7 Enabling SSL

This chapter provides instructions for enabling Secure Sockets Layer (SSL) in Oracle Application Server on Infrastructure and middle-tier installations. It contains the following topics:

Overview of SSL
Using the SSL Configuration Tool
SSL Communication Paths in the Infrastructure
Common SSL Configuration Tasks for the Infrastructure
SSL Communication Paths in the Middle Tier
Common SSL Configuration Tasks for the Middle Tier

7.1 Overview of SSL

In Oracle Application Server, components send requests to and receive responses from other components. These components can be Oracle Application Server components (such as OracleAS Single Sign-On, OracleAS Web Cache, or Oracle HTTP Server) or external clients such as browsers.

To secure these communications, you can configure Oracle Application Server to use SSL, which is an industry standard for securing communications. Oracle Application Server supports SSL versions 2 and 3, as well as TLS version 1.

SSL secures communication by providing message encryption, integrity, and authentication. The SSL standard allows the involved components (such as browsers and HTTP servers) to negotiate which encryption, authentication, and integrity mechanisms to use.

7.2 Using the SSL Configuration Tool

The SSL Configuration Tool is designed to be run after a successful Oracle Application Server installation to automate many of the manual steps currently required for securing HTTP. You use the tool after all Oracle homes you plan to install are successfully installed. If you have a topology where both an OracleAS Infrastructure and middle tier are present, be sure to run the SSL Configuration Tool against the OracleAS Infrastructure first, then the middle tier.

Note:

The SSL Configuration Tool is only supported for Oracle Application Server 10g Release 2 (10.1.2.0.2).

If you install Oracle Application Server and choose to make some configuration changes before running the SSL Configuration Tool, you should run the tool and then refer to the SSL Configuration Tool log files to verify that your changes were not overwritten. The SSL Configuration Tool creates log files in the directory from which the tool is run. A new log file is created each time the tool is run. For these reasons, it is suggested that you create a separate directory from which you can run the SSL Configuration Tool.

If you encounter any problems, you should run the SSL Configuration Tool with the -rollback option to revert back to your configuration environment prior to running the tool.

The SSL Configuration Tool is available with any Oracle Application Server installation type. OracleAS Infrastructure installations are the only installation type that support SSL configuration during the installation. This option is available on one of the installation screens. See Oracle Application Server Installation Guide for more information.

Note:

OracleAS Web Cache is the only standalone type supported by the SSL Configuration Tool. All other standalone types (for example, Apache) are not supported.

In some cases, the SSL Configuration Tool cannot completely configure SSL for your specific topology. When this occurs, you should refer to the appropriate component documentation for instructions on how to complete your SSL configuration manually. For some links to documentation containing manual steps, see Chapter 14, "Using the SSL Configuration Tool" in the Oracle Application Server Administrator's Guide.

7.2.1 Command Line Interface

This section describes how to use the SSLConfigTool command. It contains the following sections:

Where Can I Find the SSL Configuration Tool?
Syntax

7.2.1.1 Where Can I Find the SSL Configuration Tool?

The SSLConfigTool executable is located in the ORACLE_HOME/bin directory.

7.2.1.2 Syntax

The SSLConfigTool command is used as follows:

SSLConfigTool ( -config_w_prompt
               | -config_w_file <input_file_name>
               | -config_w_default
               | -rollback )
               [-dry_run]
               [-wc_for_infra]
               [-secure_admin]
               [-opwd <orcladmin_pwd>]
               [-ptl_dad <dad_name>]
               [-ptl_inv_pwd <ptl_inv_pwd>]

Table 7-1 describes the command line options for the SSLConfigTool command.

Table 7-1 SSL Configuration Tool Command Line Options

Parameter	Description
`-config_w_prompt`	Run in interactive mode.
`-config_w_file` `<input_file_name>`	Run in silent mode using the values specified in the `<input_file_name>` file. This input file should be an XML file.
`-config_w_default`	Run in silent mode using the values specified in the `portlist.ini` and `ias.properties` files.
`-rollback`	Revert to the prior state before the command was last run. SSO registration will be done using virtual host and port.
`-dry_run`	Print the steps without implementing them.
`-wc_for_infra`	Forces an OracleAS Web Cache to be used as a load balancer for an infrastructure environment.
`-secure_admin`	Secure the OracleAS Web Cache and Enterprise Manager administration ports (the ports used to display Application Server Control Console)
`-opwd` `<orcladmin_pwd>`	Set the Oracle administrator password. This parameter is required.
`-ptl_dad` `<dad-name>`	Set the Portal dad name. If no name is specified, the default `portal` will be used.
`-ptl_inv_pwd` `<ptl_inv_pwd>`	Set the Portal invalidation password used to send invalidation to OracleAS Web Cache. This parameter is required if you installed OracleAS Portal. If you are running `SSLConfigTool` with the `-rollback` parameter, this parameter is not required.

Note that the -config_w_prompt, -config_w_file, -config_w_default, and -rollback parameters are mutually exclusive; only one can be used with the SSLConfigTool command.

If you choose to run the tool interactively with the -config_w_prompt parameter, you will be prompted for the appropriate information one question at a time.

If you choose to run the tool silently by specifying a configuration file with the -config_w_file parameter, you should read Section 14.4.3, "Configuration File for Silent Mode" in the Oracle Application Server Administrator's Guide.

7.3 SSL Communication Paths in the Infrastructure

This section identifies all the SSL communication paths used in the Oracle Application Server Infrastructure, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.

Note:

When you install Identity Management, you are prompted to select a mode for Oracle Internet Directory. The default mode is the dual mode, which allows some components to access Oracle Internet Directory using non-SSL connections. If you chose SSL mode during installation, then all installed components must use SSL when connecting to the directory.

Before you begin SSL configuration, determine the Oracle Internet Directory mode. Start the oidadmin tool and view the SSL mode in Oracle Directory Manager. Navigate to the Directory Server and select View Properties and then SSL Settings.

The following lists the communication paths through the Oracle Application Server Infrastructure, and the related SSL configuration instructions:

Oracle HTTP Server to the OC4J_SECURITY instance

To configure AJP communication over SSL, you must configure how mod_oc4j communicates with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, the section titled "Configuring mod_oc4j to Use SSL."
Oracle HTTP Server to iaspt (Port Tunneling) and then to the OC4J_SECURITY instance

To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, the section titled "Understanding Port Tunneling."
OC4J_SECURITY instance to Oracle Internet Directory

To configure this connection path for SSL, follow the instructions in the Oracle Application Server Single Sign-On Administrator's Guide. It explains how to configure SSL communication between the browser and the OracleAS Single Sign-On server (section titled "Enable SSL on the Single Sign-On Middle Tier".

Oracle Delegated Administration Services is SSL-enabled after you configure the Oracle HTTP Server for SSL. The Oracle Delegated Administration Services communication to Oracle Internet Directory is always SSL-enabled; you do not have to perform any configuration tasks to accomplish this. (OracleAS Single Sign-On, Oracle Application Server Certificate Authority, and Oracle Delegated Administration Services communicate with Oracle Internet Directory in SSL mode by default.)
Oracle Directory Integration and Provisioning to Oracle Internet Directory and Oracle Internet Directory replication server to Oracle Internet Directory

As shown in Figure 7-1, you can configure several components and communication paths for SSL. The following lists references to the instructions for each:
- Communication between the Oracle Internet Directory Replication server and the Oracle Internet Directory server: Oracle Application Server High Availability Guide, section titled "Secure Sockets Layer (SSL) and Oracle Internet Directory Replication"
- Communication between Oracle Directory Integration and Provisioning and the Oracle Internet Directory server: Oracle Identity Management Integration Guide, chapter titled "Oracle Directory Integration and Provisioning Server Administration"
The OC4J_SECURITY instance to the Metadata Repository database and Oracle Internet Directory to the Metadata Repository database

If Oracle Internet Directory is configured to accept SSL connections on the SSL port specified, then you need to specify only the SSL protocol and SSL port in the JDBC URL requesting an application, as follows:

ldaps://host:sslport/...

Note that when you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap.

If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, then you must modify the configuration. Refer to the section titled "Secure Sockets Layer (SSL) and the Directory" in the Oracle Internet Directory Administrator's Guide.

Figure 7-1 Identity Management Components and SSL Connection Paths

Description of "Figure 7-1 Identity Management Components and SSL Connection Paths"

7.4 Common SSL Configuration Tasks for the Infrastructure

This section provides references to the component guides in the Oracle Application Server documentation library that provide instructions for configuring SSL in individual components.

7.4.1 Configuring SSL for OracleAS Single Sign-On and Oracle Delegated Administration Services

Follow the instructions in the Oracle Application Server Single Sign-On Administrator's Guide to configure SSL communication between:

The browser and the OracleAS Single Sign-On server (section titled "Enable SSL on the Single Sign-On Middle Tier")
The OracleAS Single Sign-On server and the Oracle Internet Directory server (section titled "Configuring SSL Between the Single Sign-On Server and Oracle Internet Directory")

Oracle Delegated Administration Services is SSL-enabled after you configure the Oracle HTTP Server for SSL (as described in "Enable SSL on the Single Sign-On Middle Tier"). The Oracle Delegated Administration Services communication to Oracle Internet Directory is always SSL-enabled. You do not have to perform any configuration tasks to accomplish this.

7.4.2 Configuring SSL for Oracle Internet Directory

Instructions for configuring SSL communication in Oracle Internet Directory are provided in the following guides:

Oracle Internet Directory Administrator's Guide, the section titled "Secure Sockets Layer (SSL) and the Directory"
Oracle Internet Directory Administrator's Guide, the section titled "Configuring SSL Parameters"
Oracle Internet Directory Administrator's Guide, the section titled "Limitations of the Use of SSL in 10g (10.1.2)"

7.4.3 Configuring SSL for Oracle Internet Directory Replication Server and Oracle Directory Integration and Provisioning

As shown in Figure 7-1, you can configure several components and communication paths for SSL. The following lists references to the instructions for each:

Communication between the Oracle Internet Directory Replication server and the Oracle Internet Directory server: Oracle Application Server High Availability Guide, section titled "Secure Sockets Layer (SSL) and Oracle Internet Directory Replication"
Communication between Oracle Directory Integration and Provisioning and the Oracle Internet Directory server: Oracle Identity Management Integration Guide, chapter titled "Oracle Directory Integration and Provisioning Server Administration"

7.4.4 Configuring SSL in the Identity Management Database

Follow the instructions in the Oracle Application Server Single Sign-On Administrator's Guide, in the section titled "Reconfigure the Identity Management Infrastructure Database" to configure SSL in the Identity Management database.

7.5 SSL Communication Paths in the Middle Tier

This section identifies all SSL communication paths used in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.

The following lists the communication paths through the Oracle Application Server middle tier, and the related SSL configuration instructions:

External Clients or Load Balancer to Oracle HTTP Server

To configure the Oracle HTTP Server for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Enabling SSL."
External Clients or Load Balancer to OracleAS Web Cache

To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
OracleAS Web Cache to Oracle HTTP Server

To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.
Oracle HTTP Server to OC4J Applications (AJP)

To configure the AJP communication over SSL, you must configure mod_oc4j's communication with the iaspt daemon. To do this, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Configuring mod_oc4j to Use SSL."
Oracle HTTP Server to iaspt and then to OC4J

To configure this connection path for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, section titled "Understanding Port Tunneling."
OC4J (the JAAS provider) to Oracle Internet Directory

To configure the provider, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide. To configure the provider for SSL, set the SSL_ONLY_FLAG to true.
OC4J to the database (ASO)

If Oracle Internet Directory configured to accept SSL connections on the SSL port specified, you need only specify the SSL protocol and SSL port in the JDBC URL requesting an application, as follows:

ldaps://host:sslport/...

Note that when you are using a secure connection, you must add an s to the name of the protocol. For example, use ldaps instead of ldap.

If Oracle Internet Directory is not configured to accept SSL connections on the SSL port, you must modify the configuration. See Oracle Internet Directory Administrator's Guide, section titled "Secure Sockets Layer (SSL) and the Directory."
ORMI (Oracle Remote Method Invocation, a custom wire protocol) over HTTP and HTTP over SSL

ORMI over SSL is not supported. To configure similar functionality, you can configure ORMI over HTTP, and then configure HTTP for SSL.

See the Oracle Application Server Containers for J2EE Services Guide, section titled "Configuring ORMI Tunnelling Through HTTP" for instructions on how to configure ORMI/HTTP.
SSL into standalone OC4J (HTTPS)

To configure this connection path for SSL, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J" explains how to use SSL to secure communication between clients and an OC4J instance.
OracleAS Portal Parallel Page Engine (the servlet in the OC4J_PORTAL instance) to OracleAS Web Cache (HTTPS)

To configure this connection path for SSL, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide, section titled "Configuring SSL in OC4J."

7.6 Common SSL Configuration Tasks for the Middle Tier

This section identifies some commonly used SSL configurations in the Oracle Application Server middle-tier installation types, and provides cross-references to the configuration instructions in component guides in the Oracle Application Server documentation library.

7.6.1 Enabling SSL in OracleAS Web Cache

OracleAS Web Cache is part of all Oracle Application Server middle-tier installations. To configure it for SSL, follow the instructions in chapter "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.

A script, SSLConfigTool, automates the SSL configuration of the following:

HTTPS listening ports and wallet location for the cache
HTTPS operations ports for the cache
Site for HTTPS requests
HTTPS port and wallet location for the origin server
Site-to-server mapping

For instructions on using this script, see Chapter 14, "Using the SSL Configuration Tool" in the Oracle Application Server Administrator's Guide.

7.6.2 Enabling SSL in the Oracle HTTP Server

Oracle HTTP Server is part of all Oracle Application Server middle-tier installations. To configure Oracle HTTP Server for SSL, follow the instructions in the Oracle HTTP Server Administrator's Guide, the section titled "Enabling SSL."

A script, SSLConfigTool, automates the setting of the SSL parameters in the httpd.conf file. For more information about this script, see Chapter 14, "Using the SSL Configuration Tool" in the Oracle Application Server Administrator's Guide.

7.6.3 Enabling SSL in Oracle Application Server Containers for J2EE (OC4J)

To configure SSL connections to OC4J clients, follow the instructions in the Oracle Application Server Containers for J2EE Security Guide section titled "Oracle HTTPS for Client Connections."

7.6.4 Enabling SSL in J2EE and Web Cache Installations

Depending on your security needs and the configuration of the Oracle Application Server J2EE and Web Cache installation, you may implement secure communication in one or more of the installed components. Configuring the first listener (whether it is OracleAS Web Cache or the Oracle HTTP Server) may be sufficient.

To configure the Oracle HTTP Server for SSL, follow the steps in "Enabling SSL for Oracle HTTP Server" in the Oracle HTTP Server Administrator's Guide.

To configure OracleAS Web Cache for SSL, follow the instructions in "Configuring OracleAS Web Cache for HTTPS Requests" in the Oracle Application Server Web Cache Administrator's Guide.

A script called SSLConfigTool is provided to automate some of the configuration tasks. For instructions on using this script, see Chapter 14, "Using the SSL Configuration Tool" in the Oracle Application Server Administrator's Guide.

7.6.5 Enabling SSL in Virtual Hosts

You can use virtual hosts to deploy multiple Web sites on a single Oracle HTTP Server (for example, to make an application available over the HTTP protocol and the HTTPS protocol).

The Oracle Application Server Single Sign-On Administrator's Guide, section titled "Configuring mod_osso with Virtual Hosts" contains instructions on configuring an SSL virtual host to be protected by mod_osso. You cannot use name-based virtual hosting. You must use IP-based or port-based virtual hosting.

The scenario presented assumes that the following conditions are in effect:

The host name of the application middle tier is app.mydomain.com (replace this name with the host name of your application middle tier).
The middle tier is already configured as a non-SSL partner application (this is typically done during installation).
The default SSL port number of the application middle tier is 4443.

7.6.6 Enabling SSL in OracleBI Discoverer

The Oracle Business Intelligence Discoverer Configuration Guide explains how to configure OracleBI Discoverer for SSL.

For a discussion of Oracle Application Server Framework Security, including the SSL protocols for Oracle Business Intelligence, refer to the Oracle Business Intelligence Discoverer Configuration Guide, the section titled "Using Discoverer with OracleAS Framework Security."

For information about implementing SSL in OracleBI Discoverer, refer to the Oracle Business Intelligence Discoverer Configuration Guide, the section titled "What is HTTPS and why should I use it?"

For instructions on enabling OracleBI Discoverer for SSL, refer to the Oracle Business Intelligence Discoverer Configuration Guide, the section titled "About running Discoverer over HTTPS."

7.6.7 Enabling SSL in OracleAS Wireless

For instructions on configuring SSL in OracleAS Wireless, refer to the Wireless Security chapter in the Oracle Application Server Wireless Administrator's Guide. The section titled "Site Administration" explains how to use the System Manager HTTP, HTTPS configuration page in Oracle Enterprise Manager 10g to configure the Wireless site's proxy server settings, URLs, and SSL certificates in the Wireless site.

7.6.8 Enabling SSL in OracleAS Portal

OracleAS Portal uses several components for HTTP communication (such as the Parallel Page Engine, Oracle HTTP Server, and OracleAS Web Cache), each of which may function as a client or server. As a result, each component in the Oracle Application Server middle tier may be configured individually to use the HTTPS protocol instead of HTTP. These components' interact with OracleAS Portal through the following distinct network hops:

Between the client browser and the entry point of the OracleAS Portal environment. The entry point can be OracleAS Web Cache or a network edge hardware device such as a reverse proxy or SSL accelerator
Between OracleAS Web Cache and the Oracle HTTP Server of the Oracle Application Server middle tier
Between the client browser and the Oracle HTTP Server of the OracleAS Single Sign-On or Oracle Internet Directory (or Infrastructure) tier
A loop back connection between the Parallel Page Engine (PPE) on the middle tier and OracleAS Web Cache or the front-end reverse proxy
Between the Parallel Page Engine (PPE) and the Remote Web Provider that provides Portlet content
Between the OracleAS Portal infrastructure and the Oracle Internet Directory server

The following sections in the Oracle Application Server Portal Configuration Guide provide an overview of the most common SSL configurations for OracleAS Portal and instructions for implementing them:

SSL to OracleAS Single Sign-On: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure a secure connection to OracleAS Single Sign-On.
SSL to OracleAS Web Cache: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure a secure connection to OracleAS Web Cache.
SSL throughout OracleAS Portal: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure secure connections throughout OracleAS Portal.
External SSL with non- SSL within Oracle Application Server: Follow the instructions in the Oracle Application Server Portal Configuration Guide to configure OracleAS Portal such that the site is externally accessible through SSL URLs, with the Oracle Application Server running in the non-SSL mode.

Note:

For general information about securing OracleAS Portal, refer to the Oracle Application Server Portal Configuration Guide (the chapter about Securing OracleAS Portal).

7.6.9 Configuring SSL for Oracle Enterprise Manager 10g

To configure SSL for Oracle Enterprise Manager 10g, refer to the Oracle Application Server Administrator's Guide.