Oracle® Application Server Administrator's Guide
10g Release 2 (10.1.2) B13995-06 |
|
Previous |
Next |
This chapter provides instructions for enabling SSL in Oracle Application Server middle-tier installations.
It contains these topics:
This section identifies all SSL communication paths used in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
The following are communication paths through the Oracle Application Server middle tier, and their related SSL configuration instructions:
Note: In most cases, SSL can be configured with the SSL Configuration Tool. For more information, see Chapter 14, "Using the SSL Configuration Tool". |
External Clients or Load Balancer to Oracle HTTP Server
To configure the Oracle HTTP Server for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
External Clients or Load Balancer to OracleAS Web Cache
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
OracleAS Web Cache to Oracle HTTP Server
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
Oracle HTTP Server to OC4J Applications (AJP)
To configure the AJP communication over SSL, you must configure mod_oc4j's communication with the iaspt
daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Configuring mod_oc4j to Use SSL."
Oracle HTTP Server to iaspt and then to OC4J
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
OC4J (the JAAS provider) to Oracle Internet Directory
To configure the provider, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide. To configure the provider for SSL, set the SSL_ONLY_FLAG
to true
.
OC4J to the database (ASO)
If Oracle Internet Directory configured to accept SSL connections on the SSL port specified, you need only specify the SSL protocol and SSL port in the JDBC URL requesting an application, as follows:
ldaps://host.sslport/...
Note that when you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap.
If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, you must modify the configuration. See Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory."
ORMI (Oracle Remote Method Invocation, a custom wire protocol) over HTTP and HTTP over SSL
ORMI over SSL is not supported. To configure similar functionality, you can configure ORMI over HTTP, and then configure HTTP for SSL.
See the Oracle Application Server Containers for J2EE Services Guide, section titled "Configuring ORMI Tunnelling Through HTTP" for instructions on how to configure ORMI/HTTP.
SSL into standalone OC4J (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J" explains how to use SSL to secure communication between clients and an OC4J instance.
OracleAS Portal Parallel Page Engine (the servlet in the OC4J_PORTAL instance) to OracleAS Web Cache (HTTPS)
To configure this connection path for SSL, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J."
The Oracle Application Server Security Guide discusses security concepts in detail and provides recommendations for configuring security in various configurations. The "Recommended Deployment Topologies" chapter presents sample architectures for Oracle Application Server 10g Release 2 (10.1.2) installation types. After you have identified the components on which you need to enable SSL, use the instructions in this chapter and Chapter 16, "Enabling SSL in the Infrastructure" to configure the components.
This section identifies some commonly used SSL configurations in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.
OracleAS Web Cache is part of all Oracle Application Server middle-tier installations. To configure it for SSL, follow the instructions in chapter "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
A script, SSLConfigTool
, automates the SSL configuration of the following:
HTTPS listening ports and wallet location for the cache
HTTPS operations ports for the cache
Site for HTTPS requests
HTTPS port and wallet location for the origin server
Site-to-server mapping
For instructions on using this script, seeChapter 14, "Using the SSL Configuration Tool".
Oracle HTTP Server is part of all Oracle Application Server middle-tier installations. To configure it for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
A script, SSLConfigTool
, automates the setting of the SSL parameters in the httpd.conf
file. For more information about this script, see Chapter 14, "Using the SSL Configuration Tool".
To configure SSL connections to OC4J clients, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide section titled "Oracle HTTPS for Client Connections."
To configure the AJP communication over SSL, you must configure mod_oc4j
's communication with the iaspt
daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL between mod_oc4j and OC4J."
To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
ORMI over SSL is not supported. To configure similar functionality, you can configure ORMI over HTTP, and then configure HTTP for SSL.
See the Oracle Application Server Containers for J2EE Services Guide, section titled "Configuring ORMI Tunnelling Through HTTP" for instructions on how to configure ORMI/HTTP.
To configure the provider, follow the instructions in the Oracle Application Server Enterprise Deployment Guide, section titled "Configuring Application Authentication and Authorization." To configure the provider for SSL, set the SSL_ONLY_FLAG
to true
.
The Oracle Application Server Containers for J2EE Security Guide, section titled "Enabling SSL in OC4J" explains how to configure Oracle HTTP Server for SSL.
The Oracle Application Server Containers for J2EE Security Guide, section titled "Enabling SSL in OC4J" explains how to use SSL to secure communication between clients and an OC4J instance.
Depending on your security needs and the configuration of the Oracle Application Server J2EE and Web Cache installation, you may implement secure communication in one or more of the installed components. Configuring the first listener (whether it is OracleAS Web Cache or the Oracle HTTP Server) may be sufficient.
To configure the Oracle HTTP Server for SSL, follow the steps in "Enabling SSL for Oracle HTTP Server" in the Oracle HTTP Server Administrator's Guide.
To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
A script called SSLConfigTool
is provided to automate some of the configuration tasks. For instructions on using this script, see Chapter 14.
You can use virtual hosts to deploy multiple Web sites on a single Oracle HTTP Server (for example, to make an application available over the HTTP protocol and the HTTPS protocol).
The Oracle Application Server Single Sign-On Administrator's Guide, section titled "Configuring mod_osso with Virtual Hosts" contains instructions on configuring an SSL virtual host to be protected by mod_osso. You cannot use name-based virtual hosting. You must use IP-based or port-based virtual hosting.
The scenario presented assumes that the following conditions are in effect:
The host name of the application middle tier is app.mydomain.com (replace this name with the host name of your application middle tier).
The middle tier is already configured as a non-SSL partner application (this is typically done during installation).
The default SSL port number of the application middle tier is 4443.
The Oracle Business Intelligence Discoverer Configuration Guide explains how to configure OracleBI Discoverer for SSL.
For a discussion of Oracle Application Server Framework Security, including the SSL protocols for Oracle Business Intelligence, see the Oracle Business Intelligence Discoverer Configuration Guide, section titled "Using Discoverer with OracleAS Framework Security."
For information on implementing SSL in OracleBI Discoverer, see the Oracle Business Intelligence Discoverer Configuration Guide, section titled "What is HTTPS and why should I use it?"
For instructions on enabling OracleBI Discoverer for SSL, see the Oracle Business Intelligence Discoverer Configuration Guide, section titled "About running Discoverer over HTTPS."
For instructions on configuring SSL in OracleAS Wireless, see the Wireless Security chapter in the Oracle Application Server Wireless Administrator's Guide. The section titled "Site Administration" explains how to use the System Manager HTTP, HTTPS configuration page in Oracle Enterprise Manager 10g to configure the Wireless site's proxy server settings, URLs, and SSL certificates.
OracleAS Portal uses a number of different components for HTTP communication (such as the Parallel Page Engine, Oracle HTTP Server, and OracleAS Web Cache), each of which may act as a client or server. As a result, each component in the Oracle Application Server middle tier may be configured individually to use the HTTPS protocol instead of HTTP. These components' interaction with OracleAS Portal involves a number of distinct network hops. These include:
Between the client browser and the entry point of the OracleAS Portal environment; the entry point can be OracleAS Web Cache or a network edge hardware device such as a reverse proxy or SSL accelerator
Between OracleAS Web Cache and the Oracle HTTP Server of the Oracle Application Server middle tier
Between the client browser and the Oracle HTTP Server of the OracleAS Single Sign-On/Oracle Internet Directory (or Infrastructure) tier
A loop back connection between the Parallel Page Engine (PPE) on the middle tier and OracleAS Web Cache or the front-end reverse proxy
Between the Parallel Page Engine (PPE) and the Remote Web Provider producing Portlet content
Between the OracleAS Portal infrastructure and the Oracle Internet Directory server
The following sections in the Oracle Application Server Portal Configuration Guide provide an overview of the most common SSL configurations for OracleAS Portal and instructions for implementing them:
SSL to OracleAS Single Sign-On: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure a secure connection to OracleAS Single Sign-On.
SSL to OracleAS Web Cache: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure a secure connection to OracleAS Web Cache.
SSL throughout OracleAS Portal: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure secure connections throughout OracleAS Portal.
External SSL with non- SSL within Oracle Application Server: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure OracleAS Portal such that the site is externally accessible through SSL URLs, with the Oracle Application Server running in non-SSL mode.
Note: For general information on securing OracleAS Portal, see the Oracle Application Server Portal Configuration Guide (Chapter 6, Securing OracleAS Portal). |
See Section 16.3.7, "Configuring SSL for Oracle Enterprise Manager 10g" in Chapter 16, "Enabling SSL in the Infrastructure".