Oracle® Retail Integration Bus Installation Guide
Release 15.0.2
E90690-01
8 RIB Security

This chapter explains how to securely configure Oracle Retail Integration Bus applications and related tools.

Security in RIB Application Builder

RIB Application Builder is a tool for building and deploying RIB applications on the WebLogic server. The rib-deployment-env-info.xml file is the single source of all values used in the RIB App Builder tools. It is the only (or should be the only) file that requires editing. The RIB Installer gathers the appropriate values from the user, constructs the file, and invokes the appropriate tools.

This file contains all the configuration information required for building RIB applications. Below is a sample for AQ configuration details:

<aq-jms-server jms-server-id="jms1">
<jms-server-home>linux1@linux1:/home/oracle/oracle/product/12.1.0.2/db_1</jms-server-home>
<jms-url>jdbc:oracle:thin:@linux1:1521:ora12c</jms-url>
<jms-port>1521</jms-port>
<jms-user-alias>jms1_user-name-alias</jms-user-alias>
</aq-jms-server>

This file does not contain the user name and password for connecting to the application server or databases. Rather, it contains the alias for each user name/password combination. This alias refers to the user name/password stored in a secured wallet file. The wallet file is created when the user runs the application assembly tool during the RIB application building process.

The syntax for the application assembly command is as follows:

./rib-app-compiler.sh -setup-security-credential 

The argument, setup-security-credential, must be used when running the rib-app-compiler for the first time. It prompts the user to enter user names and passwords required to install RIB components. It stores details as credentials in a wallet file inside the rib-home/deployment-home/conf/security/ directory. The credentials are retrieved and used by the deployer when installing RIB components.

Only the operating system user who created the wallet file with the RIB application assembly tool has read and write access to the file. Other users do not have permission to access the file. The file permissions are set up during the post-deployment phase for RIB applications.
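A post-deployment hygiene check for the wallet directory and the alias-only deployment file described above, as an added example that is not part of the Oracle guide or the RIB tooling. It assumes rib-home is passed as the first argument, checks every regular file under deployment-home/conf/security/ because the guide does not name the wallet file, and treats the "password" grep as a heuristic rather than a RIB schema rule.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide. Verifies that the wallet directory
# (rib-home/deployment-home/conf/security/) is accessible only to the OS user who
# created it, and that rib-deployment-env-info.xml holds aliases, not credentials.
# Assumptions: "$1" is rib-home; every regular file in the security directory is a
# wallet artefact; the "password" grep is a heuristic, not a RIB schema rule.

# 0 if group and other have no permission bits on "$1" (columns 5-10 of ls -ld).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if "$1" is owned by the invoking OS user.
owned_by_me() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "$(id -un)" ]
}

# Print one line per finding; return 1 if anything is wrong, 0 if clean.
check_wallet_dir() {
    dir="$1/deployment-home/conf/security"
    status=0
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 1; }
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue
        owner_only "$f"  || { echo "GROUP/WORLD ACCESS: $f"; status=1; }
        owned_by_me "$f" || { echo "OTHER OWNER: $f"; status=1; }
    done
    return $status
}

# Return 1 if the deployment-info XML ("$1") carries a password-looking element or
# attribute, or no *-alias element at all; 0 when it uses alias references only.
check_env_info_aliases_only() {
    if grep -qiE '<[^>]*password|password *=' "$1"; then
        echo "LITERAL CREDENTIAL IN: $1"
        return 1
    fi
    grep -q '<[a-z-]*-alias>' "$1" || { echo "NO ALIAS ELEMENTS IN: $1"; return 1; }
    return 0
}
```

Run it as the OS user that executed rib-app-compiler.sh, since ownership is compared against the invoking user.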

See the "Application Builder" chapter in the Oracle Retail Integration Bus Operations Guide for details about the RIB Application Builder.


Note:

Users also can change user names and passwords for RIB applications after deploying them. Refer to the section, "setup-security-credential," under "RIB App Builder Tools" in the "Application Builder" chapter in Oracle Retail Integration Bus Operations Guide for how to change RIB user names and passwords after deployment.

Security in RIB Deployment Configuration File Editor

The RIB Deployment Configuration File Editor is an application used to configure the rib-deployment-env-info.xml file, following installation. It provides a user interface for adding, removing, and rearranging the elements of the RIB configuration.

This tool has fields for entering the user names and passwords required for connecting to the application server and databases. Values entered in the password field are displayed as a series of asterisks (one for each character). The values entered in this field are stored in the secured wallet file in the rib-home/deployment-home/conf/security/ directory.

For information about the RIB Deployment Configuration File Editor, see the section, "RIB Deployment Configuration File Editor," in the "Application Builder" chapter in the Oracle Retail Integration Bus Operations Guide.

Security during RIB Deployment Process

Users can run the RIB application assembly tool to build RIB application .ear files. The generated .ear files contain deployment descriptors for data sources used by RIB runtime to connect to the application database and the error hospital database. The deployment descriptors contain the user name for accessing the database, but the passwords are not stored there. During the deployment process for the RIB application, the passwords are read from the wallet file and encrypted using a WebLogic utility. The encrypted passwords are added in a WebLogic deployment plan that is uploaded on the server along with the .ear file.

Security during RIB Runtime

During the runtime process, the RIB application must make JMX calls to the JMX server. WebLogic instance user name and password are required to make connections to the JMX server. This information is stored in a secured wallet file, the path to which is stored in the rib-system.properties file.

For information about the properties in rib-system.properties file, see the "rib-system.properties" section in the "Backend System Administration and Logging" chapter of the Oracle Retail Integration Bus Operations Guide.

Only the operating system user who created them has read and write access to the properties files created during the RIB application deployment process. Other users do not have permission to access the files. Permissions are granted during the post deployment phase for RIB applications.

RIB Administration Security

There are two categories of administrators in RIB: RIB System Administrators and RIB Application Administrators. The defined realms, roles, and users differ according to administrator type.

RIB System Administrators install, configure, and deploy defect fixes—and make sure that integration infrastructure is up and running properly.

RIB Application Administrators handle the business side of the integration system. Primarily, they bring RIB adapters up or down and fix data issues with message payloads through RIHA.

RIB Application Administrators Security Domain

The WebLogic server has a default security realm. For each rib-<app>.ear deployed, RIB creates a user in the default security realm. By default, RIB creates a user that belongs to the ribAdminGroup and administrators groups. RIB system administrators can manage rib-<app> application users and access control through the WebLogic Server Administration Console. The default group and user that RIB creates must not be deleted or modified.

The user created in ribAdminGroup has access to the RIB administration GUI. When a RIB application administrator tries to access the RIB administration GUI, a basic authentication screen is displayed, where the user must provide a user name and password for authentication. The user name must be the same as the one created by RIB in ribAdminGroup. When the credentials are verified, the RIB administration GUI home page is displayed.

Multiple User Configuration

To create new users to logon to the RIB Administration GUI, follow these steps:

  1. Log in to the WebLogic console and navigate to Home > Summary of Security Realms > myrealm > Users and Groups.

  2. Create a new user, for example: testuser.

  3. Navigate to the details of the new user.

  4. On the Groups tab, choose the group ribAdminGroup from the list.

    For example: Home > Summary of Security Realms > Summary of Deployments > Summary of Security Realms > myrealm > Users and Groups > testuser.

RIB System Administrators Security Domain

The RIB System Administrators primarily focus on managing access to RIB's JMS server, application server instances, RIB Hospital database, and the rib-home workspace. RIB must be deployed with the default WebLogic administration user.

Security in RIHA

Oracle Retail Integration Bus Hospital Administration or RIB Hospital Administration (RIHA) is a tool to manage RIB messages in the RIB hospital error tables. It is a Web application that is deployable on the WebLogic server.

For how to set up security for RIHA, see the "Security Setup Guidelines" section in the Oracle Retail Integration Bus Hospital Administration Guide.

Security in RDMT

The RIB Diagnostic and Monitoring Tool Kit (RDMT) is a collection of command line tools for controlling and monitoring RIB applications. When used from within rib-home, RDMT loads configuration information from the rib-deployment-env-info.xml file. For user name and password information, it reads the wallet file created during the RIB application assembly process.

For information about RDMT, see the "Diagnostic and Monitoring Tools" chapter in the Oracle Retail Integration Bus Operations Guide.

Security in PL/SQL Application API Stubs

The plsql-api-stubs is an API simulator designed to act as though RIB is connected to the application, but it can process specific status and other parameters from a "stubbed" application. This set of tools is designed to emulate those applications exposing PL/SQL APIs to RIB, such as RMS, ORFM, and RWMS. The tool reads and writes the user name and password for connecting to the database in a secured wallet file.

Security in Integration Gateway Services

The RIB Integration Gateway Services (IGS) component is a set of standard Simple Object Access Protocol (SOAP) based Web services that provide access to the RIB infrastructure. These Web services are generated using the Oracle Retail Service Enabler Tool. They should be secured after being deployed. For information, see "Secure IGS Web Services Using the Administration Console."

SSL Configuration

Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and by encrypting the data exchanged between them. Configuring SSL in WebLogic servers in production environments is recommended. See the WebLogic documentation for how to configure SSL in WebLogic. Below is the link to the documentation for configuring SSL in the WebLogic 12.2.1.2 server:

http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm#SECMG384

Deployment of RIB applications over SSL protocol is supported now by giving protocol values as https in deployment info xml.

Below are the steps for running RIB in SSL environment.

  1. Configure SSL in the WebLogic server. (See WebLogic documentation for detailed steps.)

  2. Keep the SSL ports of the WebLogic server instances open for RIB deployment. Verify that the SSL port is open: in the WebLogic administration console, go to the Configuration > General page of the server instance. Verify that the "Listen Port Enabled" checkbox is checked, and provide a listen address for all managed servers and the admin server.

  3. Make sure that the rib-deployment-env-info.xml file has protocol specified as https and port numbers are https port numbers for WebLogic server instances.

  4. When starting a managed server, provide the admin server URL.

    For example: startManagedServer.sh rib-oms-server https://host:port

  5. Deploy the RIB applications.

  6. If required, non-SSL ports can be disabled as follows. In the WebLogic administration console go to the Configuration > General page of the server instance. Uncheck the "Listen Port Enabled" checkbox and check the "SSL Listen Port Enabled" checkbox. This is an optional step and must be done only when all communications with the server are over HTTPS protocol.


    Note:

    Due to known vulnerabilities, Oracle recommends disabling SSLv3 in all products. We recommend using the TLSv1.2 protocol. WebLogic server can be configured to require TLSv1.2 as the minimum protocol version by adding the following line to setDomainEnv.sh (the property name is case-sensitive and must be spelled exactly as shown). Restart the server after making the change.

    JAVA_OPTIONS=" $JAVA_OPTIONS -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"
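A check for the minimum-TLS setting above, as an added example that is not part of the Oracle guide or of WebLogic. It assumes the first argument is a setDomainEnv.sh-style file, that the property name is matched case-sensitively (a mis-capitalised spelling such as webLogic.security... is reported as an error because the JVM would ignore it), and that only TLSv1.2 or TLSv1.3 count as an acceptable minimum.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide. Reads a setDomainEnv.sh-style file and
# reports whether JAVA_OPTIONS enforces TLSv1.2 or newer as the minimum SSL protocol.
# Assumptions: "$1" is the file; the last JAVA_OPTIONS line that sets the property wins;
# a property spelled with the wrong case is treated as an error, not as unset.

PROP='weblogic.security.SSL.minimumProtocolVersion'

# Print the effective value of the property from JAVA_OPTIONS lines, or nothing if unset.
min_tls_value() {
    grep 'JAVA_OPTIONS=' "$1" \
      | sed -n "s/.*-D${PROP}=\([^\"[:space:]]*\).*/\1/p" \
      | tail -n 1
}

# Return 0 when the file enforces TLSv1.2 or newer, 1 otherwise (reason printed).
check_min_tls() {
    file="$1"
    # A -D line that mentions the property with different capitalisation is a typo the
    # JVM would silently ignore, leaving SSLv3/TLSv1.0 negotiable.
    if grep -- '-D' "$file" | grep -v "$PROP" | grep -qi 'minimumProtocolVersion'; then
        echo "WRONG CASE: property must be spelled exactly $PROP"
        return 1
    fi
    v=$(min_tls_value "$file")
    case "$v" in
        TLSv1.2|TLSv1.3) echo "OK: minimum protocol $v"; return 0 ;;
        "")              echo "NOT SET: SSLv3/TLSv1.0/TLSv1.1 may still be negotiated"; return 1 ;;
        *)               echo "TOO LOW: $v"; return 1 ;;
    esac
}
```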