\agileDomain\application\application.ear\APP-INF\classes
server1=t3s://<app_server_alias>:7002
agile.properties
Path: <AGILE_HOME>\agileDomain\config
##### Common Web Security Settings ###########
# Specify whether to use the Secure flag to protect sensitive cookies
WebSecurity.ForceSecureCookies = true
ext.jnlp
Path: <AGILE_HOME>\agileDomain\application\application.ear\JavaClient.war\wls
<jnlp spec="1.0+" codebase="https://<app_server_alias>:7002/JavaClient">
pcclient.jnlp
Path: <AGILE_HOME>\agileDomain\application\application.ear\JavaClient.war
<jnlp spec="1.0+" codebase="https://<app_server_alias>:7002/JavaClient">
<argument>serverURL=t3s://<server_url>:7002</argument>
<argument>jvuecodebase=https://<fm_server_alias>:8443/Filemgr/jVue</argument>
<argument>jvueserver=https://<app_server_alias>:7002/Agile/VueServlet</argument>
custom.jnlp
Path: <AGILE_HOME>\agileDomain\application\application.ear\JavaClient.war
<jnlp spec="1.0+" codebase="https://<app_server_alias>:7002/JavaClient">
Once you have completed modifying the configuration files, restart the application server to make the settings effective.
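Because the warning above requires every component to move to SSL together, a leftover http:// or t3:// URL in any one of these files breaks the setup. The following consistency check is an added example, not part of the Oracle documentation or product: it scans the file contents for URLs that are still on a plain scheme and confirms that WebSecurity.ForceSecureCookies is true. The sample file contents and host names (agileapp.example.com, fm.example.com) are constructed.

```python
import re

# Constructed sample contents of the five configuration files after the SSL
# cut-over; the host names are placeholders, not real systems.
SAMPLE_FILES = {
    "jndiurl.properties": "server1=t3s://agileapp.example.com:7002\n",
    "agile.properties": "WebSecurity.ForceSecureCookies = true\n",
    "ext.jnlp": '<jnlp spec="1.0+" codebase="https://agileapp.example.com:7002/JavaClient">',
    "pcclient.jnlp": (
        '<jnlp spec="1.0+" codebase="https://agileapp.example.com:7002/JavaClient">'
        "<argument>serverURL=t3s://agileapp.example.com:7002</argument>"
        # one argument deliberately left on the old plain-HTTP File Manager port
        "<argument>jvuecodebase=http://fm.example.com:8080/Filemgr/jVue</argument>"
        "<argument>jvueserver=https://agileapp.example.com:7002/Agile/VueServlet</argument>"
    ),
    "custom.jnlp": '<jnlp spec="1.0+" codebase="https://agileapp.example.com:7002/JavaClient">',
}

# Matches http://, https://, t3:// and t3s:// URLs up to whitespace, quotes or tag brackets.
URL_RE = re.compile(r"\b(https?|t3s?)://([^\s\"'<>]+)")
SECURE_SCHEMES = {"https", "t3s"}


def find_insecure_urls(text):
    """Return (scheme, target) for every URL whose scheme is not https or t3s."""
    return [(m.group(1), m.group(2)) for m in URL_RE.finditer(text)
            if m.group(1) not in SECURE_SCHEMES]


def secure_cookies_enabled(agile_properties):
    """True only if WebSecurity.ForceSecureCookies is explicitly set to true."""
    m = re.search(r"^\s*WebSecurity\.ForceSecureCookies\s*=\s*(\w+)",
                  agile_properties, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "true"


def audit_ssl_cutover(files):
    """Return one finding per leftover plain URL or missing cookie setting; empty means complete."""
    findings = []
    for name, text in files.items():
        for scheme, target in find_insecure_urls(text):
            findings.append(f"{name}: plain {scheme}:// URL still present -> {scheme}://{target}")
    if "agile.properties" in files and not secure_cookies_enabled(files["agile.properties"]):
        findings.append("agile.properties: WebSecurity.ForceSecureCookies is not set to true")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_cutover(SAMPLE_FILES) or ["all files use https:// / t3s://"]:
        print(finding)
```

Run it against the real files by reading each path listed above into the dictionary in place of the constructed contents.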
Whenever user-sensitive cookies are generated in Agile PLM, the HTTPOnly flag is also included in the Set-Cookie HTTP response header. This helps mitigate the risk of a client-side script accessing the protected cookie, if the browser supports it. You can change the flag's value to false to retain legacy behavior. From a secure system perspective, however, Oracle recommends that customers keep the HTTPOnly flag set to true.
Additionally, Agile PLM does not mandate use of SSL, so setting the Secure flag prevents non-SSL enabled customers from using Agile. The solution is to introduce a setting for secure mode and if enabled, then set the Secure Flag on all the sensitive cookies. This ensures that sensitive cookies are available in another application only through HTTPS. These cookies are not available through HTTP, even if both the Agile PLM Application and the external application are deployed in the same domain. You can change the value to false to retain legacy behavior. From a secure system perspective, however, Oracle recommends that customers keep this flag set to true.
The following section describes how to configure SSL on a File Manager.
Note: When SSL is enabled, you must ensure that the Tomcat Server configuration file (AGILE_HOME\FileManager\conf\server.xml) is protected using file access permissions. Visibility/accessibility should be limited to only users with root or elevated privileges. This file contains sensitive password data.
To generate the SSL signature key and Certificate Signing Request for File Manager, do the following:
Generate SSL keystore fm-keystore.jks.
Alias: fm
Keysize: 2048
Algorithm: RSA
Generate the Certificate Signing Request with the SSL keystore above and send it to the Certifying Authority.
The Certifying Authority returns the newly issued certificate, the Root CA certificate, and an intermediate CA certificate. Importing the newly issued certificate normally means installing its certificate trust chain first: install (or verify the prior installation of) (a) the Root CA certificate (the trust anchor) and (b) the intermediate SSL CA certificate before (c) the newly issued SSL certificate itself is installed.
Once you have imported the CA certificate to the File Manager SSL keystore, continue with the following procedures.
Export the File Manager SSL certificate from fm-keystore.jks; in this document it is named fm-ssl-cert.cer. Import the File Manager SSL certificate into the Agile Server SSL trust keystore.
Export the Agile Server certificate from agile-keystore.jks; in this document it is named agile-ssl-cert.cer. Import agile-ssl-cert.cer into the File Manager keystore.
Open <AGILE_HOME>\FileManager\conf\server.xml and add a new connector. The file manager SSL port is 8443. Place the connector code after the code for the connector of port 8080, as shown in the following example:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="<certificate path>\fm-keystore.jks" keystorePass="<keystore_password>" keyAlias="fm"
    clientAuth="false" sslProtocol="TLS" />
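A typo in this connector (secure="false", a wrong redirectPort, an empty keystorePass) leaves the File Manager reachable over plain HTTP. The following audit is an added example, not part of the Oracle documentation or product: it parses a server.xml fragment and checks the 8443 connector's attributes and the 8080 connector's redirect. The sample XML, keystore path and password are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the two connectors above; the
# keystore path and password are placeholders, not real values.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="C:/certs/fm-keystore.jks" keystorePass="placeholder-password" keyAlias="fm"
    clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""

# Attribute values the File Manager SSL connector must carry.
REQUIRED_SSL_ATTRS = {"scheme": "https", "secure": "true", "SSLEnabled": "true",
                      "keyAlias": "fm", "sslProtocol": "TLS"}


def audit_file_manager_connectors(xml_text, ssl_port="8443", plain_port="8080"):
    """Return a list of findings; an empty list means both connectors match the documented setup."""
    root = ET.fromstring(xml_text)
    connectors = {c.get("port"): c.attrib for c in root.iter("Connector")}
    ssl = connectors.get(ssl_port)
    if ssl is None:
        return [f"no Connector on port {ssl_port}"]
    findings = []
    for attr, expected in REQUIRED_SSL_ATTRS.items():
        if ssl.get(attr) != expected:
            findings.append(f"{ssl_port}: {attr} should be {expected!r}, found {ssl.get(attr)!r}")
    # The keystore location and password must be filled in, not left blank.
    for attr in ("keystoreFile", "keystorePass"):
        if not ssl.get(attr):
            findings.append(f"{ssl_port}: {attr} is missing or empty")
    # The plain connector must send clients to the SSL port, not elsewhere.
    plain = connectors.get(plain_port)
    if plain is not None and plain.get("redirectPort") != ssl_port:
        findings.append(f"{plain_port}: redirectPort should be {ssl_port}, "
                        f"found {plain.get('redirectPort')!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_file_manager_connectors(SAMPLE_SERVER_XML) or ["connectors OK"]:
        print(finding)
```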
To configure SSL on the File Manager application, change <AGILE_HOME>\agileDomain\config\server.conf as follows:
app.server.url=https://<app_server_alias>:7002/Agile/FSHelper/FSHelperWSService
file.server.url=https://<fm_server_alias>:8443/Filemgr/services/FileServer
dms.server.url=https://<app_server_alias>:7002/Agile/DmsService/DmsViewerAPIService
To configure the Java Client File Manager node, log in to Java Client, navigate to Admin > Server Settings > Locations, and do the following:
Change General Information > Web Server URL to https://<app_server_alias>:7002/Agile/PLMServlet
Change Java Client URL to https://<app_server_alias>:7002/JavaClient/start.jsp
Change File Manager > iFS to https://<fm_server_alias>:8443/Filemgr/AttachmentServlet
Restart the File Manager server and access https://<fm_server_alias>:8443/Filemgr/Configuration to check the File Manager configuration.
SSL is now configured on File Manager. Restart the File Manager and it should work as expected.
The AutoVue server should be configured to point to the SSL-protected VueServlet hosted on File Manager.
Import both the Application Server and File Manager server certificates into the AutoVue server's JRE truststore (<AGILE_HOME>\jre\lib\security\cacerts) using Java's keytool command.
Note: The certificates have already been generated in steps 1 and 2 of "Configuring SSL on the File Manager".
Restart the AutoVue server.
If there are multiple DFM nodes deployed, you need to do the following configurations on each node.
Set up DFMs.
Follow the steps in the section Securing Agile PLM File Manager(s) Using SSL.
Export the DFM's SSL certificate.
Import the DFM's SSL certificate into the Agile Server trust store (agile-truststore.jks) and the File Manager keystore (fm-keystore.jks).
Restart the File Manager server and access https://<fm_server_alias>:8443/Filemgr/Configuration to check the File Manager configuration.