Oracle® Retail Integration Bus Security Guide
Release 15.0.2
E90647-01

2 RIB Secure Installation and Configuration

This chapter explains how to securely configure Oracle Retail Integration Bus applications and related tools. For installation instructions, see the Installation Guide that accompanies each product.

Security in RIB Application Builder

RIB Application Builder is a tool for building and deploying RIB applications on the WebLogic server. The rib-deployment-env-info.xml file is the single source of all values used in the RIB App Builder tools. It is the only (or should be the only) file that requires editing. The RIB installer gathers the appropriate values from you, constructs the file, and invokes the appropriate tools.

<aq-jms-server jms-server-id="jms1">
    <jms-server-home>linux1@linux1:/home/oracle/oracle/product/12.1.0/db_1</jms-server-home>
    <jms-url>jdbc:oracle:thin:@linux1:1521/pdborcl</jms-url>
    <jms-port>1521</jms-port>
    <jms-user-alias>jms1_user-name-alias</jms-user-alias>
</aq-jms-server>

This file does not contain the username and password for connecting to the application server or the databases. Rather, it contains the alias for each user name/password combination. This alias refers to the user name/password stored in a secured wallet file. The wallet file is created when the user runs the application assembly tool during the RIB application building process.

The syntax for the application assembly command is as follows:

rib-app-compiler.sh -setup-security-credential

The argument, -setup-security-credential, must be used when running the rib-app-compiler for the first time. It prompts the user to enter all usernames and passwords required to install RIB components. It stores details as credentials in a wallet file inside the rib-home/deployment-home/conf/security/ directory. The credentials are retrieved and used by the deployer script when installing RIB components.

Only the operating system user who created the wallet file with the RIB application assembly tool has read and write access to the file. Other users do not have permission to access the file. The file permissions are set up during the post-deployment phase for RIB applications. For more information about RIB Application Builder, see the Oracle Retail Integration Bus Operations Guide.


Note:

You can also change usernames and passwords for the RIB applications after deploying them. Refer to the section "setup-security-credential," under "RIB App Builder Tools" in the "Application Builder" chapter in Oracle Retail Integration Bus Operations Guide for information on changing RIB usernames and passwords after deployment.
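The two properties this section relies on, that rib-deployment-env-info.xml carries only aliases (never a literal password) and that the wallet directory is readable by its owner alone, can be checked before the deployer runs. The script below is an added example and is not part of the RIB tooling; the rib-deployment-env-info.xml layout it parses is constructed for the example, with only the aq-jms-server and jms-user-alias elements taken from the guide, and the wls-instance, wls-user-alias and password elements assumed. The wallet file name cwallet.sso and the companion file name are likewise placeholders.

```python
"""Check that a RIB deployment file references credentials only by alias
and that the wallet directory under rib-home/deployment-home/conf/security/
grants no access to group or other users.

Added example, not part of RIB. The XML layout is constructed: only
<aq-jms-server> and <jms-user-alias> come from the guide; the other
element names are assumptions.
"""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of rib-deployment-env-info.xml with one defect:
# a plaintext <password> element where only an alias should appear.
SAMPLE_XML = """<rib-deployment-env-info>
  <aq-jms-server jms-server-id="jms1">
    <jms-url>jdbc:oracle:thin:@linux1:1521/pdborcl</jms-url>
    <jms-port>1521</jms-port>
    <jms-user-alias>jms1_user-name-alias</jms-user-alias>
  </aq-jms-server>
  <wls-instance name="rib-oms-server">
    <wls-user-alias>rib-oms-server_user-name-alias</wls-user-alias>
    <password>Welcome1</password>
  </wls-instance>
</rib-deployment-env-info>
"""

# Alias values in the guide end in "_user-name-alias"; anything else is suspect.
ALIAS_RE = re.compile(r"^[A-Za-z0-9._-]+_user-name-alias$")


def find_credential_leaks(xml_text):
    """Return a list of problems found in the deployment file: plaintext
    credential elements, empty aliases, and aliases not in the expected form."""
    problems = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.lower()
        text = (elem.text or "").strip()
        if "password" in tag or "passwd" in tag:
            problems.append(f"plaintext credential element <{elem.tag}>")
        elif tag.endswith("-alias"):
            if not text:
                problems.append(f"empty alias in <{elem.tag}>")
            elif not ALIAS_RE.match(text):
                problems.append(f"unexpected alias value {text!r} in <{elem.tag}>")
    return problems


def check_wallet_permissions(security_dir):
    """Return the entries under security_dir (the directory itself included)
    that are not owned by the current user or grant any group/other access,
    i.e. anything looser than 0700 for the directory and 0600 for its files."""
    bad = []
    entries = [security_dir] + [
        os.path.join(security_dir, n) for n in sorted(os.listdir(security_dir))
    ]
    for path in entries:
        st = os.stat(path)
        if st.st_uid != os.getuid() or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            bad.append(path)
    return bad


def demo_wallet_check():
    """Build a throwaway security directory with one correctly protected
    file and one world-readable file, and return the base names flagged."""
    d = tempfile.mkdtemp()            # mkdtemp creates the directory as 0700
    good = os.path.join(d, "cwallet.sso")      # placeholder wallet file name
    loose = os.path.join(d, "jps-config.xml")  # placeholder companion file
    for p, mode in ((good, 0o600), (loose, 0o644)):
        with open(p, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(p, mode)
    return [os.path.basename(p) for p in check_wallet_permissions(d)]


if __name__ == "__main__":
    for problem in find_credential_leaks(SAMPLE_XML):
        print("deployment file:", problem)
    for name in demo_wallet_check():
        print("permissions too loose:", name)
```

Run it against the real file by passing the contents of rib-deployment-env-info.xml to find_credential_leaks and the conf/security path to check_wallet_permissions; an empty list from both is the expected state after the post-deployment phase described above.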

Security in RIB Deployment Configuration File Editor

The RIB Deployment Configuration File Editor is an application used to configure the rib-deployment-env-info.xml file, following installation. It provides a user interface for adding, removing, and rearranging the elements of the RIB configuration. This tool has fields for entering usernames and passwords required for connecting to the application server and databases. Values entered in the password field in the tool are displayed as a series of asterisks (one for each character). The values entered in this field are stored in the secured wallet file in the rib-home/deployment-home/conf/security/ directory. For information about the RIB Deployment Configuration File Editor, see the section "RIB Deployment Configuration File Editor," in the "Application Builder" chapter in the Oracle Retail Integration Bus Operations Guide.

Security During RIB Deployment Process

You can run the RIB application assembly tool to build RIB application ear files. The generated .ear files contain deployment descriptors for data sources used by RIB runtime to connect to the application database and the error hospital database. The deployment descriptors contain the username for accessing the database, but the passwords are not stored there. During the deployment process for the RIB application, the passwords are read from the wallet file and encrypted using a WebLogic utility. The encrypted passwords are added in a WebLogic deployment plan that is uploaded on the server along with the .ear file.

Security During RIB Runtime

During the runtime process, the RIB application must make calls to the JMX server. The WebLogic instance username and password are required to make connections to the JMX server. This information is stored in a secured wallet file, the path to which is stored in the rib-system.properties file. For information about the properties in the rib-system.properties file, see the "rib-system.properties" section in the "Backend System Administration and Logging" chapter of the Oracle Retail Integration Bus Operations Guide. Only the operating system user who created them has read and write access to the properties files created during the RIB application deployment process. Other users do not have permission to access the files. Permissions are granted during the post-deployment phase for RIB applications.


Note:

Due to known vulnerabilities, Oracle recommends disabling SSLv3 in all products. We recommend using the TLSv1.2 protocol. WebLogic server can be configured to use the TLSv1.2 protocol by adding the following line to setDomainEnv.sh. Restart the server after making the change.

JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"


RIB Administration Security

For more information on RIB administration security, see the Oracle Retail Integration Bus Implementation Guide.

Security in RIHA

Oracle Retail Integration Bus Hospital Administration or RIB Hospital Administration (RIHA) is a tool to manage RIB messages in the RIB error hospital tables. It is a Web application that is deployable on the WebLogic server. For more information on setting up security for RIHA, see the "Installation and Setup" section in the Oracle Retail Integration Bus Hospital Administration Guide.

Security in RDMT

The RIB Diagnostic and Monitoring Toolkit (RDMT) is a collection of command line tools for controlling and monitoring RIB applications. When used from within rib-home, RDMT loads configuration information from the rib-deployment-env-info.xml file. For username and password information, it reads the wallet file created during the RIB application assembly process. For information about RDMT, see the "Diagnostic and Monitoring Tools" chapter in the Oracle Retail Integration Bus Operations Guide.

Security in PL/SQL Application API Stubs

The plsql-api-stub is an API simulator designed to act as though the RIB is connected to the application, but it can process specific status and other parameters from a "stubbed" application. This set of tools is designed to emulate those applications exposing PL/SQL APIs to RIB, such as RMS and RWMS. The tool reads and writes the username and password for connecting to the database in a secured wallet file.

Security in Integration Gateway Services

The RIB Integration Gateway Services (IGS) component is a set of standard Simple Object Access Protocol (SOAP) based Web services that provide access to the RIB infrastructure. These Web services are generated using the Oracle Retail Service Enabler Tool. They should be secured after being deployed. For more information, see Chapter 3 - Secure IGS Web Services Using the Administration Console in this guide.

Secure Sockets Layer Configuration

Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network to authenticate each other's identity and encrypting the data exchanged between the applications. Configuring SSL in WebLogic servers in production environments is recommended. For more information, see the WebLogic documentation on configuring SSL in WebLogic 12c server at http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm#SECMG384

Deployment of RIB applications over the SSL protocol is supported by entering https as the protocol value in the deployment info XML file. After the applications are deployed, they run over SSL.

The following are high level steps for running the RIB in SSL environment:

  1. Configure SSL in the WebLogic server. (See WebLogic documentation for detailed steps.)

  2. Keep the SSL ports of the WebLogic server instances open for RIB deployment. Verify that the SSL port is open: In the WebLogic administration console, go to the Configuration > General page of the server instance. Verify that the SSL Listen Port Enabled checkbox is checked and provide a unique listen address to each managed server and the admin server.

  3. Make sure that the rib-deployment-env-info.xml file has protocol specified as https and port numbers are https port numbers for WebLogic server instances.

  4. Start the managed server with the SSL port enabled. For example, startManagedServer.sh rib-oms-server <AdminServerUrl>. Deploy the RIB applications. If required, non-SSL ports can be disabled as follows. In the WebLogic administration console, go to the Configuration > General page of the server instance. Uncheck the Listen Port Enabled checkbox and check the SSL Listen Port Enabled checkbox. This is an optional step and must be done only when all communications with the server are over the HTTPS protocol.

Security in Injector Service

The RIB integrates with Web service providers (for example, OMS) using an injector service. This section contains details about the security configuration required on the RIB side. End application (OMS) Web services can be secured with policyA or policyB. For more details on application service security, see the Oracle Retail Service Backbone Security Guide.

Figure 2-1 RIB to RSB Routing Service


RIB-OMS Security Configuration

Provide the RibOmsToRsbOmsRoutingService URL, user-alias, and ws-policy-name information in the rib-deployment-env-info.xml file present under rib-home/deployment-home/conf. The endpoint URL should be the secured injector service URL, and the user alias should be in the <rib-app>_ws_security_user-name-alias format (for example, rib-oms_ws_security_user-name-alias). The ws-policy name should be either policyA or policyB, depending on the OMS application Web service configuration.

Figure 2-2 RIB-OMS Security Configuration


For more information on installing the RIB-OMS application, see the Oracle Retail Integration Bus Installation Guide.
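The SSL steps above and the RIB-OMS injector settings are all values in rib-deployment-env-info.xml and setDomainEnv.sh, so they can be checked once before deployment rather than discovered at runtime. The script below is an added example and is not part of RIB or WebLogic; it checks that every server instance uses https, that the injector endpoint is an https URL with an alias of the form <rib-app>_ws_security_user-name-alias and a ws-policy-name of policyA or policyB, and that setDomainEnv.sh carries the TLSv1.2 minimum-protocol setting from the note earlier in this chapter. The wls-instance, injector-service, url, user-alias and ws-policy-name elements and the sample file contents are constructed for the example, not taken from a real deployment file.

```python
"""Pre-deployment SSL readiness check for a RIB environment.

Added example, not RIB tooling. The element names below are assumptions
about the layout of rib-deployment-env-info.xml; the protocol value,
the alias naming rule, the policy names and the WebLogic system property
are the ones this chapter describes.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one instance is still on http, and the injector
# alias lacks the required "_ws_security_" segment.
SAMPLE_ENV_XML = """<rib-deployment-env-info>
  <wls-instance name="rib-oms-server">
    <protocol>https</protocol>
    <port>7002</port>
  </wls-instance>
  <wls-instance name="rib-rms-server">
    <protocol>http</protocol>
    <port>7001</port>
  </wls-instance>
  <injector-service app="rib-oms">
    <url>https://rsb-host.example:8002/RibOmsToRsbOmsRoutingService</url>
    <user-alias>rib-oms_user-name-alias</user-alias>
    <ws-policy-name>policyA</ws-policy-name>
  </injector-service>
</rib-deployment-env-info>
"""

# Constructed setDomainEnv.sh fragment carrying the line from the chapter's note.
SAMPLE_DOMAIN_ENV = '''
JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"
export JAVA_OPTIONS
'''

WS_ALIAS_RE = re.compile(r"^(?P<app>rib-[a-z0-9]+)_ws_security_user-name-alias$")
KNOWN_POLICIES = {"policyA", "policyB"}
MIN_TLS_RE = re.compile(r"-Dweblogic\.security\.SSL\.minimumProtocolVersion=([^\s\"']+)")


def check_instances(root):
    """Flag every server instance whose protocol is not https."""
    findings = []
    for inst in root.iter("wls-instance"):
        name = inst.get("name", "?")
        proto = (inst.findtext("protocol") or "").strip().lower()
        if proto != "https":
            findings.append(f"{name}: protocol is {proto or 'unset'}, expected https")
    return findings


def check_injector(root):
    """Flag injector endpoints that are not https, aliases not in the
    <rib-app>_ws_security_user-name-alias form, and unknown policy names."""
    findings = []
    for svc in root.iter("injector-service"):
        app = svc.get("app", "?")
        url = (svc.findtext("url") or "").strip()
        alias = (svc.findtext("user-alias") or "").strip()
        policy = (svc.findtext("ws-policy-name") or "").strip()
        if not url.lower().startswith("https://"):
            findings.append(f"{app}: injector URL is not https")
        m = WS_ALIAS_RE.match(alias)
        if not m or m.group("app") != app:
            findings.append(f"{app}: user-alias should be {app}_ws_security_user-name-alias")
        if policy not in KNOWN_POLICIES:
            findings.append(f"{app}: ws-policy-name {policy!r} is not policyA or policyB")
    return findings


def check_min_tls(domain_env_text):
    """Return the configured minimum SSL/TLS protocol version, or None when
    the JAVA_OPTIONS setting is absent from setDomainEnv.sh."""
    m = MIN_TLS_RE.search(domain_env_text)
    return m.group(1) if m else None


def ssl_readiness(env_xml, domain_env_text):
    """Combine the three checks; an empty list means ready for SSL deployment."""
    root = ET.fromstring(env_xml)
    findings = check_instances(root) + check_injector(root)
    min_tls = check_min_tls(domain_env_text)
    if min_tls != "TLSv1.2":
        findings.append(f"setDomainEnv.sh minimum protocol is {min_tls}, expected TLSv1.2")
    return findings


if __name__ == "__main__":
    for f in ssl_readiness(SAMPLE_ENV_XML, SAMPLE_DOMAIN_ENV):
        print("not ready:", f)
```

The minimum-protocol check deliberately treats an absent setting the same as a weak one: a server that never sets the property falls back to the WebLogic default rather than to TLSv1.2, which is exactly the situation the note warns about.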

RIB-OMS to RSB-OMS Routing Service Security Configuration

Security policies need to be applied on each of the layers listed below:

  • Application Web services, secured with policyA or policyB.

  • Decorators, which are proxies to the actual application services, also have security policies applied.

  • The injector service, which is the bridge between the RIB and the RSB, also has security policies applied.

For more information on applying security policies to decorator services, see Oracle Retail Service Backbone Security Guide.

Take the following steps to apply security policies in a routing service:

  1. In the Service Bus Console, click the routing service proxy RibOmsToRsbOmsRoutingService. The following window appears. Click the Create button.

    Figure 2-3 Edit a Proxy Service

  2. Click Transport Details and select the HTTPS required option.

    Figure 2-4 HTTP Transport Configuration

  3. Click on Security Tab and select "From OWSM Policy Store".

    Figure 2-5 Service Policy Configuration

  4. Click the Attach Policies button. The following window appears.

    Figure 2-6 Attach Policies

  5. Select "oracle/wss_username_token_over_ssl_service_policy", click the Attach button and then click the OK button.

    Figure 2-7 Select Policy

  6. Click Save to save changes.

    Figure 2-8 Save

  7. Click Activate and Submit to save the session.

    Figure 2-9 Activate and Save


The above steps complete securing the injector service using the OSB Console.