
Configuring SSL for BAM

Secure Socket Layer (SSL) protocol allows WebLogic Server and its clients to communicate over a secure connection. As Oracle BAM is a Java enterprise application running on WebLogic Server, it utilizes the WebLogic Server SSL configuration to enforce secure communications between BAM and its clients.

To configure SSL for BAM, you need to complete the following steps:

1. Prepare a server certificate.
2. Configure SSL for WebLogic Server.
3. Disable hostname verification (optional).
4. Enable SSL for BAM.
5. Enable SSL for ICommand.

Preparing a server certificate

To use SSL, an application server must have an associated certificate, which allows the client to authenticate the server during the SSL handshake. One popular tool that can be used to set up a digital certificate is keytool, a key and certificate management utility that ships with the Java SDK.

The following steps demonstrate how to use keytool to create a public-private key pair and a self-signed certificate for a principal:

1. Generate a key pair in the identity key store identity.jks.

    $JAVA_HOME/bin/keytool -genkey -alias <alias> -keyalg RSA -keypass <password> -keystore identity.jks -storepass <storepass> -validity 365

   Enter the server name, organizational unit, organization, locality, state, and country code when keytool prompts.

2. Export the self-signed certificate from the identity key store into the file bam.cer.

    $JAVA_HOME/bin/keytool -export -alias <alias> -file bam.cer -keystore identity.jks

3. Import the self-signed certificate into the trust store trust.jks.

    $JAVA_HOME/bin/keytool -import -alias <alias> -trustcacerts -file bam.cer -keystore trust.jks

To learn more about keytool, refer to the keytool documentation at the following URL: http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/key-tool.html

Configuring SSL for the WebLogic Server

Configuring SSL for the WebLogic Server can be done through the WebLogic Server Administration Console, and requires the keystores and truststores, which contain certificates and trusted CAs.

Note: The EM console that is used to manage BAM is running on the Administration Server, which also requires secure communications with the Managed Server over SSL. Therefore, it is important to set up SSL on both the Administration Server and the Managed Server for BAM. Otherwise, SSL connections cannot be initialized.

To enable SSL for the WebLogic Server, perform the following steps:

1. Log in to the WebLogic Server Administration Console.
2. In the Domain Structure page, navigate to Environment | Servers | <BAM_Server>. Note that <BAM_Server> is the name of the Managed Server for BAM, for example, bam_server1.
3. Click on the Configuration tab, and then click on the Keystores tab.
4. Click on Change, and then choose Custom Identity and Custom Trust from the list.
5. In the Keystores configuration page, enter the following information:
   • Custom Identity Keystore: Enter the full path of the identity store file (identity.jks)
   • Custom Identity Keystore Type: Enter jks
   • Custom Identity Keystore Passphrase: Enter the password for the key store
   • Confirm Custom Identity Keystore Passphrase: Enter the password again
   • Custom Trust Keystore: Enter the full path of the trust store file (trust.jks)
   • Custom Trust Keystore Type: Enter jks
   • Custom Trust Keystore Passphrase: Enter the password for the trust store
   • Confirm Custom Trust Keystore Passphrase: Enter the password again
6. Click on Save.
7. Click on the SSL tab, and enter the following information:
   • Private Key Alias: Enter the private key alias
   • Private Key Passphrase: Enter the private key password
   • Confirm Private Key Passphrase: Enter the password again
8. Click on Save.
9. Click the General tab and enter the following information:
   • SSL Listen Port Enabled: Check this option.
   • SSL Listen Port: Set the listen port for SSL. The default is 9002.
10. Click on Save.
11. Repeat steps 2 to 11 for configuring SSL on the Administration Server.
12. Restart the Administration Server and the Managed Server for BAM.

Disabling hostname verification (optional)

This step is only required if you have not set up the appropriate certificates to authenticate the different nodes with the Administration Server. For example, if you use the self-signed certificate, you have to disable hostname verification on both the Administration Server and the Managed Server for BAM.

Note: Disabling hostname verification is not recommended in production environments. This is only suggested for testing purposes. Hostname verification helps to prevent man-in-the-middle attacks.

Perform these steps to disable hostname verification:

1. Log in to the WebLogic Server Administration Console.
2. In the Domain Structure pane, navigate to Environment | Servers | <Admin_Server>. Note that <Admin_Server> is the name of the Administration Server.
3. Click on the Configuration tab, and then the SSL tab.
4. Click on Advanced.
5. Select None for the Hostname Verification field.
6. Click on Save.
7. Repeat steps 2 to 6 for the <BAM_Server>.

Enabling SSL for BAM

Internally, BAM uses RMI for communications between different components. By default, RMI communications in WebLogic Server use the t3 protocol, an optimized protocol for transporting data between the WebLogic Server components. For example, BAM Active Data Cache communicates with internal JMS topics using RMI through the t3 protocol. BAM web applications invoke BAM Active Data Cache APIs through RMI (t3) as well.

Note: To enable SSL for these internal communications, BAM introduces a parameter called BAMServerEnableSSO, which can only be manually configured in the BAMCommonConfig.xml file. With SSL enabled, the communication protocol becomes t3s.

To set up this parameter, add the following configuration in the <BAM_Domain>/config/fmwconfig/servers/<BAM_Server>/applications/oracle-bam_11.1.1/config/BAMCommonConfig.xml file, where <BAM_Domain> is the WebLogic domain name of the Managed Server for BAM, and <BAM_Server> is the name of the Managed Server.

    <BAMServerEnableSSO>true</BAMServerEnableSSO>

Note that you have to restart the Managed Server for BAM to make the change take effect.

Tip: Enabling SSL for BAM is not required if BAM is running on both SSL and non-SSL ports. However, if the SSL port is the only port enabled on the Managed Server for BAM, you have to enable SSL for BAM. Otherwise, the internal communication channel is broken.

Enabling SSL for ICommand

ICommand is a command-line utility that performs BAM operations, such as importing and exporting Data Objects. By default, ICommand interacts with BAM Active Data Cache through the t3 protocol. You can enable SSL for ICommand by setting its protocol to t3s.

To enable SSL for ICommand, set the following properties in the <Oracle_Home>/bam/config/BAMICommandConfig.xml file, where <Oracle_Home> is the home directory for SOA:

    <Communication_Protocol>t3s</Communication_Protocol>
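
An added example, not code from the book or from Oracle: a small Python audit that reads the two settings named above from BAMCommonConfig.xml and BAMICommandConfig.xml and applies the rules from the Tip and the hostname verification note. The sample XML, its root element names, and the function and parameter names are constructed for illustration; the listen-port state and hostname verification value are passed in as they appear in the console.

```python
import xml.etree.ElementTree as ET

# Constructed sample files. The root element names are assumptions; only the
# two setting elements are taken from the text above.
BAM_COMMON = "<BAMCommon><BAMServerEnableSSO>false</BAMServerEnableSSO></BAMCommon>"
ICOMMAND = "<BAMICommand><Communication_Protocol>t3</Communication_Protocol></BAMICommand>"


def read_setting(xml_text, tag):
    """Return the stripped text of the first <tag> in the document, or None."""
    root = ET.fromstring(xml_text)
    for elem in root.iter(tag):
        return (elem.text or "").strip()
    return None


def audit_bam_ssl(common_xml, icommand_xml, plain_port_enabled, hostname_verification):
    """Return a list of findings for one Managed Server for BAM."""
    findings = []
    # A missing element means the default applies: internal RMI over t3.
    internal_ssl = (read_setting(common_xml, "BAMServerEnableSSO") or "").lower() == "true"
    # ICommand defaults to t3 when no protocol is configured.
    protocol = (read_setting(icommand_xml, "Communication_Protocol") or "t3").lower()

    if not plain_port_enabled and not internal_ssl:
        findings.append("SSL-only server but BAMServerEnableSSO is not true: "
                        "internal communication channel is broken")
    if protocol != "t3s":
        if plain_port_enabled:
            findings.append("ICommand uses %s: traffic to Active Data Cache "
                            "is not encrypted" % protocol)
        else:
            findings.append("ICommand uses %s but only the SSL port is enabled: "
                            "it cannot connect" % protocol)
    if hostname_verification.strip().lower() == "none":
        findings.append("Hostname verification is None: testing only, "
                        "no man-in-the-middle protection")
    return findings


if __name__ == "__main__":
    for finding in audit_bam_ssl(BAM_COMMON, ICOMMAND, False, "None"):
        print("FINDING:", finding)
```
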

  
