Oracle® Application Server Administrator's Guide
10g Release 2 (10.1.2)
B13995-06

17 Enabling SSL in the Middle Tier

This chapter provides instructions for enabling SSL in Oracle Application Server middle-tier installations.

It contains these topics:

17.1 SSL Communication Paths in the Middle Tier

This section identifies all SSL communication paths used in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.

The following are communication paths through the Oracle Application Server middle tier, and their related SSL configuration instructions:


Note:

In most cases, SSL can be configured with the SSL Configuration Tool. For more information, see Chapter 14, "Using the SSL Configuration Tool".

17.2 Recommended SSL Configurations

The Oracle Application Server Security Guide discusses security concepts in detail and provides recommendations for configuring security in various configurations. The "Recommended Deployment Topologies" chapter presents sample architectures for Oracle Application Server 10g Release 2 (10.1.2) installation types. After you have identified the components on which you need to enable SSL, use the instructions in this chapter and Chapter 16, "Enabling SSL in the Infrastructure" to configure the components.

17.3 Common SSL Configuration Tasks for the Middle Tier

This section identifies some commonly used SSL configurations in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.

17.3.1 Enabling SSL in OracleAS Web Cache

OracleAS Web Cache is part of all Oracle Application Server middle-tier installations. To configure it for SSL, follow the instructions in chapter "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.

A script, SSLConfigTool, automates the SSL configuration of the following:

  • HTTPS listening ports and wallet location for the cache

  • HTTPS operations ports for the cache

  • Site for HTTPS requests

  • HTTPS port and wallet location for the origin server

  • Site-to-server mapping

For instructions on using this script, see Chapter 14, "Using the SSL Configuration Tool".

17.3.2 Enabling SSL in the Oracle HTTP Server

Oracle HTTP Server is part of all Oracle Application Server middle-tier installations. To configure it for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."

A script, SSLConfigTool, automates the setting of the SSL parameters in the httpd.conf file. For more information about this script, see Chapter 14, "Using the SSL Configuration Tool".

17.3.3 Enabling SSL in OC4J

To configure SSL connections to OC4J clients, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide section titled "Oracle HTTPS for Client Connections."

17.3.3.1 Configuring SSL from Oracle HTTP Server to OC4J

To configure the AJP communication over SSL, you must configure mod_oc4j's communication with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL between mod_oc4j and OC4J."

17.3.3.2 Using Port Tunneling (iaspt) from Oracle HTTP Server to OC4J

To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."

17.3.3.3 Configuring ORMI/HTTP SSL

ORMI over SSL is not supported. To configure similar functionality, you can configure ORMI over HTTP, and then configure HTTP for SSL.

See the Oracle Application Server Containers for J2EE Services Guide, section titled "Configuring ORMI Tunnelling Through HTTP" for instructions on how to configure ORMI/HTTP.

17.3.3.4 Configuring the Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider for SSL with Oracle Internet Directory

To configure the provider, follow the instructions in the Oracle Application Server Enterprise Deployment Guide, section titled "Configuring Application Authentication and Authorization." To configure the provider for SSL, set the SSL_ONLY_FLAG to true.

17.3.3.5 Configuring Oracle HTTP Server for SSL

The Oracle Application Server Containers for J2EE Security Guide, section titled "Enabling SSL in OC4J" explains how to configure Oracle HTTP Server for SSL.

17.3.3.6 Configuring SSL in Standalone OC4J Installations

The Oracle Application Server Containers for J2EE Security Guide, section titled "Enabling SSL in OC4J" explains how to use SSL to secure communication between clients and an OC4J instance.

17.3.4 Enabling SSL in J2EE and Web Cache Installations

Depending on your security needs and the configuration of the Oracle Application Server J2EE and Web Cache installation, you may implement secure communication in one or more of the installed components. Configuring the first listener (whether it is OracleAS Web Cache or the Oracle HTTP Server) may be sufficient.

To configure the Oracle HTTP Server for SSL, follow the steps in "Enabling SSL for Oracle HTTP Server" in the Oracle HTTP Server Administrator's Guide.

To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.

A script called SSLConfigTool is provided to automate some of the configuration tasks. For instructions on using this script, see Chapter 14.

17.3.5 Enabling SSL in Virtual Hosts

You can use virtual hosts to deploy multiple Web sites on a single Oracle HTTP Server (for example, to make an application available over the HTTP protocol and the HTTPS protocol).

The Oracle Application Server Single Sign-On Administrator's Guide, section titled "Configuring mod_osso with Virtual Hosts" contains instructions on configuring an SSL virtual host to be protected by mod_osso. You cannot use name-based virtual hosting. You must use IP-based or port-based virtual hosting.

The scenario presented assumes that the following conditions are in effect:

  • The host name of the application middle tier is app.mydomain.com (replace this name with the host name of your application middle tier).

  • The middle tier is already configured as a non-SSL partner application (this is typically done during installation).

  • The default SSL port number of the application middle tier is 4443.
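One way to check a configuration against the virtual-hosting restriction above is to list every SSL-enabled `<VirtualHost>` block and flag those whose address is also declared in a `NameVirtualHost` directive. This is an added example, not code from the Oracle guides; the function name `audit_ssl_vhosts`, the sample configuration text and the address 192.0.2.10 are assumptions made for illustration.

```python
import re

# Constructed httpd.conf fragments for illustration; 192.0.2.10 is a placeholder.
PORT_BASED = """
<VirtualHost app.mydomain.com:4443>
    ServerName app.mydomain.com
    SSLEngine on
</VirtualHost>
"""

NAME_BASED = """
NameVirtualHost 192.0.2.10:4443
<VirtualHost 192.0.2.10:4443>
    ServerName app.mydomain.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:4443>
    ServerName other.mydomain.com
    SSLEngine on
</VirtualHost>
"""

def audit_ssl_vhosts(conf_text):
    """Return (address, ServerName, kind) for each SSL-enabled <VirtualHost>.
    kind is "name-based" if the address literally matches a NameVirtualHost
    directive (hostnames are not resolved, a simplification)."""
    lines = [l.strip() for l in conf_text.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    named = {m.group(1).lower() for l in lines
             if (m := re.match(r"NameVirtualHost\s+(\S+)", l, re.I))}
    findings, block = [], None
    for l in lines:
        if m := re.match(r"<VirtualHost\s+([^>]+)>", l, re.I):
            block = {"addrs": m.group(1).lower().split(), "name": None, "ssl": False}
        elif block is None:
            continue  # directive outside any <VirtualHost> block
        elif m := re.match(r"ServerName\s+(\S+)", l, re.I):
            block["name"] = m.group(1)
        elif re.match(r"SSLEngine\s+on\b", l, re.I):
            block["ssl"] = True
        elif re.match(r"</VirtualHost>", l, re.I):
            if block["ssl"]:
                for addr in block["addrs"]:
                    kind = "name-based" if addr in named else "ip-or-port-based"
                    findings.append((addr, block["name"], kind))
            block = None
    return findings

if __name__ == "__main__":
    print(audit_ssl_vhosts(PORT_BASED), audit_ssl_vhosts(NAME_BASED))
```

Run it over the merged configuration text (httpd.conf plus any included files); any entry reported as "name-based" needs to be moved to its own IP address or port.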

17.3.6 Enabling SSL in OracleBI Discoverer

The Oracle Business Intelligence Discoverer Configuration Guide explains how to configure OracleBI Discoverer for SSL.

For a discussion of Oracle Application Server Framework Security, including the SSL protocols for Oracle Business Intelligence, see the Oracle Business Intelligence Discoverer Configuration Guide, section titled "Using Discoverer with OracleAS Framework Security."

For information on implementing SSL in OracleBI Discoverer, see the Oracle Business Intelligence Discoverer Configuration Guide, section titled "What is HTTPS and why should I use it?"

For instructions on enabling OracleBI Discoverer for SSL, see the Oracle Business Intelligence Discoverer Configuration Guide, section titled "About running Discoverer over HTTPS."

17.3.7 Enabling SSL in OracleAS Wireless

For instructions on configuring SSL in OracleAS Wireless, see the Wireless Security chapter in the Oracle Application Server Wireless Administrator's Guide. The section titled "Site Administration" explains how to use the System Manager HTTP, HTTPS configuration page in Oracle Enterprise Manager 10g to configure the Wireless site's proxy server settings, URLs, and SSL certificates.

17.3.8 Enabling SSL in OracleAS Portal

OracleAS Portal uses a number of different components for HTTP communication (such as the Parallel Page Engine, Oracle HTTP Server, and OracleAS Web Cache), each of which may act as a client or server. As a result, each component in the Oracle Application Server middle tier may be configured individually to use the HTTPS protocol instead of HTTP. These components' interaction with OracleAS Portal involves a number of distinct network hops. These include:

  • Between the client browser and the entry point of the OracleAS Portal environment; the entry point can be OracleAS Web Cache or a network edge hardware device such as a reverse proxy or SSL accelerator

  • Between OracleAS Web Cache and the Oracle HTTP Server of the Oracle Application Server middle tier

  • Between the client browser and the Oracle HTTP Server of the OracleAS Single Sign-On/Oracle Internet Directory (or Infrastructure) tier

  • A loop back connection between the Parallel Page Engine (PPE) on the middle tier and OracleAS Web Cache or the front-end reverse proxy

  • Between the Parallel Page Engine (PPE) and the Remote Web Provider producing Portlet content

  • Between the OracleAS Portal infrastructure and the Oracle Internet Directory server

The following sections in the Oracle Application Server Portal Configuration Guide provide an overview of the most common SSL configurations for OracleAS Portal and instructions for implementing them:


Note:

For general information on securing OracleAS Portal, see the Oracle Application Server Portal Configuration Guide (Chapter 6, Securing OracleAS Portal).