| Oracle Agile Engineering Data Management Security Guide Release e6.2.1.0 E69102-01 |
|
 Previous |
 Next |
| Oracle Agile Engineering Data Management Security Guide Release e6.2.1.0 E69102-01 |
|
Previous |
Next |
This chapter describes the requisites to setup a secure environment and how you go about setting it up.
Before starting to setup a secure environment, make sure your standard installation works without issues.
|
Note: For information about the installation, refer to the Server Installation Guide on Windows and UNIX for Agile e6.2.1.0, or the Client Installation Guide on Windows for Agile e6.2.1.0. |
In the secure environment we will make some modifications to a standard environment. To configure the secure environment, you need a certificate from a trusted certificate authority.
|
WARNING: We DO NOT recommend the use of Self Signed Certificates in production environments. |
Setup of a secure productive environment needs expertise in network security setup. The following example shows a simple setup showing the Agile e6 requirements. In productive use, customers need to extend the setup with their networking security infrastructure requirements.
In Agile e6 system, it is possible to setup external access to the Agile e6 environment with the Java Client or a web browser using the Web Client. It is possible to setup the complete external communication over Internet using the HTTP/S protocol. Internal intranet communication will still be via HTTP and RPC calls.
|
Note: For Agile e6, Java Client is the main client. |
This section describes how to setup a secure environment for this use case.
Secure external communication means the communication in the internet from a Java and Web Client over the internet to a server in the DMZ which acts as the End Point for the Java and Web Client. In case of Agile e6, the End Point is Apache HTTPD, configured as a reverse proxy in the DMZ.
A certificate needs to be installed for Apache in the DMZ in this scenario.
Secure communication is only possible by enabling PLM-API for the Java Client. Otherwise the communication from the Java Client to the EDM Server process is not secure. For more details, refer to Administration Guide e6.2.1.0. The Chapter 4, Advanced Administration Tasks > About PLM-API / HTTP(S) Support.
Using the Web Client with HTTP/S and Web Fileservice with HTTP/S protocol is also secure.
The communication between the servers in the "secured" LAN is unencrypted. Customers need to take care that network traffic in this area cannot be read by unauthorized persons.
The following graphic illustrates an example of communication.
As shown in the graphic above, the external Java and Web Client connect to the Proxy Server over HTTP/S. The internal Java and Web Client connect directly to the Oracle WebLogic server.
The proxy server is configured to pass the incoming requests from the internet to the end points on the Oracle WebLogic Server in the intranet.
All endpoints are through HTTP or HTTP/S:
PLM-API for Java Client
Java Client WebStart for Java Client download
Web Presentation Service for the Web Client
Web Fileservice for file transfer
AutoVue proxy for AutoVue
AutoVue viewer WebStart for AutoVue viewer download
Core Web Service for business communication
Streaming File Services for file transfer over Web Services
For this scenario, you have to adapt the Java Client to use HTTP/S protocol and configure the proxy server to pass the incoming requests and accept HTTP/S connections.
|
Note: Setting up the firewalls or other DMZ infrastructure is not part of this document. |
To setup a secure EIP, the embedded Tomcat must be setup to support the HTTPS protocol. To do so, the embedded Tomcat must be set up to use Java Secure Socket Extension (JSSE), which means it needs a certificate keystore which contains the certificate. For more information on how to create such a keystore and certificate, refer the Tomcat documentation.
The embedded Tomcat in EIP must then be configured to use this keystore. This is described in the EIP Administration Guide for Agile e6.2.1.0 in section "Configuration File eai_ini.xml" "Controller Section".
This document describes only the minimal Apache configuration which is required, but, it is not sufficient for securing production environments. Refer to the Apache HTTP Server Version 2.4 Documentation at http://httpd.apache.org/docs/2.4/
This scenario is based on Apache HTTP Server (HTTPD) 2.4.x.
The next steps require an installed Apache, which does not need to be fully configured.
|
Note: On Windows it is not recommended to install the Apache HTTPD Server below "C:\Program Files" or "C:\Program Files (x86)" because these directories require special permissions to write files by the HTTPD server. We use C:/App/Apache24 for this description.You should consistently use forward slashes (not backslashes) in configuration files for path names, because Apache may interpret backslashes as an "escape character" sequence. |
Replace the following tokens with the values in the following configuration examples.
| Token | Description |
|---|---|
| <proxy_server> | The hostname of the Apache HTTPD server |
| <wl_server> | The hostname of the Oracle WebLogic server |
| <view_proxy> | The hostname of the Oracle AutoVue server |
For the Modules, enable or add the following lines:
LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_connect_module modules/mod_proxy_connect.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule substitute_module modules/mod_substitue.so LoadModule ssl_module modules/mod_ssl.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
For the Reverse Proxy, add a the following:
# Proxy configuration Include conf/extra/httpd-proxy.conf
Create the file httpd-proxy.conf in the conf/extra folder.
Add the proxy configuration (you must substitute the tokens with the real server hostnames)
<IfModule proxy_module>
ProxyRequests Off
SSLProxyEngine On
#
# JNLP
#
<Proxy "*.jnlp">
SetOutputFilter SUBSTITUTE
Substitute s#https://<wl_server>:7104/Jacc#https://<proxy_server>/Jacc#i
Substitute s#https://<wl_server>:7104/JVue#https://<proxy_server>/JVue#i
</Proxy>
#
# WSDL
#
<Location />
AddOutputFilterByType SUBSTITUTE text/xml
Substitute "s|https://<wl_ server>:7104/StreamingFileService|https://<proxy_server>/StreamingFileService|ni"
Substitute "s|https://<wl_server>:7108/CoreServices|https://<proxy_server>/CoreServices|ni"
</Location>
# # AutoVue #
ProxyPass /autovueproxy https://<view_proxy>:8443/servlet/VueServlet
ProxyPassReverse /autovueproxy https://<view_ proxy>:8443/servlet/VueServlet
ProxyPass /vuelink https://<wl_server>:7104/VueLink/Vuelink ProxyPassReverse /vuelink https://<wl_server>:7104/VueLink/Vuelink
# # WebStart applications #
ProxyPass /Jacc https://<wl_server>:7104/Jacc ProxyPassReverse /Jacc https://<wl_server>:7104/Jacc ProxyPass /JVue https://<wl_server>:7104/JVue ProxyPassReverse /JVue https://<wl_server>:7104/JVue
# # Services # ProxyPass /plmapi https://<wl_server>:7104/plm-api-axis/services ProxyPassReverse /plmapi https://<wl_server>:7104/plm-api-axis/services ProxyPass /FileService https://<wl_server>:7104/FileService ProxyPassReverse /FileService https://<wl_server>:7104/FileService ProxyPass /AgilePlmWps https://<wl_server>:7104/AgilePlmWps ProxyPassReverse /AgilePlmWps https://<wl_server>:7104/AgilePlmWps ProxyPass /StreamingFileService https://<wl_server>:7104/StreamingFileService ProxyPassReverse /StreamingFileService https://<wl_server>:7104/StreamingFileService ProxyPass /CoreServices https://<wl_server>:7108/CoreServices ProxyPassReverse /CoreServices https://<wl_server>:7108/CoreServices</IfModule>
For SSL, activate the following line:
Include conf/extra/http-ssl.conf
Add the hostname of your proxy server in the SSL configuration file to avoid getting an error while using the Java Client Webstart.
The following entries have to be added in the section <VirtualHost *:443>.
ServerName <proxy server:ssl port>
The ServerName directive sets the request scheme, hostname, and port that the server uses to identify itself.
SLCertificateFile <full qualified filename>
This directive points to the PEM-encoded Certificate file for the server and optionally also to the corresponding RSA or DSA Private Key file for it (contained in the same file).
SSLCertificateKeyFile <full qualified filename>
This directive points to the PEM-encoded Private Key file for the server. If the Private Key is not combined with the Certificate in the SSLCertificateFile, use this additional directive to point to the file with the stand-alone Private Key.
SSLCertificateChainFile <full qualified filename>
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.
|
Note: For more information about SSL, refer to the Apache mod_ssl documentation. |
The reverse proxy is accessible and the default Apache website appears:
https://<proxy_server>
Following links must be accessible without error:
https://<proxy_server>/FileService
https://<proxy_server>/plmapi
https://<proxy_server>/Jacc
https://<proxy_server>/AgilePlmWps
Following links must be accessible without error if you use AutoVue:
https://<proxy_server>/autovueproxy
https://<proxy_server>/JVue
https://<proxy_server>/vuelink
Following links must be accessible without error if you use Web Services:
https://<proxy_server>/CoreServices/BusinessObjectService?WSDL
https://<proxy_server>/StreamingFileService/DocumentFileService?WSDL
The demonstration digital certificates, private keys, and trusted CA certificates must be used in a development environment only. They must NOT be used in a production environment.
They are provided by default during WebLogic installation/domain setup.
For a production environment follow the steps in the WebLogic documentation to use non-demonstration digital certificates, private keys, and trusted CA certificates instead.
|
Note: A demonstration certificate of the WebLogic server will not be accepted by the Apache HTTPD reverse proxy. This usually results in the proxy error "Error during SSL Handshake with remote server" while accessing the WebLogic server over the proxy server. |
The Administration client will be installed automatically with the installer when installing a server component. It is a web based application and is deployed in an Apache Tomcat servlet container. To prevent sensitive data from being compromised, secure data transfer by using HTTPS is recommended.
For more information on setting up the Administration Client/ Tomcat secure refer to the Tomcat documentation "SSL/TLS Configuration How-TO" (https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html) which describes the steps to configure SSL/TLS support on Tomcat.
To enable HTTP/S support in the Java Client, you have to activate/change the HTTP/S support setting.
Download Java Client WebStart.
Open https://<proxy_server>/Jacc and select the download link.
After downloading the application, a warning appears that the digital signature of the application cannot be verified. "This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the location and publisher above.” Select ”Do not show this again for apps from the publisher and location above”
The Java Client starts.
Open the Java Client Preferences mask.
Enable the HTTP/S support and change/add the Server URL and Service name.
For external clients to:
Server URL: https://<fully qualified <proxy_server>
Service name: plmapi
For internal clients to:
Server URL: https:// fully qualified <wls_server> <SSl port>
Service name: plm-api-axis/services
The following screen shows an example configuration for an external client:
To enable HTTP/S support for the Web Fileservice, the web address in the vault configuration has to be changed.
|
Note: As you can see in the following screenshot, you can only define one web address per vault. This means the web address is the same for internal and external Java/Web Client. If you want to use this vault for internal and external Java/Web Clients, the <proxy_server> must be reached under his name from external and also from internal. |
|
Note: Local FMS is not working in Secure Environment. Only Web Fileservice can be used in Secure Environment |
Start the Agile e6 Java Client with a manager user.
Select Manager > File Management > Vaults.
Protocol: https Host: <proxy server> Port: 443 Path: /FileService
The following screenshot shows the configuration:
The general setup of the Batch Client is described in the manual Batch Client for Agile e6.2.1.0
To use the Batch Client with http(s), you need to disable the native FMS file transfer using the RPC (Port 111) by deleting the native FMS Client executable in the bin directory of the batch client environment.
|
Note: If the Batch Client cannot find the native FMS Client, the internal or HTTPS FMS Client is used. |
This dependence on the Vault configuration and Protocol setting is depicted in the above screenshot.
General setup of AutoVue is described in the "AutoVue Integration Installation and Administration Guide for Agile e6.2.1.0”.
|
Note: SSL has to be activated for the servlet container of the AutoVue deployment. |
|
Note: Perform these steps only if you are using AutoVue. |
Setup the AutoVue tunneling servlet that it can be accessed via HTTP/S.
For example, tomcat is configured with HTTP/S.
Start an Agile e6 Java Client with a manager user.
Select System > AutoVue > Configuration.
To enable secure communication, the following values must be changed:
EDB-PVM-AV-PROXY:
Value (for example): https://<proxy_server>/autovueproxy
Description: The URL where the AutoVue tunneling servlet can be accessed via HTTP/S.
EDB-PVM-AV-USE-PROXY:
Value: true
Description: Default is set to TRUE to use HTTP/S communication.
EDB-PVM-AV-DMS:
Value (for example): https://<weblogic_server>:<weblogic port>/VueLink/Vuelink
Description: The Oracle Agile DMS servlet address, where the AutoVue server can access the DMS servlet.
No configuration changes have to be done if you want to use the Web Client with HTTP/S.
|
Note: Only use the HTTP/S protocol and port in your browser. |
In the dump, the Web Fileservice adaptations also have to be done (see above) to use file checkin/out in the Web Client with HTTP/S. Proxy configuration will be used from the browser.
Obtain the appropriate certificate for your organization. This must be placed within your installation, and referenced from the file server_web.xml.
In the following, you can find an example of the SSL section in the server_web.xml file.
Change the value of the "keystore" parameter to match the location of the certificate.
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler"
value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
<Parameter name="port"
value="8443"/>
<Parameter name="socketFactory"
value="org.apache.tomcat.net.SSLSocketFactory" />
<Parameter name="keystore"
value="[example: c:/<Agile_root>/tomcat/conf/keystore]" />
<Parameter name="keypass" value="password"/>
</Connector>
If users do not use the Web Client, we recommend to deactivate the Web Client.
To deactivate, follow these steps:
Open the WebLogic installation console.
Login with your WebLogic administrator user.
Open the Deployments.
Select the WebPresentationService.
Click Stop.
This opens a selection menu. We recommend to use one of the following two options:
When work completes
Force Stop Now
The attribute Report_Service_URL has to be changed in all application configuration files in <ep_root>/init/<application>.xml.
Search the following text:
<PLMPresentationServices Report_Service_URL="…"/>
Adapt the Report_Service_URL to:
https://<proxy_server>/AgilePlmWps/reporter/report
If you change this line, the change is valid for the complete application. An internal client will also use this URL.
The workflow mailing and the server side external mailing provide SSL and authentication for mailing.
In the file ABS_<application>.ini, these configuration parameters can be found:
| Configuration Parameter | Description |
|---|---|
| PORT= | Standard SMTP (mail server) port for SSL = 587, without SSL = 25 |
| ConnectTimeOut=60 | Value in seconds; default 1 minute=60 seconds |
| useSSL=false | SSL can be used without additional authentication. If this entry is deleted, the default is true. |
| useAuthentication=false | If this entry is deleted, the default is true. This means active SSL is used and SMTPUserName and SMTPPassword must be set! |
| SMTPUserName= | The user name, account name of the SMTP account.
Note: Always use<account-name>@<domain-name> |
| SMTPPassword= | Password encrypted with epkeytool)
Note: Unencrypted passwords are never accepted, even if authentication is switched off! |
|
Note: These configuration parameters can be filled during installation, but can be changed afterwards. To make changes active, please redeploy the business service. |
|
Note: Empty password is possible as long as authentication is off. |
