Tips and Tricks for hardening Oracle Fusion Middleware - Jacco Landlust & Simon Haslam

This presentation was given during the Oracle OpenWorld Preview session at AMIS &



  1. Tips and Tricks for hardening Oracle Fusion Middleware, a presentation by Jacco Landlust & Simon Haslam (Wednesday 3 October 2012)
     Agenda (shown as a sidebar on every slide): Introduction, Architecture, Separate binaries from config, Firewall, Personal Accounts, Nodemanager, SSL, Domain Wide Administration Port, Database Auditing
  2. Jacco H. Landlust
     • 35 years old
     • Deventer, the Netherlands
     • Lives together with Margot, 2 daughters (Franka & Jules) and our cat
  3. Jacco H. Landlust / iDBA
     • Independent Red Stack Administrator
     • Oracle since 2000
     • Oracle ACE since 2006
     • iDBA since 2010
     • Architecture, Clustering, High Availability, Performance & Management
  4. Simon Haslam
     • Over 35 years old
     • Sherborne, UK
  5. Simon Haslam
     • Oracle since 1996 (UNIX since 1989)
     • Founded Veriton in 1996
     • Oracle ACE Director since 2009
     • Chair of the UKOUG Application Server & Middleware SIG
     • Architecture, Design, Installation
     • http://simonhaslam.co.uk
  6. Why present together?
     • Lone wolf pack
     • We just like to talk, share ideas and discuss Oracle Fusion Middleware administrator topics
     • Oracle Infrastructure Administrators Group
  7. Prerequisites & Disclaimer
     • This is a technical presentation
     • Background knowledge about middleware is assumed
     • Best practices of our (limited) experience
     • We do not work for Oracle / represent Oracle
     • We do not pretend this list is complete
     • We are not ‘native’ American speakers
  8. Tips and Tricks for hardening Oracle Fusion Middleware (section slide)
  9. Whatever you do
     • Run on “current” versions
     • Monitor for critical patches by Oracle
     • Apply PSUs / CPUs
  10. Architecture
     • Decide upon definitions in your team
     • Document your train of thought
     • We love pictures
     • Segregation of environments (DTAP)
     • Start with security measures in DEV
     • Use SSL wherever you can
  11. Architecture
     • Separate system components from Java components
     • Separate directories
     • Separate binaries from configuration
     • Separate AdminServer from Managed Servers
     • Standardize & automate as much as possible
  12. Architecture
     • Tiered architecture
     • Think about access to components:
       • from where?
       • to what?
       • by whom?
  13. Architecture (diagram slide, no text)
  14. (diagram slide, no text)
  15. Separate binaries from configuration
     • No chance of the runtime user altering binaries
     • The runtime user's secondary group is the primary group of the binary owner
     • Need to fix privileges on some files / directories
     • One nodemanager per runtime user
  16. Caveats
     • One nodemanager per runtime user
     • The startup binary of the system owner needs to be owned by the runtime user
     • Different layered products have different requirements
  17. Fix Privileges (run as the binary owner with MW_HOME and DOMUSR set)
     # let the runtime user's group traverse and read the whole middleware home
     find ${MW_HOME} -type d -exec chmod g+rx {} \;
     find ${MW_HOME} -type f -exec chmod g+r {} \;
     # the few places the runtime user must be able to write
     chmod g+w ${MW_HOME}/logs
     touch ${MW_HOME}/domain-registry.xml
     chmod g+w ${MW_HOME}/domain-registry.xml
     touch ${MW_HOME}/wlserver_10.3/common/nodemanager/nodemanager.domains
     chmod g+w ${MW_HOME}/wlserver_10.3/common/nodemanager/nodemanager.domains
     chmod g+w ${MW_HOME}/wlserver_10.3/server/lib
     chmod g+w ${MW_HOME}/wlserver_10.3/server/lib/*.jks
     chmod g+w ${MW_HOME}/oracle_common/sysman
     # hidden javacache configuration and keystore files the runtime user reads
     chmod g+r ${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.sslConfig
     chmod g+r ${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.joc_demo_keystore.jks
     chmod g+r ${MW_HOME}/oracle_common/modules/oracle.javacache_11.1.1/server_config/.KEYSTORE
     # executables the runtime user has to run
     find ${MW_HOME} -name perl -exec chmod g+rx {} \;
     find ${MW_HOME} -name emagent -exec chmod g+rx {} \;
     find ${MW_HOME} -name emctl -exec chmod g+rx {} \;
     find ${MW_HOME} -name emdctl -exec chmod g+rx {} \;
     # OHS: the real control binary is setuid root, the wrapper belongs to the runtime user
     chown root ${MW_HOME}/Oracle_WT1/ohs/bin/.apachectl
     chmod 6750 ${MW_HOME}/Oracle_WT1/ohs/bin/.apachectl
     chown ${DOMUSR} ${MW_HOME}/Oracle_WT1/ohs/bin/apachectl
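An added audit script, not from the presentation, that checks the outcome of the privilege fix on slide 17: it walks a middleware home and reports anything group-writable outside the paths the slide opens up, anything world-writable, and setuid binaries other than OHS's .apachectl. The allow list and the throw-away demo tree are assumptions constructed for this example.

```python
import os
import stat
import tempfile

# Relative paths slide 17 deliberately makes group-writable (assumed list,
# reconstructed from the chmod g+w lines on the slide).
ALLOWED_GROUP_WRITABLE = {
    "logs",
    "domain-registry.xml",
    "wlserver_10.3/common/nodemanager/nodemanager.domains",
    "wlserver_10.3/server/lib",
    "oracle_common/sysman",
}


def _group_write_allowed(rel, allowed):
    if rel in allowed:
        return True
    # assumption: files the runtime user writes under logs/ are its own
    if rel.startswith("logs/"):
        return True
    # slide 17 also does chmod g+w on wlserver_10.3/server/lib/*.jks
    return rel.startswith("wlserver_10.3/server/lib/") and rel.endswith(".jks")


def audit_mw_home(mw_home, allowed=ALLOWED_GROUP_WRITABLE):
    """Return sorted (relative_path, reason) findings for a middleware home."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(mw_home):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, mw_home)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # permissions live on the link target
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & stat.S_IWGRP and not _group_write_allowed(rel, allowed):
                findings.append((rel, "group-writable outside the allow list"))
            if (stat.S_ISREG(mode) and mode & stat.S_ISUID
                    and not rel.endswith("ohs/bin/.apachectl")):
                findings.append((rel, "unexpected setuid binary"))
    return sorted(findings)


def build_demo_tree():
    """Construct a temporary tree (not a real MW_HOME) with good and bad states."""
    root = tempfile.mkdtemp(prefix="mw_home_")
    layout = {
        "logs/server.log": 0o660,                        # allowed
        "domain-registry.xml": 0o660,                     # allowed
        "wlserver_10.3/server/lib/DemoTrust.jks": 0o660,  # allowed (*.jks)
        "oracle_common/modules/example.jar": 0o664,       # finding: group could swap a jar
        "Oracle_WT1/ohs/bin/.apachectl": 0o4750,          # expected setuid, not reported
        "Oracle_WT1/ohs/bin/setuid_tool": 0o4750,         # finding: stray setuid binary
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for path, reason in audit_mw_home(build_demo_tree()):
        print("%-45s %s" % (path, reason))
```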
  18. Firewall
     http://en.wikipedia.org/wiki/Firewall_(computing)
     A firewall's primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. A network's firewall builds a bridge between an internal network that is assumed to be secure and trusted, and another network, usually an external (inter)network, such as the Internet, that is not assumed to be secure and trusted.
  19. Network Connection Filter
     • Connection filters let you deny access at the network level
     • Network connection filters are a type of firewall in that they can be configured to filter on protocols, IP addresses, and DNS node names
     • Careful: rules are domain wide
  20. Connection Filter Rules Syntax
     • Each rule must be written on a single line.
     • Tokens in a rule are separated by white space.
     • A pound sign (#) is the comment character. Everything after a pound sign on a line is ignored.
     • Whitespace before or after a rule is ignored.
     • When entering the filter rules on the Administration Console, enter them in the following format: target localAddress localPort action protocols
     • If no protocol is defined, all protocols will match a rule
     • The rules are evaluated in the order in which they were written
  21. Setup filter to block all non-http traffic
     127.0.0.1 * 7001 allow
     192.168.56.101 * 7001 allow
     0.0.0.0/0 * 7001 allow http
     0.0.0.0/0 * 7001 deny
  22–26. Setup filter to block all non-http traffic (Administration Console screenshots, no text)
  27–29. Setup filter to block all non-http traffic: configure weblogic.security.net.ConnectionFilterImpl as the connection filter (screenshots)
  30. Setup filter to block all non-http traffic, the resulting log entry for a rejected connection:
     <29-sep-2012 11:58:00 uur CEST> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=192.168.56.1,port=49182,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>
  31. Setup filter to block all non-http traffic (rule 4 is the final deny)
     127.0.0.1 * 7001 allow
     192.168.56.101 * 7001 allow
     0.0.0.0/0 * 7001 allow http
     0.0.0.0/0 * 7001 deny
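An added evaluator, not from the presentation, for the rule syntax of slide 20 applied to the rule set of slides 21 and 31: it parses the rules, walks them in order and reports which rule decides a connection, reproducing the "rule 4" in the slide 30 log entry. It handles IP and CIDR targets only (DNS node names are left out), and the behaviour for a connection matching no rule is an assumption stated in the code.

```python
import ipaddress

# Rules from slides 21 and 31 (the comment line is constructed for the example)
SLIDE_RULES = """
# target localAddress localPort action [protocols]
127.0.0.1 * 7001 allow
192.168.56.101 * 7001 allow
0.0.0.0/0 * 7001 allow http
0.0.0.0/0 * 7001 deny
"""


def parse_rules(text):
    """Parse rules as described on slide 20: one rule per line, '#' starts a
    comment, tokens split on whitespace, surrounding whitespace ignored.
    Only IP or CIDR targets are supported here (assumption of this example)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 4:
            raise ValueError("rule needs at least 4 tokens: %r" % line)
        target, local_addr, local_port, action = tokens[:4]
        if action not in ("allow", "deny"):
            raise ValueError("action must be allow or deny: %r" % line)
        rules.append({
            "number": len(rules) + 1,
            "target": ipaddress.ip_network(target, strict=False),
            "local_addr": None if local_addr == "*" else ipaddress.ip_address(local_addr),
            "local_port": None if local_port == "*" else int(local_port),
            "action": action,
            "protocols": {p.lower() for p in tokens[4:]},  # empty = all protocols
        })
    return rules


def evaluate(rules, remote_ip, local_ip, local_port, protocol):
    """Return (action, rule_number) of the first rule that matches.

    Assumption: a connection that matches no rule at all is allowed, which is
    why every listen port you care about needs rules of its own."""
    remote = ipaddress.ip_address(remote_ip)
    local = ipaddress.ip_address(local_ip)
    for rule in rules:
        if remote not in rule["target"]:
            continue
        if rule["local_addr"] is not None and local != rule["local_addr"]:
            continue
        if rule["local_port"] is not None and local_port != rule["local_port"]:
            continue
        if rule["protocols"] and protocol.lower() not in rule["protocols"]:
            continue
        return rule["action"], rule["number"]
    return "allow", None


if __name__ == "__main__":
    rules = parse_rules(SLIDE_RULES)
    # the connection from the slide 30 log line, assuming it spoke t3
    print(evaluate(rules, "192.168.56.1", "192.168.56.101", 7001, "t3"))
```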
  32. Personal Accounts
     • Trace administrative actions to a human
     • Authentication providers
     • Identity assertion authentication provider
     • JAAS control flags
     • Order of providers matters
     • Most FMW layered products only find group memberships (and groups) for the first provider
  33. Role Based Privileges
     • For WebLogic, configured in /console
     • For most Fusion Middleware applications, configured in /em
     • Policy store provider in OID or Database
  34. SQL Based Authentication Provider
     CREATE TABLE USERS (
       U_NAME VARCHAR(200) NOT NULL,
       U_PASSWORD VARCHAR(50) NOT NULL,
       U_DESCRIPTION VARCHAR(1000),
       CONSTRAINT PK_USERS PRIMARY KEY (U_NAME));
     CREATE TABLE GROUPS (
       G_NAME VARCHAR(200) NOT NULL,
       G_DESCRIPTION VARCHAR(1000) NULL,
       CONSTRAINT PK_GROUPS PRIMARY KEY (G_NAME));
  35. SQL Based Authentication Provider
     CREATE TABLE GROUPMEMBERS (
       G_NAME VARCHAR(200) NOT NULL,
       G_MEMBER VARCHAR(200) NOT NULL,
       CONSTRAINT PK_GROUPMEMBERS PRIMARY KEY (G_NAME, G_MEMBER),
       CONSTRAINT FK1_GROUPMEMBERS FOREIGN KEY (G_NAME) REFERENCES GROUPS (G_NAME) ON DELETE CASCADE,
       CONSTRAINT FK2_GROUPMEMBERS FOREIGN KEY (G_MEMBER) REFERENCES USERS (U_NAME) ON DELETE CASCADE);
  36. SQL Based Authentication Provider
     insert into USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) values ('jacco', 'Welcome01', 'admin user');
     insert into GROUPS (G_NAME, G_DESCRIPTION) values ('Administrators', 'Administrators');
     insert into GROUPMEMBERS (G_NAME, G_MEMBER) values ('Administrators', 'jacco');
  37–70. SQL Based Authentication Provider (Administration Console screenshots of the provider configuration, no text)
  71. Nodemanager
     • Always use secureListener=true
     • Setup credentials to a custom user
     • Store and protect credentials in keyfiles
     • Never use demo certificates (in production)
  72. Secure Sockets Layer / Transport Layer Security
     • TLS and its predecessor SSL are cryptographic protocols
     • The TLS protocol allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering.
  73. How does it work?
     1. The client sends the server the client's SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL.
     2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client's certificate.
     3. The client uses the information sent by the server to authenticate the server (see Server Authentication for details). If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to step 4.
     4. Using all data generated in the handshake thus far, the client (with the cooperation of the server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the encrypted pre-master secret to the server.
     5. If the server has requested client authentication (an optional step in the handshake), the client also signs another piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends both the signed data and the client's own certificate to the server along with the encrypted pre-master secret.
  74. How does it work?
     6. If the server has requested client authentication, the server attempts to authenticate the client (see Client Authentication for details). If the client cannot be authenticated, the session ends. If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret.
     7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection).
     8. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.
     9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.
     source: http://en.wikipedia.org/wiki/Secure_Sockets_Layer
  75. Key Information
     • Identity store: information to uniquely and securely identify yourself
     • Truststore: knowledge of whom to trust
  76. Different Components, Different Keystores
     • All Java components use Java key stores (by default)
     • All system components use Oracle Wallets
     • Most system components need auto-login wallets
     • Default CAs are stored with the JRE
  77. When using WLST
     • -Dweblogic.security.SSL.trustedCAKeyStore=/path/to/truststore.jks
     • Setup WLST_PROPERTIES in ${MW_HOME}/wlserver_10.3/common/bin/wlst.sh
     • Preferably create a wrapper script outside of your middleware home
  78. Nodemanager
     • Setup in nodemanager.properties:
       KeyStores=CustomIdentityAndCustomTrust
       CustomIdentityKeyStoreFileName=identity.jks
       CustomIdentityKeyStorePassPhrase=Welcome01
       CustomIdentityAlias=oow12demo.area51.local
       CustomIdentityPrivateKeyPassPhrase=Welcome01
       CustomTrustKeyStoreFileName=truststore.jks
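An added checker, not from the presentation, for the Node Manager advice on slides 71 and 78: it reads a nodemanager.properties file and flags a plain-text listener, demo keystores, and a custom keystore setup that is missing one of the entries slide 78 lists. The weak configuration is constructed for the example, the hardened one is slide 78 plus SecureListener=true, and the defaults assumed for absent keys are marked in the code.

```python
# Constructed example of the configuration the slides warn against
WEAK_NM_PROPERTIES = """
SecureListener=false
KeyStores=DemoIdentityAndDemoTrust
ListenPort=5556
"""

# Slide 78 plus SecureListener=true from slide 71
HARDENED_NM_PROPERTIES = """
SecureListener=true
KeyStores=CustomIdentityAndCustomTrust
CustomIdentityKeyStoreFileName=identity.jks
CustomIdentityKeyStorePassPhrase=Welcome01
CustomIdentityAlias=oow12demo.area51.local
CustomIdentityPrivateKeyPassPhrase=Welcome01
CustomTrustKeyStoreFileName=truststore.jks
ListenPort=5556
"""

# Entries slide 78 shows for a custom identity and custom trust setup
CUSTOM_KEYSTORE_ENTRIES = (
    "CustomIdentityKeyStoreFileName",
    "CustomIdentityAlias",
    "CustomTrustKeyStoreFileName",
)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_nodemanager(props):
    """Return a list of findings against the Node Manager advice on the slides."""
    findings = []
    lower = {k.lower(): v for k, v in props.items()}
    # assumption: Node Manager defaults to SecureListener=true when the key is absent
    if lower.get("securelistener", "true").lower() != "true":
        findings.append("SecureListener is not true: Node Manager listens in plain text")
    # assumption: Node Manager defaults to the demo keystores when KeyStores is absent
    keystores = lower.get("keystores", "DemoIdentityAndDemoTrust")
    if "demo" in keystores.lower():
        findings.append("KeyStores=%s: demo certificates in use" % keystores)
    if keystores == "CustomIdentityAndCustomTrust":
        for entry in CUSTOM_KEYSTORE_ENTRIES:
            if entry.lower() not in lower:
                findings.append("%s is missing for a custom identity and trust setup" % entry)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_NM_PROPERTIES), ("hardened", HARDENED_NM_PROPERTIES)):
        print(label, check_nodemanager(parse_properties(text)))
```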
  79. WebLogic Servers
     • Change the keystore type to Custom Identity (and Custom Trust)
     • Configure Identity Keystore
     • Configure Trust Keystore (if custom)
     • Configure Private key (whoami)
     • No disabling of hostname verification
     • 2 way SSL
  80. Layered Products
     • Most can be configured from Enterprise Manager (you must have the administrator role!)
     • Credential Maps are all stored in an Oracle Wallet
     • Setup SSL in mod_wl_ohs.conf to encrypt traffic between OHS and WLS
  81. Domain Wide Administration Port
     • You can separate administration traffic from application traffic in your domain
     • Run administrative actions on separate threads from application threads
     • You can start a server in standby state
     • Since communication uses SSL, administration traffic (which includes such things as administrator passwords) is more secure
  82. Caveats
     • All servers in your domain must be configured with support for the SSL protocol
     • Port conflicts: override per managed server
     • Inter-layered product communication usually runs over user weblogic / a user with the administrator role
     • Registering system components can be difficult / you cannot use the standard config.sh GUIs
  83–86. Domain Wide Administration Port (Administration Console screenshots, no text)
