Oracle Agile Engineering Data Management Security Guide Release e6.2.1.0 E69102-01
Oracle wallet is used to improve the security of passwords and tickets and is customer specific. The wallet is created by the Agile e6 installer during the installation.
The following graphic depicts all wallets created during the installation and deployed to different components.
Agile EDM Server Wallet
This Oracle wallet is the main wallet of the Agile e6 installation and is generated during the installation of the Agile EDM Server.
There are two types of Oracle wallet:
Private Wallet
The private wallet includes the private and public key.
This wallet is used by the Agile EDM server installation and by WebLogic Server.
The Agile EDM server uses this wallet to encrypt the database password in the configuration file.
In addition, the wallet is used to create FMS tokens and tickets.
The Java Daemon also uses this wallet to secure the Java Daemon administration password.
The Business services (deployed in WebLogic) use the wallet to encrypt the mail SMTP password in the configuration file.
Public Wallet
The public wallet contains only the public key.
This wallet is used for the DFM installation on remote locations to verify tokens and tickets generated by the Agile EDM Server.
Agile EDM SSO Wallet
This Oracle wallet is used to create a trusted relationship between the Agile EDM Server and the Business service to which the server delegates the SSO authentication.
Agile EDM WS-SSO Wallet
This Oracle wallet is used to verify WS-SSO tickets created by the Core WebService during login to the Agile EDM Server.
Agile FMS Wallet
This Oracle wallet is locally generated for each DFM location. The FMS Java Daemon uses this wallet to secure the access to the internal FMS interface.
The Agile e6 installer creates two ZIP files.
The first ZIP file contains the private wallets and is used during the installation of additional Agile EDM Servers or J2EE servers.
The second ZIP file contains the public Agile EDM Server wallet. This package has to be used on remote DFM locations.
There are some use cases which make it necessary to create an Oracle wallet manually:
Update of the Oracle wallet infrastructure for security reasons
The required Oracle wallet is not created during the installation; for the following components you must create the Oracle wallet manually:
Batch Client
OfficeSuite PDF generator service
AutoVue Offline Metafile cache service
To create a new wallet, use the epkeytool, which is available in the e6 server installation. This tool allows you to create Oracle wallets for the following components:
adminclient, used by the Admin client which is used to manage your applications
batch, used by the Batch Client, OfficeSuite PDF generator service and the AutoVue Offline Metafile cache service
fms, used by the FMS Java daemon
server, used by the e6 server
sso, used for Java Client SSO
ws, used for WebService SSO
upt, used by the upgrade tool
The epkeytool needs to know the location of the wallet root path.
The standard root path is %ep_root%/init/wallet.
Note: The Oracle wallet must be protected so that only the services that are using the wallet can access it! No one else must have access to it because it contains the private key used to decrypt any encrypted data.
Note: The epkeytool never overwrites an existing Oracle wallet. If you want to update your Oracle wallet infrastructure, then you must first move the old wallets out of the root wallet location.
The following sections show how you can create and update your Oracle wallet structure for different components.
The initial Oracle wallet is created during the installation. Each admin client installation has a unique Oracle wallet.
The Oracle wallet root path for the admin client is located at
Windows: %ALLUSERSPROFILE%\agile\installer\6.2.1\wallets
UNIX: ${HOME}/.agile/installer/6.2.1/wallets
To update the wallets, move the existing wallets from that location and then call the epkeytool to create a new one.
epkeytool -w adminclient -c -r C:/ProgramData/agile/installer/6.2.1/wallets/adminclient
Output:
Created private wallet with type ADMINCLIENT at C:/ProgramData/agile/installer/6.2.1/wallets/private/adminclient
--- Content of wallet at C:\ProgramData\agile\installer\6.2.1\wallets\private\adminclient:
Requested Certificates:
User Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMADMINCLIENT
Trusted Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMADMINCLIENT
Note: After updating the Oracle wallet for the admin client, you must re-encrypt the admin user password. See the Administration Guide for information about how to change the password.
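The update procedure above (move the old wallets out of the root path because epkeytool never overwrites, create the new wallet, keep the root path readable only by the owning service) can be scripted on UNIX. The following POSIX shell script is an added example and is not part of the Oracle guide or of the Agile e6 installation; it assumes that epkeytool is on PATH (or given through the EPKEYTOOL variable), that the wallet root path uses the private/<type> and public/<type> layout shown in the guide's output, and that the script runs as the account that owns the wallet. The default root path in the comment is the UNIX admin client path from the guide; the server wallet with -p works the same way.

```shell
#!/bin/sh
# Added example, not Oracle's code: rotate an Oracle wallet with epkeytool.
# Assumptions: epkeytool on PATH (override with EPKEYTOOL=/path/to/epkeytool);
# the root path contains private/<type> and, with -p, public/<type>.
# Example root path (UNIX admin client): ${HOME}/.agile/installer/6.2.1/wallets

# Usage: rotate_wallet <wallet_root> <wallet_type> [extra epkeytool flags, e.g. -p]
rotate_wallet() {
    [ $# -ge 2 ] || return 2
    rw_root=$1
    rw_type=$2
    shift 2

    # 1. epkeytool never overwrites, so move existing wallets of this type aside.
    #    The backup still holds the OLD private key: delete it once every
    #    password encrypted with the old wallet has been re-encrypted.
    rw_backup="${rw_root}.bak-$(date +%Y%m%d%H%M%S)"
    for rw_sub in private public; do
        if [ -e "$rw_root/$rw_sub/$rw_type" ]; then
            mkdir -p "$rw_backup/$rw_sub" || return 1
            mv "$rw_root/$rw_sub/$rw_type" "$rw_backup/$rw_sub/" || return 1
        fi
    done

    # 2. Create the root path owner-only before the tool writes key material into it.
    (umask 077 && mkdir -p "$rw_root") || return 1
    chmod 700 "$rw_root" || return 1

    # 3. Create the new wallet; "$@" carries extra flags such as -p (also create the public wallet).
    "${EPKEYTOOL:-epkeytool}" -w "$rw_type" -c -r "$rw_root" "$@" || return 1

    # 4. Verify the private wallet directory appeared, then remove group/other access
    #    from everything the tool created (the private key lives here).
    [ -d "$rw_root/private/$rw_type" ] || return 1
    chmod -R go-rwx "$rw_root" || return 1
}

# Returns 0 when nothing under the wallet root is readable, writable or
# searchable by group or others; lists the offending paths on stderr otherwise.
check_wallet_perms() {
    cw_bad=$(find "$1" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    if [ -n "$cw_bad" ]; then
        printf 'group/other-accessible wallet files:\n%s\n' "$cw_bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh rotate_wallet.sh <wallet_root> <wallet_type> [-p]
if [ $# -ge 2 ]; then
    rotate_wallet "$@" && check_wallet_perms "$1"
fi
```

Run check_wallet_perms periodically (or from a configuration check) as well as right after the rotation: the guide's note that only the consuming services may read the wallet is a standing requirement, and a later unpacking of the private wallet ZIP with a permissive umask would silently break it.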
To encrypt a user password, the Batch Client needs an Oracle wallet. This Oracle wallet contains the private and public key for the encryption.
A Batch Client installation needs to create a new installation-specific Oracle wallet, which must be protected against unauthorized file access!
If there is more than one batch client installed on your server, then:
You can choose to create a separate Oracle wallet for each batch client.
If you use a separate Oracle wallet for each batch client installation, then use the following path as the wallet root location:
%batch_root%/init/wallet
Or, the batch clients can share the same Oracle wallet.
If the batch clients share the same Oracle wallet, then use a dedicated path which can be accessed by all batch client installations.
The batch client installation package contains a script to simplify the usage of the epkeytool.
Create a wallet root directory.
The default location is:
%BATCHCLIENT_ROOT%\init\wallet
Protect the created wallet root directory against unauthorized file access!
Prepare the batchkeytool.cmd script (%BATCHCLIENT_ROOT%\axalant\cmd) and configure the JAVA_HOME setting.
Call the batchkeytool to create the Oracle wallet:
batchkeytool -c
The following output must appear:
Created private wallet with type BATCH at D:\dev\batchclient\axalant\cmd\..\..\init\wallet\private\batch
--- Content of wallet at D:\dev\batchclient\axalant\cmd\..\..\init\wallet\private\batch:
Requested Certificates:
User Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMBATCH
Trusted Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMBATCH
The batchkeytool uses the Oracle wallet to encrypt user passwords; the encrypted password is what you store in the batch scenario properties file.
The batch client itself uses the Oracle wallet to decrypt the password to connect to the EDM server.
Note: The password is encrypted during the login to the Agile EDM Server by using an automatically securely generated session key which is protected by Agile EDM Server certificates.
To create the Oracle wallet for the FMS Java Daemon, call the epkeytool as in the following example:
epkeytool -w fms -c -r d:/plm/init/wallet
Output:
Created private wallet with type BATCH at d:\plm\init\wallet\private\batch
--- Content of wallet at d:\plm\init\wallet\private\batch:
Requested Certificates:
User Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMFMS
Trusted Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMFMS
The FMS Java Daemon does not encrypt any permanent passwords; the wallet is only used to secure dynamic sessions.
Updating the e6 server wallet is a bit more complex, because all e6 servers must use the same Oracle wallet and the public server wallet must also be deployed to all J2EE and DFM installations.
Create the Oracle wallet, as in the below example:
epkeytool -w server -c -r d:/plm/init/wallet -p
Output:
Created private wallet with type SERVER at d:\plm\init\wallet\private\server
--- Content of wallet at d:\plm\init\wallet\private\server:
Requested Certificates:
User Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDM
Trusted Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDM
Created public wallet with type SERVER at d:\plm\init\wallet\public\server
--- Content of wallet at d:\plm\init\wallet\public\server:
Requested Certificates:
User Certificates:
Trusted Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDM
As you can see, two wallets are created: one in the private folder and one in the public folder.
If your WebLogic server deployment is on the same server as the e6 server, you can just re-deploy the BusinessService.
If you have a component based installation, then copy the private server wallet into the corresponding folder of your Weblogic server installation.
Then re-deploy the BusinessService.
Note: If you are using Workflow Mailing, you need to re-encrypt the password.
For DFM locations, just copy the Oracle wallet from the public folder to the corresponding folder in your DFM installation.
To update the Java Client SSO wallet, execute the following steps.
Create the Oracle wallet, as in the below example:
epkeytool -w sso -c -r d:/plm/init/wallet
Output:
Created private wallet with type SSO at d:\plm\init\wallet\private\sso
--- Content of wallet at d:\plm\init\wallet\private\sso:
User Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMSSO
Trusted Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMSSO
If your Weblogic Server deployment is on the same server as the e6 server, then you can just re-deploy the BusinessService.
If you have a component based installation, then copy the private server wallet into the corresponding folder of your Weblogic Server installation.
Then re-deploy the BusinessService.
The wallet is not used to encrypt permanent passwords so you have no follow up actions.
To update the WebService SSO wallet, execute the following steps.
Create the Oracle wallet like this example:
epkeytool -w ws -c -r d:/plm/init/wallet
Output:
Created private wallet with type WEBSERVICE at d:\plm\init\wallet\private\ws
--- Content of wallet at d:\plm\init\wallet\private\ws:
Requested Certificates:
User Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMWS
Trusted Certificates:
Subject: C=US,ST=California,L=Redwood City,O=Oracle,OU=Agile PLM,CN=EDMWS
If your Weblogic Server deployment is on the same server as the e6 server, then you can just re-deploy the CoreWebServices.
If you have a component based installation, then copy the private server wallet into the corresponding folder of your Weblogic Server installation.
Then re-deploy the CoreWebServices.
The wallet is not used to encrypt permanent passwords so you have no follow up actions.
The Upgrade tool creates wallets as part of the standard configuration procedure. Please refer to the Upgrade Tool documentation chapter "Configuring New Database Environment Connections" for more information about how to create or update the Oracle wallet and how to re-encrypt the password.