Skip Headers
Oracle® Application Server Integration B2B User's Guide
10g Release 2 (10.1.2.0.2)
B19370-01
  Go To Table Of Contents
Contents
Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Index
Index

Previous
Previous
Next
Next
 

20 Oracle Application Server Integration B2B Security

This chapter describes the architecture and configuration of security for Oracle Application Server Integration B2B.

This chapter contains the following topics:

See the following for more information:

About OracleAS Integration B2B Security

This section describes the OracleAS Integration B2B security model. This section contains these topics:

Classes of Users and Their Privileges

A single user named admin is automatically created during OracleAS Integration B2B installation. The password for admin is the same one you specified for the Oracle Application Server administrator named ias_admin when prompted during the J2EE and Web Cache and OracleAS Integration B2B installations.

The admin user consists of a single default user role named Administrator. The Administrator role consists of the use cases (privileges) that enable the admin user to use the entire functionality of the OracleAS Integration B2B user interface tool to design, deploy, monitor, and manage integrations. A Reports role is also available for users (such as business analysts) that require access to only the Reports tab of the OracleAS Integration B2B user interface tool. The admin user can create additional users to which to assign the Administrator role.

You can also administer portions of OracleAS Integration B2B from the Oracle Enterprise Manager 10g Application Server Control Console. Log in with the ias_admin username. Use the same password for ias_admin that you specified when prompted during the J2EE and Web Cache and OracleAS Integration B2B installations.

See the following for more information:

Resources Protected

The following security is provided for protecting resources:

  • The partner data that you design with the OracleAS Integration B2B user interface tool is protected by both the admin username and password and by the security provided by the Oracle database used for the Oracle Application Server Metadata Repository.

  • Network messaging can be secured and encrypted using Oracle Advanced Security. Network messaging can also be secured by using secure HTTP with the OracleAS Integration B2B user interface tool.

  • Transport protocols that enable communication between applications and OracleAS Integration B2B use their own security (such as HTTP, FTP, and SMTP) to restrict access to data.

  • The messages that trading partners send and receive during integrations between enterprises are protected by the following levels of security:

    • Digital envelopes and certificates

    • Digital signatures for host and remote trading partners

    • Secure HTTP (using secure socket layer (SSL))

    • Encrypted wallet password for a host trading partner

See "OracleAS Integration B2B Security Configuration" for an overview of security configuration for integrations between enterprises.

Authorization and Access Enforcement

When you attempt to access the OracleAS Integration B2B user interface tool, you are prompted for a username and password. Without knowledge of this connection information, you cannot access the user interface tool to design, deploy, and manage integrations between enterprises.

Use of Oracle Application Server Security Services

Oracle Application Server provides a series of security services. OracleAS Integration B2B enables you to use SSL. You can use SSL for securing connections between host and remote trading partners. SSL uses a public key infrastructure to provide authentication and data integrity.

Secure HTTP can also be used to secure the OracleAS Integration B2B user interface tool.

See Oracle Application Server Security Guide for a description of Oracle Application Server security services.

Use of Oracle Identity Management Infrastructure

This release of OracleAS Integration B2B does not require use of Oracle Identity Management infrastructure features; Oracle Identity Management is optionally selectable for use during OracleAS Integration B2B installation and is only used for OracleAS Integration B2B schema password storage.

Configuring Oracle Application Server Security Framework for OracleAS Integration B2B

This section describes Oracle Application Server security options to configure to use OracleAS Integration B2B. This section contains these topics:

OracleAS Integration B2B Security Framework Configuration Issues

The OracleAS Integration B2B schema is protected by a password created during Oracle Application Server Infrastructure installation. These schemas are stored in the metadata repository of Oracle Application Server Infrastructure to which you configure access during OracleAS Integration B2B installation. In addition, the partner data you design, deploy, and manage with the OracleAS Integration B2B user interface tool is stored in this same metadata repository of Oracle Application Server Infrastructure.

See the following for more information:

Identity Management Configuration Issues Specific to OracleAS Integration B2B

This initial release of OracleAS Integration B2B does not use the identity management infrastructure. Therefore, there are no identity management configuration issues and options.

Configuring OracleAS Integration B2B Security

This section provides an overview of OracleAS Integration B2B installation and configuration issues. This section contains these topics:

OracleAS Integration B2B Installation

This section describes OracleAS Integration B2B security installation issues.

Required Information for Successfully Installing Oracle Application Server Integration B2B

While you do not specify security parameters when installing OracleAS Integration B2B, the Oracle Application Server administrator must know the following information to install OracleAS Integration B2B:

  • The name of the host on which the Oracle Application Server Infrastructure installation to use as the metadata repository is installed

  • The specific Oracle Application Server Infrastructure installation on that host that includes the OracleAS Integration B2B schema

  • The OracleAS Integration B2B schema password automatically created during Oracle Application Server Infrastructure installation

  • The ias_admin password specified during J2EE and Web Cache installation, which is used as the initial password for the OracleAS Integration B2B admin user and for the Oracle Enterprise Manager 10g Application Server Control Console ias_admin user

See Oracle Application Server Integration B2B Installation Guide for OracleAS Integration B2B installation instructions.

OracleAS Integration B2B Security Configuration

You configure security with the OracleAS Integration B2B user interface tool after installation. OracleAS Integration B2B provides the following levels of security:

See "Creating a Trading Partner Agreement" to create a trading partner agreement to which to assign a trading partner with its delivery channel characteristics.

Digital Envelopes and Certificates for Host and Remote Trading Partners

You can create encrypted business messages with remote trading partner certificates. Table 20-1 provides an overview of the tasks.

Table 20-1 Host and Remote Trading Partner Certificate Tasks

Tasks See...

Assign a digital envelope to a remote trading partner with the Create Trading Partner wizard:


  • Select Yes from the Encryption Enabled list of the Create Trading Partner: Delivery Channel page.

  • Select a digital envelope from the Digital Envelope list of the Create Trading Partner: Document Exchange page.

Assign remote trading partner certificates through either of two methods:


With the Create Trading Partner wizard:


  • Enter a remote certificate name in the Name field of the Create Trading Partner: Document Exchange page.


  • Click Browse to select a certificate file for the Certificate File field of the Create Trading Partner: Document Exchange page.


Without the Create Trading Partner wizard:

Note: Creating a remote trading partner certificate through this second method means that you must manually attach the correct digital envelope.


Assign a wallet password to the host trading partner in the user interface tool:


  • Create a wallet password with the user interface tool.


  • Specify a wallet location on the Server Properties page of Oracle Enterprise Manager 10g Application Server Control Console.



These digital envelope and remote trading partner certificate details comprise a portion of the delivery channel characteristics. You can then assign the delivery channel to a trading partner participating in a trading partner agreement.

See the following for more information:

Digital Signatures for Host and Remote Trading Partners

You can use a digital signature with host and remote trading partners. The digital signature ensures that the message is authentic. Table 20-2 provides an overview of the tasks for configuring digital signatures.

Table 20-2 Digital Signature Tasks

Tasks See...

Assign digital signatures to host and remote trading partners with the Create Trading Partner wizard:


  • Select Yes from the Is Non-Repudiation of Origin Required list and Is Non-Repudiation of Receipt Required list on the Create Trading Partner: Delivery Channel page.

    Notes: If you select Yes from the Is Non-Repudiation of Origin Required list, you must also select Yes from the Is Non-Repudiation of Receipt Required list.

    In a trading partner agreement, both the host and remote trading partners must have the same values for Is Non-Repudiation of Origin Required and Is Non-Repudiation of Receipt Required.


  • Select a digital signature from the Digital Signature list of the Create Trading Partner: Document Exchange page.

    Note: Oracle recommends that you select a digital signature that uses SHA-RSA.


Assign a signing credential to a remote trading partner with the Create Trading Partner wizard:


  • Enter a signing credential name in the Name field of the Create Trading Partner: Document Exchange page.


  • Click Browse to select a signing credential for the Certificate File field of the Create Trading Partner: Document Exchange page.


Assign a wallet password to the host trading partner:


  • Update the wallet password in the user interface tool.


  • Update the wallet location on the Server Properties page of Oracle Enterprise Manager 10g Application Server Control Console.



These digital signature details comprise a portion of the delivery channel characteristics. You can then assign the delivery channel to a trading partner participating in a trading partner agreement.

See the following for more information:

Secure HTTP and Client Authentication

You can use SSL to secure connections between host and remote trading partners. Table 20-3 provides an overview of the parts to configuring SSL.

Table 20-3 SSL Tasks

Part Task See...

1

Assign SSL for transport security with the Create Trading Partner wizard:



  • Select Yes from the Transport Security Enabled list of the Create Trading Partner: Delivery Channel page.



  • Select HTTP 1.0 (Secure) or HTTP 1.1 (Secure) from the Transport Protocol list of the Create Trading Partner: Transport page.


2

Set up a certificate authority (CA):



Oracle Application Server Administrator's Guide



  • Import a trading partner's CA into Oracle Wallet Manager.



  • Export the entire wallet into a text file. The file requires a .txt extension.



  • Place this file in the same location as the original wallet file.


3

Assign a wallet password to the host trading partner:



  • Update the wallet password you created previously.



  • Update the wallet location on the Server Properties page of Oracle Enterprise Manager 10g Application Server Control Console.


4

Configure SSL server and client authentication for Oracle Application Server.

  • Oracle Application Server Administrator's Guide

  • Oracle Application Server Security Guide



These SSL details comprise a portion of the delivery channel characteristics. You can then assign the delivery channel to a trading partner participating in a trading partner agreement.


Note:

Oracle Wallet Manager allows only base64 files to be imported. Use Internet Explorer or another tool to convert a nonbase64 encoded certificate to base64.

See the following for more information:

Troubleshooting SSL Setup

Follow these instructions to troubleshoot SSL setup:

Use the browser to connect to the secure HTTP URL. Upon successful connection, the following details are viewable:

  • If you are using Internet Explorer, then from File, select Properties. The connection information appears. A Certificates button that displays certificate information also appears.

  • You may get a confirmation page from the remote server.

Verifying SSL Client Authentication

Follow these instructions to verify SSL client authentication:

  • Using the Netscape browser:

    1. Import an Oracle Wallet by selecting Communicator, then Tools, then Security Info, then Certificates, then Yours, and then Import a Certificate from the main menu.

    2. Connect to the secure HTTP URL.

  • Using the Internet Explorer browser:

    Internet Explorer does not recognize the .p12 file generated using Oracle Wallet. Perform these steps to import the Oracle Wallet:

    1. Import the Oracle Wallet by selecting Communicator, then Tools, then Security Info, then Certificates, then Yours, and then Import a Certificate from the main menu.

    2. Export the Oracle Wallet by selecting Communicator, then Tools, then Security Info, then Certificates, then Yours, and then Export.

    3. Import this Oracle Wallet into Internet Explorer and try connecting to the secure HTTP URL.

Encrypted Wallet Passwords for Host Trading Partners

OracleAS Integration B2B uses an Oracle Wallet for storing private and public keys. A wallet password is required for accessing an Oracle Wallet. You create an initial wallet password and an Oracle Wallet with Oracle Wallet Manager. The wallet password is stored in encrypted format in the Oracle Application Server Metadata Repository. This wallet is used for digital envelopes, digital signatures, and SSL. Table 20-4 provides an overview of the tasks to perform in the OracleAS Integration B2B user interface tool after you create the wallet password and Oracle Wallet:

Table 20-4 Host Trading Partner Wallet Password

Task See...

Create a host trading partner wallet password

"Creating a Host Trading Partner Wallet Password"

Note: Enter the same wallet password that you created in Oracle Wallet Manager. If you later change the wallet password in Oracle Wallet Manager, you must also update the password in the OracleAS Integration B2B user interface tool.

Specify the directory location for the wallet file

"OracleAS Integration B2B Middle-Tier Instance Server Properties" to access the OracleAS Integration B2B server properties (under the Server Properties section) with Oracle Enterprise Manager 10g Application Server Control Console. The Wallet Location property enables you to specify the directory location for the wallet file.


Host Trading Partner Password Encryption in High Availability Environments

OracleAS Integration B2B provides a feature that automatically encrypts the host trading partner's OracleAS Integration B2B passwords through use of an obfuscated, encryption key created during installation. If you want to change this key value, do so during OracleAS Integration B2B downtime, as all passwords within the OracleAS Integration B2B schema are re-encrypted. A new encryption key is then created.

If OracleAS Integration B2B is part of a high availability or disaster recovery configuration and you want to change the encryption key, you must perform the following procedures:

  1. Follow the instructions in "Managing and Monitoring a Middle-Tier Instance from Oracle Enterprise Manager 10g Application Server Control Console" to log in to the Oracle Enterprise Manager 10g Application Server Control Console and access the primary OracleAS Integration B2B instance.

  2. Shut down the B2B server and Oracle Application Server Containers for J2EE (OC4J) instance subcomponents on the primary system on which OracleAS Integration B2B is installed.

  3. Go to the Security Key parameter on the Server Properties page.

  1. Make the following changes:

    1. Change the encryption key in the Security Key field.

    2. Check the Re-encrypt Security Key for B2B Repository box.

      This action re-encrypts the OracleAS Integration B2B schema password.

  2. Click Apply.

  3. Go to the secondary (or backup) system of which OracleAS Integration B2B is a part.

  4. Repeat Steps 2 and 3 on the secondary system.

  5. Enter the same encryption key in the Security Key field as you did in Step 3a. However, do not check the Re-encrypt Security Key for B2B Repository box.

  6. Repeat Steps 6 through 8 for additional secondary systems.

  7. Restart the primary and secondary systems.

Configuration Issues and Options to Use for Oracle Application Server Security Framework

You can enable encryption between OracleAS Integration B2B and the Oracle Application Server Metadata Repository by setting several Oracle Net configuration parameters. For example, you can encrypt JDBC with the following sqlnet.ora parameters:

sqlnet.encryption_server=accepted
sqlnet.encryption_client=requested
sqlnet.encryption_types_server=(RC4_40)
sqlnet.encryption_types_client=(RC4_40)
sqlnet.crypto_seed ="-kdje83kkep39487dvmlqEPTbxxe70273"


See Also:

Oracle Database Advanced Security Administrator's Guide available on the Oracle Technology Network:
http://www.oracle.com/technology

Oracle HTTP Server Transport Servlet and OracleAS Integration B2B

OracleAS Integration B2B is integrated with the transport servlet of the Oracle HTTP Server to provide security for incoming messages of trading partners.

Messages sent from remote trading partners must first pass through the transport servlet of the Oracle HTTP Server that is automatically deployed after installation. The transport server receives and passes messages on to a remote method invocation (RMI) port and instance name to which the B2B server component of OracleAS Integration B2B listens. RMI functionality enables the different Java processes of the Oracle HTTP Server and the B2B server to interface. RMI also provides for scalability: you can configure one RMI to communicate with multiple B2B servers. The messages are then passed on to OracleAS Integration B2B.

Figure 20-1 shows Oracle HTTP Server and OracleAS Integration B2B configuration.

Figure 20-1 Oracle HTTP Server and OracleAS Integration B2B

Description of Figure 20-1  follows
Description of "Figure 20-1 Oracle HTTP Server and OracleAS Integration B2B"

The RMI port number and instance name to which the OracleAS Integration B2B listens are automatically configured with the same values in both the transport servlet's web.xml file and in the OracleAS Integration B2B server properties settings (accessible from the Oracle Enterprise Manager 10g Application Server Control Console). These values must be the same. If you change these values in one location, you must also change them to the same values in the other location.

This procedure is followed only for incoming messages from remote trading partners.

For security reasons, Oracle recommends that you install and configure an additional Oracle HTTP Server outside your corporate network to receive messages from remote trading partners and pass them onto the Oracle HTTP Server and OracleAS Integration B2B instances inside your corporate network. This additional Oracle HTTP Server hides the actual location of the host trading partner from all outside parties.


See Also:

  • Oracle Application Server Integration B2B Installation Guide for instructions on configuring an additional Oracle HTTP Server outside your corporate network

  • Oracle HTTP Server Administrator's Guide for additional transport servlet details

  • Oracle Enterprise Manager 10g Application Server Control Console online Help for instructions on setting RMI port and RMI instance name values

  • Oracle Application Server High Availability Guide for instructions on changing the RMI hostname value for high availability environments in which you have multiple OracleAS Integration B2B instances using the same Oracle Application Server Metadata Repository


Chapter Summary

This chapter describes the security provisions of OracleAS Integration B2B, including how to use the OracleAS Integration B2B user interface tool to configure digital envelopes, remote trading partner certificates, digital signatures, SSL, and host trading partner wallet passwords.