Oracle® Application Server Web Cache Administrator's Guide
10g Release 2 (10.1.2)
B14046-04

9 Configuring OracleAS Web Cache for HTTPS Requests

To provide more security for your Web site, you can configure OracleAS Web Cache to receive HTTPS protocol client requests and send HTTPS requests to the origin server. HTTPS uses the Secure Sockets Layer (SSL) to encrypt and decrypt user page requests as well as the pages that are returned by the OracleAS Web Cache and origin servers. You can also configure OracleAS Web Cache to send traffic to the origin server through an HTTPS listening port.

To configure HTTPS support, perform these tasks:

You can automate Tasks 2-6 and Task 9 by using the SSLConfigTool script.


See Also:

Oracle Application Server Administrator's Guide for information about the SSLConfigTool

Task 1: Create Wallets

To support HTTPS for OracleAS Web Cache, you must create a wallet on the OracleAS Web Cache server for each supported site. Wallets are needed to support the following HTTPS requests:

A dummy wallet for the origin server is located in $ORACLE_HOME/webcache/wallets/default on UNIX and ORACLE_HOME\webcache\wallets\default on Windows. This wallet is intended for testing purposes. For a production environment, you must create a new wallet.

For each site that OracleAS Web Cache supports, configure at least one wallet. You specify the location of the wallet for each of the OracleAS Web Cache HTTPS listening and operations ports (to support incoming HTTPS requests), and the origin server (to support outgoing HTTPS requests). You can share one wallet, or you can create separate wallets. If you use the same wallet, keep in mind that it can support only one server-side certificate.

The following provides the basic steps for creating a wallet for use by OracleAS Web Cache. For detailed instructions, see the Oracle Application Server Administrator's Guide.

  1. Invoke Oracle Wallet Manager:

    • On UNIX, run owm from $ORACLE_HOME/bin.

    • On Windows, choose Start > Programs > Oracle - Oracle_homename > Network Administration > Wallet Manager.

  2. Create the wallet (Wallet > New), entering a password as prompted.

  3. You are prompted whether or not to create a certificate request. Click Yes. Then, enter the information in the dialog box. For Common Name, specify the name or alias of the site that will be configured for HTTPS support.

  4. Submit the certificate to a Certificate Authority (CA) for signature.

  5. Import the CA's root certificate into the wallet (Operations > Import Trusted Certificate).

  6. Enable Auto-login, which enables PKI-based access to services without a password. Select the wallet and choose Wallet from the menu bar. Check Auto Login.

  7. Save the wallet. Select the wallet and choose Wallet > Save.

  8. When you receive the signed certificate from the CA, import it into the wallet (Operations > Import User Certificate) and save the wallet.

By default, Oracle Wallet Manager stores wallets in the following locations:

Task 2: Configure an HTTPS Listening Port

To configure HTTPS protocol support between client and OracleAS Web Cache, you must configure an HTTPS listening port for OracleAS Web Cache.

To configure an HTTPS listening port in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Ports.


See Also:

"Configuring Listen Ports" in Enterprise Manager Online Help for instructions

To configure an HTTPS listening port in OracleAS Web Cache Manager:

  1. From the navigator frame in OracleAS Web Cache Manager, select Ports > Listen Ports.

  2. Select a cache, and then click Add.

  3. Specify the information for the port, selecting HTTPS for the Protocol. You must specify a port

  4. Enable or disable client-side certificates. Select Require Client-Side Certificate to enable OracleAS Web Cache to require client browsers to provide SSL certificates.

    A client-side certificate is a method for verifying the identity of the client. It binds information about the client user to the user's public key and must be digitally signed by a trusted CA.

  5. In the Wallet field, enter the directory location of the wallet. This directory must contain an existing wallet.

    This wallet is used for client requests for sites hosted by OracleAS Web Cache.

    You can share one wallet among all the HTTPS listening ports for a site and the origin server, or create separate wallets. If you use the same wallet, keep in mind that it can support only one server-side certificate.

  6. Click Submit.



Task 3: Configure HTTPS Operations Ports for the Cache

To configure HTTPS ports to listen for administration, invalidation, or statistics monitoring requests in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Ports.


See Also:

"Configuring Operation Ports" in Enterprise Manager Online Help for instructions

To configure HTTPS ports to listen for administration, invalidation, and statistics monitoring requests in OracleAS Web Cache Manager:

  1. From the navigator frame, select Ports > Operations Ports.

  2. Select a cache, and then click Edit Selected.

  3. Specify the information for the port, selecting HTTPS for the Protocol.

  4. Enable or disable client-side certificates.

    Select Require Client-Side Certificate to enable OracleAS Web Cache to require client browsers to provide SSL certificates.

    A client-side certificate is a method for verifying the identity of the client. It binds information about the client user to the user's public key and must be digitally signed by a trusted CA.

  5. In the Wallet field, enter the directory location of the wallet. This directory must contain an existing wallet.

    This wallet is used for administration, invalidation, and statistics monitoring of HTTPS requests for sites hosted by OracleAS Web Cache.

    You can share one wallet among all the HTTPS listening ports for a site and the origin server, or create separate wallets. If you use the same wallet, keep in mind that it can support only one server-side certificate.

    Oracle recommends entering the location, even if the default is being used.

  6. Click Submit.

If you set an HTTPS invalidation or statistics monitoring port, you must configure a valid origin server wallet, as described in "Task 4: Configure HTTPS Port and Wallet Location for the Origin Server". The admin server process requires this wallet to send HTTPS requests to invalidation and statistics monitoring ports enabled for SSL.

If you change the statistics protocol to HTTPS, it is not possible to view performance statistics in Enterprise Manager until a certificate is uploaded in Base64 format to b64InternetCertificate.txt in $ORACLE_HOME/sysman/config on UNIX or ORACLE_HOME\sysman\config on Windows.



Task 4: Configure HTTPS Port and Wallet Location for the Origin Server

You can configure HTTPS protocol support between OracleAS Web Cache and origin servers. When you use the Oracle HTTP Server as the origin server, requests from an OracleAS Web Cache server configured with an HTTPS listening port are passed on a secure (SSL) connection. It is not necessary to configure an HTTPS port for an Oracle HTTP Server. However, for other origin servers, you must configure an HTTPS port to secure the connection from OracleAS Web Cache to the origin server.

Then, you specify the location of the wallet for OracleAS Web Cache communication to the origin server. This wallet manages OracleAS Web Cache authentication data, such as keys, certificates, and trusted certificates needed by the Secure Sockets Layer (SSL).

In addition to supporting OracleAS Web Cache requests using HTTPS to the origin server, this wallet also enables the admin server process to send HTTPS requests to invalidation and statistics monitoring ports enabled for SSL.

To configure HTTPS protocol support between OracleAS Web Cache and origin servers in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Application > Origin Servers to configure an origin server for HTTPS, and to Web Cache Home page > Administration tab > Properties > Web Cache > Security to configure the origin server wallet.


See Also:

"Configuring Origin Servers" and "Modifying General Security Settings" in Enterprise Manager Online Help for instructions

To configure HTTPS protocol support between OracleAS Web Cache and origin servers in OracleAS Web Cache Manager:

  1. From the navigator frame, select Origin Servers, Sites, and Load Balancing > Origin Servers.

  2. In the Origin Servers page, either click Add to add an origin server, or select an existing server and click Edit.

  3. In the dialog box, specify the information for the origin server, selecting HTTPS for the Protocol. (See "Task 9: Configure Origin Server, Load Balancing, and Failover Settings" for information on configuring the origin server.)

  4. Click Submit.

  5. In the navigator frame, select Origin Servers, Sites, and Load Balancing > Origin Server Wallet.

    The Origin Server Wallet page appears.

  6. Select the cache for which you want to modify wallet settings, and then click Edit Selected.

    The Edit Origin Server Wallet dialog box appears.

  7. In the Wallet Directory field, enter the directory location of the wallet. This directory must contain an existing wallet.

    You can share one wallet among all the HTTPS listening ports for a site and the origin server, or create separate wallets. If you use the same wallet, keep in mind that it can support only one server-side certificate.

  8. Click Submit.



Task 5: Configure a Site to Accept HTTPS Requests

You must specify a site that will accept HTTPS requests.

To configure site settings in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Application > Sites.


See Also:

"Configuring Site Properties for a Named Site" in Enterprise Manager Online Help for instructions

To configure site settings in OracleAS Web Cache Manager:

  1. In the navigator frame, select Origin Servers, Sites, and Load Balancing > Site Definitions.

  2. In the Site Definitions page, click Add Site.

  3. Specify the information, as described in "Task 10: Configure Web Site Settings".

    In the Port field, enter the number of the HTTPS listening port. This site will use the wallet defined for that port.

    In the HTTPS Only Prefix field, enter the URL prefix for which only HTTPS requests will be served. If all traffic must be restricted to HTTPS, enter "/" for the entire site.

  4. Click Submit.

  5. In the navigator frame, select Origin Servers, Sites, and Load Balancing > Site-to-Server Mapping.

  6. Create a mapping from the site to an origin server, as described in "Task 10: Configure Web Site Settings".

  7. Click Submit.

Task 6: Modify ssl.conf for Keep-Alive Connections

By default, Oracle HTTP Server does not maintain keep-alive connections for HTTPS client requests from Microsoft Internet Explorer 5.5 and later releases. Internet Explorer has known issues with trying to reuse SSL connections after they have timed out. In order for Oracle HTTP Server to maintain keep-alive connections from OracleAS Web Cache, you must remove the following entry from the ssl.conf file in the $ORACLE_HOME/Apache/Apache/conf directory on UNIX or the ORACLE_HOME\Apache\Apache\conf directory on Windows:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

The ssl.conf file specifies the SSL definitions for Oracle HTTP Server. If this entry is not removed, then keep-alive connections are disabled.
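As an added example (not part of the Oracle guide), the following Python function performs the Task 6 edit unattended: it removes exactly that SetEnvIf line from a given ssl.conf, keeps a backup, leaves every other directive untouched and reports how many lines it removed. The ssl.conf lines used in demo() are constructed sample content.

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Match the directive token by token so extra spacing cannot hide it, while a
# SetEnvIf for any other User-Agent pattern is left alone.
_DIRECTIVE = re.compile(
    r'^\s*SetEnvIf\s+User-Agent\s+"\.\*MSIE\.\*"\s+nokeepalive\s+ssl-unclean-shutdown\s*$'
)


def remove_msie_nokeepalive(ssl_conf: str) -> int:
    """Remove the MSIE nokeepalive directive from ssl_conf in place.

    A backup is written to <ssl_conf>.bak before the file is rewritten; every
    other line is preserved as-is. Returns the number of lines removed, so a
    second run (which finds nothing) returns 0 and writes nothing.
    """
    path = Path(ssl_conf)
    lines = path.read_text().splitlines(keepends=True)
    kept = [ln for ln in lines if not _DIRECTIVE.match(ln)]
    removed = len(lines) - len(kept)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text("".join(kept))
    return removed


def demo(workdir: Optional[str] = None) -> dict:
    """Run the removal on a constructed ssl.conf (sample lines, not Oracle's file)."""
    workdir = workdir or tempfile.mkdtemp()
    conf = Path(workdir) / "ssl.conf"
    conf.write_text(
        "SSLEngine on\n"
        "SSLSessionCacheTimeout 300\n"
        'SetEnvIf   User-Agent ".*MSIE.*"   nokeepalive ssl-unclean-shutdown\n'
        'SetEnvIf User-Agent ".*Other.*" downgrade-1.0\n'
    )
    first = remove_msie_nokeepalive(str(conf))
    second = remove_msie_nokeepalive(str(conf))  # idempotent: nothing left to remove
    return {
        "removed": first,
        "rerun": second,
        "lines": conf.read_text().splitlines(),
        "backup_has_msie": conf.with_name("ssl.conf.bak").read_text().count("MSIE"),
    }


if __name__ == "__main__":
    print(demo())
```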



Task 7: (Optional) Require Client-Side Certificates

You can require that clients send certificates (client-side certificates) to the cache to verify the identity of the client.

With client-side certificates, the client browser sends the certificate to the cache during the SSL handshake. Then, the server processes the request for the object. If the requested object is not stored in the cache, the cache forwards the request to the application Web server, a peer cache (in a cluster), or a subordinate cache (in a hierarchy). To transfer information about the client-side certificate to another cache or to the application Web server, OracleAS Web Cache adds HTTP headers to the request. The headers begin with the string SSL-Client-Cert.

Note the following points about using client-side certificates:

The following topics describe how to configure client-side certificate settings:

Configuring Client-Side Certificate Settings for the HTTPS Listening Port

To use client-side certificates, you must enable an HTTPS listening port, as described in "Task 2: Configure an HTTPS Listening Port". If you have a cache cluster, you must enable HTTPS listening ports for all cluster members. In addition, you must configure OracleAS Web Cache to require client browsers to provide SSL certificates.

To enable this setting in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Security.


See Also:

"Configuring Listen Ports" in Enterprise Manager Online Help for instructions

To enable this setting in OracleAS Web Cache Manager:

  1. In the navigator frame, select Ports > Listen Ports.

    The Listen Ports page is displayed.

  2. Select the HTTPS port and click Edit.

  3. In the Edit Listening Port dialog box, select Require Client-Side Certificate.

  4. Click Submit.

If you have a simple configuration, not a cache cluster or a cache hierarchy, proceed to the next section, "Task 8: (Optional) Permit Only HTTPS Requests for a URL or Set of URLs".

After configuring the client-side certificate, to enable OracleAS Web Cache to transfer certificate information to Oracle HTTP Server, add the AddCertHeader directive to httpd.conf.


See Also:

Oracle HTTP Server Administrator's Guide for information about adding the AddCertHeader directive

Configuring Client-Side Certificate Settings for Cache Clusters

If you have a cache cluster, you must prevent a cache from accepting the certificate information in HTTP headers from any source other than a peer cluster member. In addition, each cache must be able to pass the client-side certificate information in headers to the peer cluster member, and the peer must be able to pass them to the application Web server.

To configure this behavior in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Security.


See Also:

"Ensuring that ClientIP Headers Are Valid" in Enterprise Manager Online Help for instructions

To configure this behavior in OracleAS Web Cache Manager:

  1. In the navigator frame, select Properties > Security.

  2. In the Special Security Header Configuration section of the Security page, the value of Accept SSL client certificates encoded in SSL-Client-Cert HTTP headers must be NO (the default).

    If it is not, click Edit to modify the setting in the Special Security Header Configuration dialog box.

  3. In the Cluster Security Configuration section, the value of Route requests that contain SSL client certificates to cache cluster peers must be YES.

    If it is not, click Edit to modify the setting in the Cluster Security Configuration dialog box.

Configuring Client-Side Certificate Settings for an ESI Cache Hierarchy

If you have an ESI cache hierarchy, a provider cache must be able to accept the client-side certificate information in headers from the subscriber cache.

To enable this behavior in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Web Cache > Security.


See Also:

"Ensuring that ClientIP Headers Are Valid" in Enterprise Manager Online Help for instructions

To enable this behavior in OracleAS Web Cache Manager:

  1. In the navigator frame, select Properties > Security.

  2. In the Special Security Header Configuration section of the Security page, the value of Accept SSL client certificates encoded in SSL-Client-Cert HTTP headers must be YES.

    If it is not, click Edit to modify the setting in the Special Security Header Configuration dialog box.

  3. If the subordinate caches are in a cluster, the subordinate caches must be able to pass the client-side certificate information in headers to the peer cluster member. In this case, in the Cluster Security Configuration section of the Security page, the value of Route requests that contain SSL client certificates to cache cluster peers must be YES.

    If it is not, click Edit to modify the setting in the Cluster Security Configuration dialog box.
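The cluster and ESI hierarchy settings above both decide whose SSL-Client-Cert headers a cache will believe before forwarding a request. The following is an added model of that trust rule, not Oracle's code: it assumes that with the setting at NO only cluster peers are trusted and with it at YES any upstream cache is, and the full header name and the addresses in demo() are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# The guide states only that the forwarded headers begin with "SSL-Client-Cert";
# the full header name used in demo() is constructed for illustration.
CERT_HEADER_PREFIX = "ssl-client-cert"


def filter_cert_headers(
    headers: Dict[str, str],
    source_ip: str,
    cluster_peers: Iterable[str],
    accept_from_any: bool = False,
) -> Tuple[Dict[str, str], List[str]]:
    """Decide which SSL-Client-Cert headers a cache may believe.

    accept_from_any=False models "Accept SSL client certificates encoded in
    SSL-Client-Cert HTTP headers" = NO (the cluster default): only a cluster
    peer is trusted, so certificate headers arriving from any other source
    are dropped rather than passed on to the origin server.
    accept_from_any=True models YES (an ESI provider cache): a subscriber
    cache is allowed to supply them.
    Returns (headers to forward, names of headers dropped).
    """
    src = ip_address(source_ip)
    from_peer = any(src in ip_network(peer, strict=False) for peer in cluster_peers)
    trusted = accept_from_any or from_peer
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if name.lower().startswith(CERT_HEADER_PREFIX) and not trusted:
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped


def demo() -> dict:
    """Constructed requests: one relayed by a cluster peer, one from outside."""
    peers = ["10.0.0.0/24"]  # constructed cluster subnet
    request = {"Host": "www.example.com", "SSL-Client-Cert-Subject": "CN=alice"}
    return {
        # relayed by a peer that verified the certificate in its own handshake
        "peer": filter_cert_headers(dict(request), "10.0.0.7", peers),
        # same header from outside the cluster: dropped under the NO setting
        "outside": filter_cert_headers(dict(request), "203.0.113.9", peers),
        # ESI provider cache with the setting at YES keeps it
        "esi_provider": filter_cert_headers(dict(request), "203.0.113.9", peers, True),
    }


if __name__ == "__main__":
    print(demo())
```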

Configuring Client-Side Certificate Settings for a Site

You can also specify that an entire site require client-side certificates.

To configure a site to use client-side certificates in Application Server Control Console, navigate to Web Cache Home page > Administration tab > Properties > Application > Sites.


See Also:

"Configuring Site Properties for a Named Site" in Enterprise Manager Online Help for instructions

To configure a site to use client-side certificates in OracleAS Web Cache Manager:

  1. In the navigator frame, select Origin Servers, Sites, and Load Balancing > Site Definitions.

  2. In the Site Definitions page, select the site and click Edit Site.

  3. In the Edit Site page, select Required in the Client-Side Certificate field.

  4. Click Submit.

Task 8: (Optional) Permit Only HTTPS Requests for a URL or Set of URLs

You can restrict a URL or set of URLs for a site to permit only HTTPS requests.

To allow only HTTPS traffic for a URL or a set of URLs:

  1. Configure Web site settings, as described in "Task 10: Configure Web Site Settings".

  2. In Step 2e, enter the URL or URL prefix.

    If all traffic must be restricted to HTTPS, enter "/" for the entire site.

Task 9: Restart OracleAS Web Cache

If you are using OracleAS Web Cache Manager, click Apply Changes in the main window.

After you make configuration changes, you must restart the cache or admin server processes, using the opmnctl utility or webcachectl utility (for standalone installations) on the computer on which OracleAS Web Cache software is installed and configured.