Installing Oracle Utilities Application Framework
This section outlines the steps for installing the Application Framework. It includes the following:
Installation Process (Brief Description)
1. Log in as the Oracle Utilities Framework administrator (the default is cissys on UNIX) or as a user with Administrator privileges (on Windows).
2. Configure your application server and any third-party software required for your platform, as outlined in Installing Application Server Prerequisite Software.
3. Change directory to the <TEMPDIR>/FW-V4.5.0.1.1 directory.
4. Set the following path:
export PATH=/<JAVA_HOME>/bin:/<JAVA_HOME>/lib:$PATH
 
Note: The above command is only applicable on a Unix platform. <JAVA_HOME> is the location where the JDK has been installed.
5. Start the application installation utility by executing the appropriate script:
UNIX:
ksh ./install.sh
 
Windows:
install.cmd
 
6. Follow the messages and instructions that are produced by the application installation utility. Use the completed worksheets in Planning the Installation to assist you.
7. Installation of Oracle Utilities Framework Application Server is complete if no errors occurred during installation.
Installation Process (Detailed Description)
1. Log in to the host server as the Oracle Utilities Application Framework administrator.
Log in as cissys (on UNIX) or as a user with Administrator privileges (on Windows).
2. Configure application server and third-party software.
Complete all steps outlined in Installing Application Server Prerequisite Software. You will need to obtain specific information for the install.
3. Change directory to the <TEMPDIR>/FW-V4.5.0.1.1 directory and start the application installation utility by executing the appropriate script:
Unix:
ksh ./install.sh
 
Windows:
install.cmd
 
4. On the Environment Installation Options menu, select item 1: Environment ID, Roles, Third Party Software Configuration.
Use the completed Environment ID, Roles, Third Party Software Configuration worksheet in Installation Menu Functionality Overview to complete this step.
5. Select menu item 2: Keystore Options.
Use the completed Keystore Options Worksheet to complete this step. See Installation Menu Functionality Overview.
6. Select menu item 50: Environment Installation Options.
Use the completed Environment Installation Options Worksheet to complete this step. See Installation Menu Functionality Overview.
Note: You must create the directory for output (the Log Mount Point). The installation process fails if this directory does not exist.
Specify the environment mount point, log files mount point, name and the environment directory names for a new installation on a menu screen.
Specify the web application server type your environment will run with (the default will be WebLogic).
Specify if you want to install the application viewer module.
Specify if you want to install the demo certificate generation scripts.
Specify if you want to install sample custom code.
Enter P to accept the selected options.
During this step, the specification of a new environment is checked for validity against /etc/cistab and the permissions on mount points and directories.
7. Configure the environment parameters.
During this step you will configure environment parameters such as web server hosts and ports, database name, and user ID.
The application installation utility shows default values for some configuration options.
Use the completed Environment Configuration Worksheet to assist you.
Note: Some options require a value for a successful install. It is important to provide these values as described in the previous sections.
When you are done with the parameters setup, proceed with the option P.
All of the options will be written to the following file: $SPLEBASE/etc/ENVIRON.INI.
You will be warned if you did not edit a section. You may proceed if you want to keep the default settings.
The application installation utility copies the installation media to a new environment.
The application installation utility generates environment configuration parameters.
The application installation utility automatically executes the script initialSetup.sh (on UNIX) or initialSetup.cmd (on Windows), located in $SPLEBASE/bin (%SPLEBASE%\bin on Windows) directory. This script populates different application template configuration files with the new environment variables values and completes the rest of the installation steps.
8. Set up environment variables.
Once the ENVIRON.INI file is created and contains the correct environment parameters, the application installation utility starts a sub shell to the current process by executing the splenviron.sh (on UNIX) or splenviron.cmd (on Windows) script, located in $SPLEBASE/bin (or %SPLEBASE%\etc for Windows) directory. This script sets up all the necessary environment variables and shell settings for the application server to function correctly.
From this point, a number of environment variables have been set up. Some key ones are:
$PATH - an adjustment to $PATH is made so that all of the environment scripts and objects will be in the path.
$SPLEBASE (%SPLEBASE%) - stands for <SPLDIR>/<SPLENVIRON> directory
$SPLOUTPUT (%SPLOUTPUT%) - stands for <SPLDIROUT>/<SPLENVIRON> directory
$SPLENVIRON (%SPLENVIRON%) - environment name
For future operations or any post-installation steps, you first need to execute the following command to set up your session for the new environment:
UNIX:
$SPLEBASE/bin/splenviron.sh -e <SPLENVIRON>
 
Windows:
%SPLEBASE%\bin\splenviron.cmd -e <SPLENVIRON>
 
You need to execute this script each time you want to be connected to the specific environment before performing manual operations such as shutdown, startup or performing an additional application product installation.
When you have finished the install process, your current online session will be connected to the new environment.
Refer to Planning the Installation for settings and configuration.
Detailed Description for Configuring the OUAF Keystore
The following section details the steps required to configure the OUAF keystore.
OUAF Keystore
The OUAF Keystore feature secures sensitive data such as passwords and prevents tampering with long login IDs via direct updates to the database. The application server uses an external keystore to store keys for system passwords and other sensitive system data, including user “hashes” that are used to verify the validity of email long login IDs. In order to run the application correctly, the keystore used by the application server must match the data encrypted in the database. If they do not match, the application will not be able to decrypt passwords correctly, nor will users be able to log on, due to a mismatch of user security hashes.
To help manage the keystore and ensure that the keystore matches the database-encrypted data, there is a system check at startup of the application that displays warning messages when the system detects that the keystore in use does not match the encrypted data in the database. Thus, after any keystore operation, fresh installation of the application, or reconfiguration to point to a different database, the keystore will need to be synchronized with the database. Synchronization of the keystore happens any time the ChangeCryptographyKey or ResetCryptographyKey programs are run.
After running the cryptography programs, it is necessary to reset the database credentials used by the database patching utility with the invokeDBUpdatePatch.sh|cmd script.
Note: The database utility ORADBI does not require the keystore files. Refer to the database documentation for more details.
The following lists the common administrative activities related to the keystore.
Determining Keystore in Use
You can determine if an existing application server uses a keystore through the existence of the files in the following location. (Use the ls -a option in Unix systems to list all files):
<SPLEBASE>/ks/.ouaf_keystore
<SPLEBASE>/ks/.ouaf_storepass
 
If there are no files in this location, then the system is not using a keystore. Starting from V4.2.0.2.0, a keystore should be in use.
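The check described above can be scripted. The following is an added example, not part of the original documentation or of Oracle's tooling: the function name keystore_status, its return codes, and the owner-only permission check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether an environment has an OUAF keystore and
# whether the keystore files are accessible to anyone but their owner.
# keystore_status is a hypothetical helper; pass the environment base
# directory, for example:  keystore_status "$SPLEBASE"
# Return codes (chosen for this example):
#   0 both files present, owner-only   1 no keystore files
#   2 only one of the two files        3 present, permissions too broad
keystore_status() {
    ks_dir="$1/ks"
    found=0
    loose=0
    for f in .ouaf_keystore .ouaf_storepass; do
        [ -f "$ks_dir/$f" ] || continue
        found=$((found + 1))
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$ks_dir/$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "WARN: $ks_dir/$f is accessible beyond its owner ($perms)"
            loose=1
        fi
    done
    case $found in
        0) echo "no keystore files in $ks_dir"; return 1 ;;
        1) echo "incomplete keystore in $ks_dir (one file missing)"; return 2 ;;
    esac
    [ "$loose" -eq 0 ] || return 3
    echo "keystore in use: $ks_dir"
    return 0
}
```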
Configuring the Keystore Options
If you would like to customize the keystore options, the Install Menu includes a section for keystore options as shown below. You can access the Install Menu later by executing configureEnv.sh|cmd -i:
2. Keystore options
Import Keystore Directory:
Store Type: JCEKS
Alias: ouaf.system
Alias Key Algorithm: AES
Alias Key Size: 128
HMAC Alias: ouaf.system.hmac
Padding: PKCS5Padding
Mode: CBC
Importing an Existing Keystore
This will import a keystore from an existing environment to the current one. Use this when upgrading from 4.2.0.2.0 or when reconfiguring environments using different keystores and you want them to point to the same database schema (e.g. you want to have more than one application server pointing to the same database schema).
Follow these steps:
1. Enter the keystore options from the install menu or from configureEnv.sh|cmd -i as above.
2. Run initialSetup.sh|cmd -s so that the keystore is imported and appropriate property files are updated.
3. Run configureEnv.sh|cmd and re-enter the passwords so they are encrypted with the imported keystore.
4. Run initialSetup.sh|cmd again to update property files with the encrypted data.
5. Run the following:
perl $SPLEBASE/bin/run_java_standalone.plx com.splwg.shared.common.ChangeCryptographyKey -l -h
 
6. Run $SPLEBASE/bin/invokeDBUpdatePatch.sh|cmd and follow the prompts.
You can use the -h option to obtain help.
Upgrading from the Legacy Keystore
This process:
Synchronizes the keystore to the database
Regenerates the user hashes
Re-encrypts any passwords (from the legacy-encrypted passwords) using the current keystore.
Is used only when upgrading from a framework prior to version 4.2.0.2.0.
Follow these steps:
1. Run the following command:
perl $SPLEBASE/bin/run_java_standalone.plx com.splwg.shared.common.ChangeCryptographyKey -l -h
 
2. Run $SPLEBASE/bin/invokeDBUpdatePatch.sh|cmd and follow the prompts. You can use the -h option to obtain help.
Forcing the Environment to Use the Current Keystore
This process will:
Prompt for and encrypt application server-stored passwords
Synchronize the keystore to the database
Regenerate the user hashes
Invalidate any database-stored passwords
Use this option when, for example, a keystore has been lost and the system is therefore unable to decrypt the passwords stored in the configuration files or database. All passwords will need to be re-entered.
Follow these steps:
1. Using configureEnv.sh|cmd, re-enter the menu passwords to encrypt the data.
2. Run initialSetup.sh|cmd to update property files with the encrypted data.
3. Run the following commands:
perl $SPLEBASE/bin/run_java_standalone.plx com.splwg.shared.common.ResetCryptographyKey
 
4. Run $SPLEBASE/bin/invokeDBUpdatePatch.sh|cmd and follow the prompts. You can use the -h option to obtain help.
5. Re-enter stored password information using the application (example: passwords for reports).
Synchronizing the Keystore
This process will:
Synchronize the keystore to the database
Regenerate the user hashes
Follow these instructions only when you are sure the data in the database is encrypted with the current keystore. This is used to synchronize the keystore to the database.
Follow these steps:
1. Run the following:
perl $SPLEBASE/bin/run_java_standalone.plx com.splwg.shared.common.ResetCryptographyKey
 
2. Run $SPLEBASE/bin/invokeDBUpdatePatch.sh|cmd and follow the prompts. You can use the -h option to obtain help.
Creating a New Keystore
This process will:
Prompt for and encrypt new application server-stored passwords
Synchronize the keystore to the database
Regenerate user hashes
Decrypt the passwords using the old keystore and encrypt them using the new keystore.
Follow these steps:
1. Copy the old keystore to a temporary directory as a backup measure.
2. Run initialSetup.sh|cmd -k to generate the new keystore.
3. Using configureEnv.sh|cmd, re-enter the menu passwords to encrypt the data.
4. Run initialSetup.sh|cmd to update property files with the encrypted data.
5. Run the following:
perl $SPLEBASE/bin/run_java_standalone.plx \
-Dcom.oracle.ouaf.system.old.keystore.file={property-value} \
-Dcom.oracle.ouaf.system.old.keystore.passwordFileName={property-value} \
-Dcom.oracle.ouaf.system.old.keystore.type={property-value} \
-Dcom.oracle.ouaf.system.old.keystore.alias={property-value} \
-Dcom.oracle.ouaf.system.old.keystore.padding={property-value} \
-Dcom.oracle.ouaf.system.old.keystore.mode={property-value} \
com.splwg.shared.common.ChangeCryptographyKey
 
where each {property-value} is the corresponding setting of the old keystore
6. Run $SPLEBASE/bin/invokeDBUpdatePatch.sh|cmd and follow the prompts. You can use the -h option to obtain help.
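Step 1 of this procedure (backing up the old keystore) is easy to get wrong because both keystore files are hidden dotfiles. The following is an added example, not Oracle's code: the function name backup_keystore, its return codes, and the owner-only permissions on the backup are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: copy the old keystore files to a backup directory before
# initialSetup.sh -k replaces them. backup_keystore is a hypothetical helper.
# Usage:  backup_keystore "$SPLEBASE" /path/to/backup/dir
# Return codes (chosen for this example):
#   0 backup written and verified   1 source files missing or copy failed
#   2 copy differs from source      3 destination already holds a backup
backup_keystore() {
    ks_dir="$1/ks"
    dest=$2
    [ -f "$ks_dir/.ouaf_keystore" ] && [ -f "$ks_dir/.ouaf_storepass" ] || {
        echo "keystore files not found in $ks_dir" >&2; return 1; }
    # Never overwrite an earlier backup: it may be the only copy of a key
    # that still matches data encrypted in the database.
    if [ -e "$dest/.ouaf_keystore" ] || [ -e "$dest/.ouaf_storepass" ]; then
        echo "refusing to overwrite existing backup in $dest" >&2; return 3
    fi
    # The backup holds key material, so keep the directory owner-only.
    ( umask 077 && mkdir -p "$dest" ) || return 1
    chmod 700 "$dest" || return 1
    for f in .ouaf_keystore .ouaf_storepass; do
        # Name the dotfiles explicitly: a "cp $ks_dir/*" glob skips hidden files.
        cp -p "$ks_dir/$f" "$dest/$f" || return 1
        chmod 600 "$dest/$f" || return 1
        # Confirm the copy is byte-identical before the original is replaced.
        cmp -s "$ks_dir/$f" "$dest/$f" || {
            echo "copy of $f differs from source" >&2; return 2; }
    done
    echo "$dest"
}
```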