Oracle® Application Server Web Cache Administrator's Guide
10g Release 2 (10.1.2) B14046-04
To provide more security for your Web site, you can configure OracleAS Web Cache to receive HTTPS protocol client requests and send HTTPS requests to the origin server. HTTPS uses the Secure Sockets Layer (SSL) to encrypt and decrypt user page requests as well as the pages that are returned by the OracleAS Web Cache and origin servers. You can also configure OracleAS Web Cache to send traffic to the origin server through an HTTPS listening port.
To configure HTTPS support, perform these tasks:
Task 4: Configure HTTPS Port and Wallet Location for the Origin Server
Task 8: (Optional) Permit Only HTTPS Requests for a URL or Set of URLs
You can automate Tasks 2-6 and Task 9 by using the SSLConfigTool script.
To support HTTPS for OracleAS Web Cache, you must create a wallet on the OracleAS Web Cache server for each supported site. Wallets are needed to support the following HTTPS requests:
Client requests for sites hosted by OracleAS Web Cache
Administration, invalidation, and statistics monitoring requests to OracleAS Web Cache
OracleAS Web Cache requests to origin servers, as well as admin server process requests to invalidation and statistics monitoring ports enabled for SSL
A dummy wallet for the origin server is located in $ORACLE_HOME/webcache/wallets/default on UNIX and ORACLE_HOME\webcache\wallets\default on Windows. This wallet is intended for testing purposes. For a production environment, you must create a new wallet.
For each site that OracleAS Web Cache supports, configure at least one wallet. You specify the location of the wallet for each of the OracleAS Web Cache HTTPS listening and operations ports (to support incoming HTTPS requests), and the origin server (to support outgoing HTTPS requests). You can share one wallet, or you can create separate wallets. If you use the same wallet, keep in mind that it can support only one server-side certificate.
The following provides the basic steps for creating a wallet for use by OracleAS Web Cache. For detailed instructions, see the Oracle Application Server Administrator's Guide.
Invoke Oracle Wallet Manager:
On UNIX, run owm from $ORACLE_HOME/bin.
On Windows, choose Start > Programs > Oracle - Oracle_homename > Network Administration > Wallet Manager.
Create the wallet (Wallet > New), entering a password as prompted.
You are prompted whether or not to create a certificate request. Click Yes. Then, enter the information in the dialog box. For Common Name, specify the name or alias of the site that will be configured for HTTPS support.
Submit the certificate to a Certificate Authority (CA) for signature.
Import the CA's root certificate into the wallet (Operations > Import Trusted Certificate).
Enable Auto-login, which enables PKI-based access to services without a password. Select the wallet and choose Wallet from the menu bar. Check Auto Login.
Save the wallet. Select the wallet and choose Wallet > Save.
When you receive the signed certificate from the CA, import it into the wallet (Operations > Import User Certificate) and save the wallet.
By default, Oracle Wallet Manager stores wallets in the following locations:
/etc/ORACLE/WALLETS/user_name on UNIX
%USERPROFILE%\ORACLE\WALLETS on Windows operating systems
To configure HTTPS protocol support between client and OracleAS Web Cache, you must configure an HTTPS listening port for OracleAS Web Cache.
To configure an HTTPS listening port in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Ports.
See Also: "Configuring Listen Ports" in Enterprise Manager Online Help for instructions
To configure an HTTPS listening port in OracleAS Web Cache Manager:
From the navigator frame in OracleAS Web Cache Manager, select Ports > Listen Ports.
Select a cache, and then click Add.
Specify the information for the port, selecting HTTPS for the Protocol. You must specify a port
Enable or disable client-side certificates. Select Require Client-Side Certificate to enable OracleAS Web Cache to require client browsers to provide SSL certificates.
A client-side certificate is a method for verifying the identity of the client. It binds information about the client user to the user's public key and must be digitally signed by a trusted CA.
In the Wallet field, enter the directory location of the wallet. This directory must contain an existing wallet.
This wallet is used for client requests for sites hosted by OracleAS Web Cache.
You can share one wallet among all the HTTPS listening ports for a site and the origin server, or create separate wallets. If you use the same wallet, keep in mind that it can support only one server-side certificate.
Click Submit.
To configure HTTPS ports to listen for administration, invalidation, or statistics monitoring requests in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Ports.
See Also: "Configuring Operation Ports" in Enterprise Manager Online Help for instructions
To configure HTTPS ports to listen for administration, invalidation, and statistics monitoring requests in OracleAS Web Cache Manager:
Select a cache, and then click Edit Selected.
Specify the information for the port, selecting HTTPS for the Protocol.
Enable or disable client-side certificates.
Select Require Client-Side Certificate to enable OracleAS Web Cache to require client browsers to provide SSL certificates.
A client-side certificate is a method for verifying the identity of the client. It binds information about the client user to the user's public key and must be digitally signed by a trusted CA.
In the Wallet field, enter the directory location of the wallet. This directory must contain an existing wallet.
This wallet is used for administration, invalidation, and statistics monitoring of HTTPS requests for sites hosted by OracleAS Web Cache.
You can share one wallet among all the HTTPS listening ports for a site and the origin server, or create separate wallets. If you use the same wallet, keep in mind that it can support only one server-side certificate.
Oracle recommends entering the location, even if the default is being used.
Click Submit.
If you set an HTTPS invalidation or statistics monitoring port, you must configure a valid origin server wallet, as described in "Task 4: Configure HTTPS Port and Wallet Location for the Origin Server". The admin server process requires this wallet to send HTTPS requests to invalidation and statistics monitoring ports enabled for SSL.
If you change the statistics protocol to HTTPS, it is not possible to view performance statistics in Enterprise Manager until a certificate is uploaded in Base64 format to b64InternetCertificate.txt in $ORACLE_HOME/sysman/config on UNIX and ORACLE_HOME\sysman\config on Windows.
You can configure HTTPS protocol support between OracleAS Web Cache and origin servers. When you use the Oracle HTTP Server as the origin server, requests from an OracleAS Web Cache server configured with an HTTPS listening port are passed on a secure (SSL) connection. It is not necessary to configure an HTTPS port for an Oracle HTTP Server. However, for other origin servers, you must configure an HTTPS port to secure the connection from OracleAS Web Cache to the origin server.
Then, you specify the location of the wallet for OracleAS Web Cache communication to the origin server. This wallet manages OracleAS Web Cache authentication data, such as keys, certificates, and trusted certificates needed by the Secure Sockets Layer (SSL).
In addition to supporting OracleAS Web Cache requests using HTTPS to the origin server, this wallet also enables the admin server process to send HTTPS requests to invalidation and statistics monitoring ports enabled for SSL.
To configure HTTPS protocol support between OracleAS Web Cache and origin servers in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Application > Origin Servers to configure an origin server for HTTPS and Web Cache Home page > Administration tab > Properties > Web Cache > Security to configure the origin server wallet.
See Also: "Configuring Origin Servers" and "Modifying General Security Settings" in Enterprise Manager Online Help for instructions
To configure HTTPS protocol support between OracleAS Web Cache and origin servers in OracleAS Web Cache Manager:
From the navigator frame, select Origin Servers, Sites, and Load Balancing > Origin Servers.
In the Origin Servers page, either click Add to add an origin server, or select an existing server and click Edit.
In the dialog box, specify the information for the origin server, selecting HTTPS for the Protocol. (See "Task 9: Configure Origin Server, Load Balancing, and Failover Settings" for information on configuring the origin server.)
Click Submit.
In the navigator frame, select Origin Servers, Sites, and Load Balancing > Origin Server Wallet.
Select the cache for which you want to modify wallet settings, and then click Edit Selected.
The Edit Origin Server Wallet dialog box appears.
In the Wallet Directory field, enter the directory location of the wallet. This directory must contain an existing wallet.
You can share one wallet among all the HTTPS listening ports for a site and the origin server, or create separate wallets. If you use the same wallet, keep in mind that it can support only one server-side certificate.
Click Submit.
You must specify a site that will accept HTTPS requests.
To configure site settings in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Application > Sites.
See Also: "Configuring Site Properties for a Named Site" in Enterprise Manager Online Help for instructions
To configure site settings in OracleAS Web Cache Manager:
In the navigator frame, select Origin Servers, Sites, and Load Balancing > Site Definitions.
In the Site Definitions page, click Add Site.
Specify the information, as described in "Task 10: Configure Web Site Settings".
In the Port field, enter the number of the HTTPS listening port. This site will use the wallet defined for that port.
In the HTTPS Only Prefix field, enter the URL prefix for which only HTTPS requests will be served. If all traffic must be restricted to HTTPS, enter "/" for the entire site.
Click Submit.
In the navigator frame, select Origin Servers, Sites, and Load Balancing > Site-to-Server Mapping.
Create a mapping from the site to an origin server, as described in "Task 10: Configure Web Site Settings".
Click Submit.
By default, Oracle HTTP Server does not maintain keep-alive connections for HTTPS client requests from Microsoft Internet Explorer 5.5 and later releases. Internet Explorer has known issues with trying to reuse SSL connections after they have timed out. In order for Oracle HTTP Server to maintain keep-alive connections from OracleAS Web Cache, you must remove the following entry from the ssl.conf file in the $ORACLE_HOME/Apache/Apache/conf directory on UNIX or the ORACLE_HOME\Apache\Apache\conf directory on Windows:
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
The ssl.conf file specifies the SSL definitions for Oracle HTTP Server. If this entry is not removed, then keep-alive connections are disabled.
You can require that clients send certificates (client-side certificates) to the cache to verify the identity of the client.
With client-side certificates, the client browser sends the certificate to the cache during the SSL handshake. Then, the server processes the request for the object. If the requested object is not stored in the cache, the cache forwards the request to the application Web server, a peer cache (in a cluster), or a subordinate cache (in a hierarchy). To transfer information about the client-side certificate to another cache or to the application Web server, OracleAS Web Cache adds HTTP headers to the request. The headers begin with the string SSL-Client-Cert.
Note the following points about using client-side certificates:
In a simple configuration (client to cache to application Web server), the client sends the certificate to the cache during the SSL handshake. If the requested object is not stored in the cache, the cache forwards the request to the application Web server and transfers the client-side certificate information in headers to the application Web server. The application Web server recognizes the headers and responds to the request.
In a cluster, the client sends the certificate to a cache cluster member during the SSL handshake. If the requested object is not stored in that cache, the cluster member requests it from a peer (the cluster member that owns the object). With client-side certificates, OracleAS Web Cache must be able to pass the client-side certificate information in headers to the peer cluster member, and the peer must be able to pass the headers to the application Web server.
In an ESI hierarchical deployment, the client browser sends the certificate to the subscriber cache in a hierarchy. That cache must be able to forward the certificate information in headers to a provider cache. However, with this configuration, the provider caches could inadvertently accept the certificate information in a header from a bogus entity. To prevent this, you must secure the provider caches, by methods such as installing them behind a firewall.
If client-side certificates are required, but not provided by the client, OracleAS Web Cache returns an error: 403: Forbidden.
Note: OracleAS Web Cache supports the use of client-side certificates with Oracle HTTP Server only. OracleAS Web Cache does not support client-side certificates with a distributed cache hierarchy because the security of the certificates cannot be guaranteed.
The following topics describe how to configure client-side certificate settings:
Configuring Client-Side Certificate Settings for the HTTPS Listening Port
Configuring Client-Side Certificate Settings for Cache Clusters
Configuring Client-Side Certificate Settings for an ESI Cache Hierarchy
Configuring Client-Side Certificate Settings for the HTTPS Listening Port
To use client-side certificates, you must enable an HTTPS listening port, as described in "Task 2: Configure an HTTPS Listening Port". If you have a cache cluster, you must enable HTTPS listening ports for all cluster members. In addition, you must configure OracleAS Web Cache to require client browsers to provide SSL certificates.
To enable this setting in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Security.
See Also: "Configuring Listen Ports" in Enterprise Manager Online Help for instructions
To enable this setting in OracleAS Web Cache Manager:
In the navigator frame, select Ports > Listen Ports.
The Listen Ports page is displayed.
Select the HTTPS port and click Edit.
In the Edit Listening Port dialog box, select Require Client-Side Certificate.
Click Submit.
If you have a simple configuration, not a cache cluster or a cache hierarchy, proceed to the next section, "Task 8: (Optional) Permit Only HTTPS Requests for a URL or Set of URLs".
After configuring the client-side certificate, to enable OracleAS Web Cache to transfer certificate information to Oracle HTTP Server, add the AddCertHeader directive to httpd.conf.
See Also: Oracle HTTP Server Administrator's Guide for information about adding the AddCertHeader directive
Configuring Client-Side Certificate Settings for Cache Clusters
If you have a cache cluster, you must prevent a cache from accepting the certificate information in HTTP headers from any source other than a peer cluster member. In addition, each cache must be able to pass the client-side certificate information in headers to the peer cluster member, and the peer must be able to pass them to the application Web server.
To configure this behavior in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Security.
See Also: "Ensuring that ClientIP Headers Are Valid" in Enterprise Manager Online Help for instructions
To configure this behavior in OracleAS Web Cache Manager:
In the navigator frame, select Properties > Security.
In the Special Security Header Configuration section of the Security page, the value of Accept SSL client certificates encoded in SSL-Client-Cert HTTP headers must be NO (the default).
If it is not, click Edit to modify the setting in the Special Security Header Configuration dialog box.
In the Cluster Security Configuration section, the value of Route requests that contain SSL client certificates to cache cluster peers must be YES.
If it is not, click Edit to modify the setting in the Cluster Security Configuration dialog box.
Configuring Client-Side Certificate Settings for an ESI Cache Hierarchy
If you have an ESI cache hierarchy, a provider cache must be able to accept the client-side certificate information in headers from the subscriber cache.
To enable this behavior in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Security.
See Also: "Ensuring that ClientIP Headers Are Valid" in Enterprise Manager Online Help for instructions
To enable this behavior in OracleAS Web Cache Manager:
In the navigator frame, select Properties > Security.
In the Special Security Header Configuration section of the Security page, the value of Accept SSL client certificates encoded in SSL-Client-Cert HTTP headers must be YES.
If it is not, click Edit to modify the setting in the Special Security Header Configuration dialog box.
If the subordinate caches are in a cluster, the subordinate caches must be able to pass the client-side certificate information in headers to the peer cluster member. In this case, in the Cluster Security Configuration section of the Security page, the value of the Route requests that contain SSL client certificates to cache cluster peers must be YES.
If it is not, click Edit to modify the setting in the Cluster Security Configuration dialog box.
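The trust rules for the SSL-Client-Cert headers described in the client-side certificate overview and in the cluster and ESI hierarchy settings above, as an added illustrative model in Python (not Oracle's code and not part of this guide): the two Security page settings and the Require Client-Side Certificate port setting are reduced to a single admission function. The peer address list, the header value, and the default values of the flags are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Headers the cache adds to carry client-certificate data begin with this string.
CERT_HEADER_PREFIX = "ssl-client-cert"


@dataclass
class SecurityConfig:
    """The page's settings as booleans; the default values and peer list are constructed."""
    require_client_cert: bool = True     # Require Client-Side Certificate (HTTPS listening port)
    accept_cert_headers: bool = False    # Accept SSL client certificates encoded in SSL-Client-Cert HTTP headers
    route_to_peers: bool = False         # Route requests that contain SSL client certificates to cache cluster peers
    cluster_peers: Set[str] = field(default_factory=set)  # constructed: addresses of peer cluster members


def cert_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the SSL-Client-Cert* headers of a request (header names are case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower().startswith(CERT_HEADER_PREFIX)}


def admit_request(cfg: SecurityConfig, source_ip: str, headers: Dict[str, str],
                  tls_client_cert: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers to forward upstream).

    A certificate presented in this cache's own TLS handshake is trusted and re-emitted
    in an SSL-Client-Cert header. Certificate headers already present on the incoming
    request are trusted only if they came from a cluster peer (peer routing YES) or if
    this cache is an ESI provider configured to accept them (accept_cert_headers YES,
    which is why the guide says such caches must be placed behind a firewall). Any other
    SSL-Client-Cert* header is stripped so a client cannot assert an identity it did
    not prove.
    """
    incoming = cert_headers(headers)
    from_peer = cfg.route_to_peers and source_ip in cfg.cluster_peers
    trusted = bool(incoming) and (from_peer or cfg.accept_cert_headers)
    # Start from the request minus every certificate header, then add back only trusted ones.
    forwarded = {k: v for k, v in headers.items() if not k.lower().startswith(CERT_HEADER_PREFIX)}
    if trusted:
        forwarded.update(incoming)
    if tls_client_cert is not None:
        forwarded["SSL-Client-Cert"] = tls_client_cert  # constructed header shape
    if cfg.require_client_cert and tls_client_cert is None and not trusted:
        return 403, {}  # required but not provided: 403 Forbidden, as the guide states
    return 200, forwarded


if __name__ == "__main__":
    # Constructed sample: a simple deployment, a request over TLS without a client
    # certificate that carries a certificate header of its own. Expect (403, {}).
    print(admit_request(SecurityConfig(), "203.0.113.9", {"SSL-Client-Cert": "untrusted"}, None))
```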
Configuring Client-Side Certificate Settings for a Site
You can also specify that an entire site require client-side certificates:
To configure a site to use client-side certificates in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Application > Sites.
See Also: "Configuring Site Properties for a Named Site" in Enterprise Manager Online Help for instructions
To configure a site to use client-side certificates in OracleAS Web Cache Manager:
You can restrict a URL or set of URLs for a site to permit only HTTPS requests.
To allow only HTTPS traffic for a URL or a set of URLs:
Configure Web site settings, as described in "Task 10: Configure Web Site Settings".
In Step 2e, enter the URL or URL prefix.
If all traffic must be restricted to HTTPS, enter "/" for the entire site.
If you are using OracleAS Web Cache Manager, click Apply Changes in the main window.
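The HTTPS Only Prefix rule from the site settings and from Task 8, as an added illustrative model in Python (not Oracle's code and not part of this guide): it handles the "/" whole-site case and, going beyond what the guide states, normalizes the request path before matching so that a percent-encoded or dot-segment spelling of a protected URL is still caught. The function names and the sample URLs are constructed.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit


def normalize_path(path: str) -> str:
    """Canonical form of a request path: percent-decoded, with . and .. segments
    and repeated slashes collapsed, so the prefix check sees one spelling."""
    decoded = unquote(path or "/")                # "/%73ecure" -> "/secure"
    return normpath("/" + decoded.lstrip("/"))    # "/a/../secure/" -> "/secure"


def https_only_applies(prefix: str, path: str) -> bool:
    """True when the site's HTTPS Only Prefix covers this path.

    An empty prefix means no restriction; "/" restricts the entire site. Otherwise
    the normalized path must equal the prefix or lie below it as a directory, so
    "/secure" covers "/secure/login" but not "/securex".
    """
    if not prefix:
        return False
    if prefix == "/":
        return True
    base = prefix.rstrip("/")
    canon = normalize_path(path)
    return canon == base or canon.startswith(base + "/")


def should_serve(prefix: str, request_url: str) -> bool:
    """Admission decision for one request URL under the site's HTTPS Only Prefix.

    Plain-HTTP requests for a covered URL are refused; everything else (HTTPS
    requests, and HTTP requests outside the prefix) is served."""
    parts = urlsplit(request_url)
    if parts.scheme.lower() == "http" and https_only_applies(prefix, parts.path):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: prefix "/secure/" and an HTTP request that uses a dot
    # segment to reach a protected path. Expect False.
    print(should_serve("/secure/", "http://www.example.com/public/../secure/login"))
```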
After you make configuration changes, you must restart the cache or admin server processes, using the opmnctl utility or the webcachectl utility (for standalone installations) on the computer on which OracleAS Web Cache software is installed and configured.