AIP supports the use of Oracle WebLogic Server 11g Release 1 (10.3.6). The WebLogic server must be secured using the security recommendations provided in the Oracle Fusion Middleware Information Roadmap for Oracle WebLogic Server 11g Release 1. This chapter provides additional specific guidance for securing the WebLogic server for use with AIP.
Before you start setting up the WebLogic server, ensure that you have installed all the critical patch updates (CPU) and patches for the WebLogic server. Critical patch updates and patch sets for Oracle products are made available on the My Oracle Support Web site along with documentation or instructions on how you can install them.
When setting up the WebLogic domain, set up the following configuration parameters to ensure a secured configuration:
In a secured configuration, the WebLogic server administrative user names and passwords must not use any default or predictable values, such as weblogic1, welcome1, weblogic, and so on. When setting up the WebLogic domain, ensure that you use non-standard user names and passwords.
When the WebLogic server and domains are installed and set up, ensure that they are not running under the root operating system user account. Check both the running process and the files: the owner of the WebLogic Java process (for example, as shown by ps) must be a dedicated, unprivileged account, and none of the WebLogic server files and folders should be owned by the root operating system user.
Once the WebLogic domain for AIP is created, ensure that you manually disable the server's plain HTTP listen port and enable the SSL (HTTPS) listen port. This ensures that only a secure channel is used for accessing AIP.
You must also ensure that the secure HTTPS port number is changed to a non-default value (the WebLogic default SSL listen port is 7002). This value must be environment-specific, non-standard, and not easily predictable. Note that a non-default port only keeps the listener out of casual scans; it does not replace the keystore and SSL configuration described in the rest of this chapter.
For more information on configuring the listen ports, refer to the Oracle Fusion Middleware Administrator's Guide.
A Java keystore (JKS) is a password-protected file that stores private keys and certificates for an organization. It is used to achieve authentication, integrity, and privacy within a network. The WebLogic server uses JKS keystores for its SSL identity and trust and for applications deployed in the WebLogic server.
By default, the WebLogic server is configured with a demo identity keystore and trust keystore. These keystores must not be used in a production environment. You must create your own keystores in the production environment and set up the WebLogic server to use them.
This section describes how you can create your own keystore and trust store. It also describes the necessary configuration steps to set up the WebLogic server with your JKS keystore.
Use the following steps to set up your own keystore and trust store:
Note: In the following code snippets, the alias name (AIPselfsigned), keystore name (AIPkeystore), and trust store (AIPtrust) are used as examples. You may set up names of your own choosing.
Create a new directory named keystores in your AIP deployment and then navigate to this directory.
Run the following command to create your keystore and a self-signed certificate. Because no -dname or -keypass option is given, keytool prompts for the certificate's distinguished name and for the private key password; that password is the Private Key Passphrase you enter later on the SSL tab (pressing Enter reuses the keystore password). Replace the example value password with a strong, non-default passphrase, and be aware that a value typed on the command line is visible in the shell history and in the process list while keytool runs. A self-signed certificate is suitable for testing; for production, have the certificate signed by a certificate authority that your clients trust.
keytool -genkey -keyalg RSA -alias AIPselfsigned -keystore AIPkeystore.jks -storepass password -validity 360 -keysize 2048
Run the following command to export your certificate from the keystore:
keytool -export -alias AIPselfsigned -keystore AIPkeystore.jks -rfc -file AIPselfsigned.cer
Run the following command to create a trust store and add your certificate to the list of trusted certificates (keytool asks you to confirm that the certificate is trusted; answer yes):
keytool -import -alias AIPselfsigned -file AIPselfsigned.cer -keystore AIPtrust.ts -storepass password
Once completed, there are these three files in the keystores folder:
Keystore (AIPkeystore.jks), which holds the private key and its certificate. Restrict its file permissions to the WebLogic operating system user: anyone who can read it and knows the passphrase can impersonate the server.
Trust store (AIPtrust.ts), which holds the certificates the server trusts.
Certificate (AIPselfsigned.cer), the exported public certificate.
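The steps above as one shell function, added here as an example and not code from the AIP documentation or from Oracle. It differs from the commands above in three deliberate ways: the passphrases are read from environment variables through keytool's -storepass:env and -keypass:env options, so they never appear on the command line or in the process list; the default values this chapter warns against are refused; and the trust store is checked before it is handed to WebLogic. It assumes a JDK keytool on PATH; the function and variable names (reject_weak_secret, make_aip_keystores, KEYSTORE_PASS, TRUST_PASS, KEY_PASS) are mine.

```shell
#!/bin/sh
# Added example, not code from the AIP documentation or from Oracle: the
# keystore/trust-store procedure as a function. Passphrases come from the
# environment (keytool's -storepass:env / -keypass:env), so they do not land
# in shell history or in `ps` output. Assumes a JDK keytool on PATH.

# Refuse the default and predictable values this chapter warns against.
reject_weak_secret() {
  case "$1" in
    ''|password|weblogic|weblogic1|welcome1|changeit) return 1 ;;
  esac
  [ "${#1}" -ge 12 ]   # a length floor, not a full password policy
}

# make_aip_keystores DIR ALIAS CN
# Reads KEYSTORE_PASS and TRUST_PASS (and KEY_PASS, defaulting to KEYSTORE_PASS)
# from the environment and creates DIR/AIPkeystore.jks, DIR/ALIAS.cer and
# DIR/AIPtrust.ts, the three files listed above.
make_aip_keystores() {
  dir=$1; alias=$2; cn=$3
  : "${KEY_PASS:=$KEYSTORE_PASS}"
  for s in "$KEYSTORE_PASS" "$TRUST_PASS" "$KEY_PASS"; do
    reject_weak_secret "$s" || { echo "refusing weak or default passphrase" >&2; return 1; }
  done
  export KEYSTORE_PASS TRUST_PASS KEY_PASS
  mkdir -p "$dir" && chmod 700 "$dir" || return 1

  # Identity keystore with a self-signed key pair. -genkeypair is the current
  # name of -genkey; -dname avoids the interactive prompts; -storetype JKS keeps
  # the format the Keystores tab expects even on JDKs that default to PKCS12.
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
    -alias "$alias" -dname "CN=$cn" \
    -keystore "$dir/AIPkeystore.jks" -storetype JKS \
    -storepass:env KEYSTORE_PASS -keypass:env KEY_PASS || return 1

  # Export the public certificate in PEM form (-rfc).
  keytool -exportcert -rfc -alias "$alias" \
    -keystore "$dir/AIPkeystore.jks" -storetype JKS \
    -storepass:env KEYSTORE_PASS -file "$dir/$alias.cer" || return 1

  # Trust store: -noprompt replaces the "Trust this certificate?" question.
  keytool -importcert -noprompt -alias "$alias" -file "$dir/$alias.cer" \
    -keystore "$dir/AIPtrust.ts" -storetype JKS \
    -storepass:env TRUST_PASS || return 1

  chmod 600 "$dir/AIPkeystore.jks" "$dir/AIPtrust.ts"
  # Confirm the trust store really holds the alias before pointing WebLogic at
  # it (keytool prints aliases in lower case).
  keytool -list -keystore "$dir/AIPtrust.ts" -storetype JKS \
    -storepass:env TRUST_PASS | grep -qi "^$alias,"
}
```

Usage: export KEYSTORE_PASS and TRUST_PASS (and KEY_PASS if the private key is to have its own passphrase), then run make_aip_keystores /u00/oracle/AIP133/keystores AIPselfsigned aip.example.com. The key passphrase chosen here is the Private Key Passphrase entered later on the SSL tab. For a CA-signed certificate, generate a request with keytool -certreq against the same alias and import the signed chain with -importcert before exporting; the rest of the workflow is unchanged.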
To associate the keystore and trust store with the WebLogic server instance:
Log on to the WebLogic Server Administration Console.
From the Domain Configurations section, click Servers, under the Environment category. The Summary of Servers page opens.
On the Summary of Servers page, under the Configuration tab, click the relevant server used for AIP. The Settings page for the server opens.
On the Settings page, in the Configuration tab, click the Keystores tab.
In the Keystores tab, click Change.
Note: You may need to lock the configuration for editing (click Lock & Edit in the Change Center).
From the drop-down list, select Custom Identity and Custom Trust.
Click Save.
Enter relevant information in the following fields:
Field | Description |
---|---|
Custom Identity Keystore | Specify the location of the keystore file (.jks). For example, /u00/oracle/AIP133/keystore/AIPkeystore.jks . |
Custom Identity Keystore Type | Specify the type of the keystore. Enter the text: jks. |
Custom Identity Keystore Passphrase | Specify the password associated with the keystore (set up when you created the keystore). |
Confirm Custom Identity Keystore Passphrase | Specify the same password again to confirm. |
Custom Trust Keystore | Specify the location of the trust store file (.ts). For example, /u00/oracle/AIP133/keystore/AIPtrust.ts . |
Custom Trust Keystore Type | Specify the type of the trust store. Enter the text: jks. |
Custom Trust Keystore Passphrase | Specify the password associated with the trust store (set up when you created the trust store). |
Confirm Custom Trust Keystore Passphrase | Specify the same password again to confirm. |
Click Save to save the entries on the Keystores tab.
Click the SSL tab and enter the relevant values in the following fields:
Field | Description |
---|---|
Private Key Alias | Specify the alias of the private key entry in the identity keystore (the -alias value used when you created it). For example, AIPselfsigned. |
Private Key Passphrase | Specify the password that protects the private key in the keystore (the key password chosen when you created it; if you accepted keytool's default, it is the same as the keystore password). |
Confirm Private Key Passphrase | Specify the password again to confirm. |
Click Save and activate your configuration changes.
Restart the WebLogic server for the changes to take effect.
The keystore and SSL settings apply only to the SSL listen port, so verify on the server's General tab that SSL Listen Port Enabled is selected (and that the plain Listen Port is disabled) before expecting the new keystores to be used.
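The console procedure above, and the listen-port requirements from earlier in this chapter, applied with a generated WLST script instead of the console. This is an added example and not code from the AIP documentation or from Oracle; it follows the cmo.set…/set(…) pattern that the console itself records. It assumes WL_HOME points at the WebLogic installation, a server named AIPServer with its SSL port on 7443, and admin credentials and passphrases supplied in environment variables (WLS_ADMIN_USER, WLS_ADMIN_PASS, ADMIN_URL, KEYSTORE_PASS, TRUST_PASS, KEY_PASS); the function names, paths and port are mine.

```shell
#!/bin/sh
# Added example, not code from the AIP documentation or from Oracle: the
# Keystores tab, SSL tab and listen-port settings as a generated WLST script,
# plus a post-restart check of the two ports. Assumed: WL_HOME is set; the
# server is AIPServer with SSL on 7443; credentials come from the environment.

# write_aip_ssl_wlst OUTFILE SERVER KEYSTORE_DIR ALIAS SSL_PORT
# Needs WLS_ADMIN_USER, WLS_ADMIN_PASS, ADMIN_URL, KEYSTORE_PASS, TRUST_PASS
# and KEY_PASS in the environment. Values must not contain a single quote.
write_aip_ssl_wlst() {
  out=$1; server=$2; ksdir=$3; alias=$4; sslport=$5
  # The script carries secrets: create it owner-readable only.
  ( umask 077; cat > "$out" <<EOF
connect('${WLS_ADMIN_USER}', '${WLS_ADMIN_PASS}', '${ADMIN_URL}')
edit()
startEdit()
cd('/Servers/${server}')
# Keystores tab: Custom Identity and Custom Trust, JKS on both sides
cmo.setKeyStores('CustomIdentityAndCustomTrust')
cmo.setCustomIdentityKeyStoreFileName('${ksdir}/AIPkeystore.jks')
cmo.setCustomIdentityKeyStoreType('JKS')
set('CustomIdentityKeyStorePassPhrase', '${KEYSTORE_PASS}')
cmo.setCustomTrustKeyStoreFileName('${ksdir}/AIPtrust.ts')
cmo.setCustomTrustKeyStoreType('JKS')
set('CustomTrustKeyStorePassPhrase', '${TRUST_PASS}')
# SSL tab: which key in the identity store the server presents
cd('/Servers/${server}/SSL/${server}')
cmo.setServerPrivateKeyAlias('${alias}')
set('ServerPrivateKeyPassPhrase', '${KEY_PASS}')
cmo.setEnabled(true)
cmo.setListenPort(${sslport})
# General tab: no plain HTTP listener once SSL is up
cd('/Servers/${server}')
cmo.setListenPortEnabled(false)
save()
activate()
disconnect()
EOF
  )
  chmod 600 "$out"
}

# apply_aip_ssl_wlst SCRIPT
# Runs the script with the domain's WLST and removes it so the credentials do
# not stay on disk. Restart the server afterwards, as the chapter requires.
apply_aip_ssl_wlst() {
  "${WL_HOME:?WL_HOME is not set}/common/bin/wlst.sh" "$1"
  rc=$?
  rm -f "$1"
  return "$rc"
}

# check_aip_listeners HOST HTTP_PORT SSL_PORT
# After the restart: the plain port must refuse connections (curl exit code 7)
# and the SSL port must present the certificate generated earlier.
check_aip_listeners() {
  host=$1; http=$2; ssl=$3
  curl -s --connect-timeout 5 -o /dev/null "http://$host:$http/"
  [ $? -eq 7 ] || { echo "plain HTTP port $http is still reachable" >&2; return 1; }
  openssl s_client -connect "$host:$ssl" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}
```

Usage: write_aip_ssl_wlst /tmp/aip-ssl.py AIPServer /u00/oracle/AIP133/keystores AIPselfsigned 7443, then apply_aip_ssl_wlst /tmp/aip-ssl.py, restart the server, and run check_aip_listeners aip.example.com 7001 7443 (curl and openssl are assumed). If the script targets the admin server itself, its plain port disappears on activation, so later WLST sessions must connect with t3s:// on the SSL port. To keep the admin password out of the file entirely, create a user configuration with WLST's storeUserConfig() once and replace the connect() line with connect(userConfigFile=..., userKeyFile=..., url=...).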