Structure of Properties Files

6-62 Oracle Fusion Middleware Administrator's Guide

Example 4: Properties File with Ciphers for Oracle Virtual Directory

AuthenticationType=Server
Ciphers=SSL_RSA_WITH_RC4_128_MD5
SSLVersion=SSLv3,SSLv2Hello
KeyStore=ovdidentity.jks
TrustStore=ovdtrust.jks
SSLEnabled=true

This properties file contains:
■ Specific cipher value
■ SSL Version
■ Server authentication mode

7 Using the SSL Automation Tool

This chapter contains the following sections:
■ Introduction to the SSL Automation Tool
■ Prerequisites
■ Generating the CA Certificate
■ Configuring a Component Server
■ Configuring a Client
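The properties format shown in Example 4 above is simple enough that an administrator can check a file mechanically before enabling it. The following is an added example, not code from the Oracle guide or the SSL Automation Tool: it parses a file of that format and reports the protocol versions and cipher suite that Example 4 enables. The lists of weak versions and cipher markers are this example's own policy, not values taken from the documentation.

```python
"""Parse a key=value SSL properties file (the format of Example 4) and
report settings that weaken the configuration.  The policy lists below
are this example's own assumptions, not part of the Oracle guide."""

# Constructed sample: the Example 4 properties file from the text.
EXAMPLE4 = """\
AuthenticationType=Server
Ciphers=SSL_RSA_WITH_RC4_128_MD5
SSLVersion=SSLv3,SSLv2Hello
KeyStore=ovdidentity.jks
TrustStore=ovdtrust.jks
SSLEnabled=true
"""

# Protocol versions and cipher-suite name fragments that should not be enabled.
WEAK_VERSIONS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "_MD5", "_DES_", "NULL", "EXPORT", "anon")


def parse_properties(text):
    """Return a dict of key -> value; blank lines and #/! comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no '=' on the line: ignore rather than guess
        props[key.strip()] = value.strip()
    return props


def check_ssl_properties(props):
    """Return a list of findings (strings) for weak protocol and cipher settings."""
    findings = []
    if props.get("SSLEnabled", "").lower() != "true":
        findings.append("SSLEnabled is not true")
    versions = [v.strip() for v in props.get("SSLVersion", "").split(",") if v.strip()]
    for v in versions:
        if v in WEAK_VERSIONS:
            findings.append(f"weak protocol enabled: {v}")
    ciphers = [c.strip() for c in props.get("Ciphers", "").split(",") if c.strip()]
    for c in ciphers:
        if any(m in c for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite: {c}")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_properties(parse_properties(EXAMPLE4)):
        print(finding)
```

Run against Example 4 the check reports SSLv3, SSLv2Hello and the RC4/MD5 suite; a file with SSLVersion=TLSv1.2 and an AES suite produces no findings.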

7.1 Introduction to the SSL Automation Tool

The Oracle SSL Automation Tool enables you to configure multiple components in a domain using a domain-specific CA certificate. The task of enabling SSL in a deployment can be intimidating and cumbersome for administrators. Manual configuration of SSL generally requires an administrator to have some expertise in several areas, such as:
■ SSL as a technology
■ Low-level tools available to perform SSL configuration and administration
■ Best security practices

The Oracle SSL Automation Tool replaces manual procedures and simplifies SSL configuration. It enables you to generate a central, self-signed CA certificate, configure component servers with that certificate, and provide the CA certificate as a trusted certificate to multiple clients. It ensures that a network of trust is established in a consistent manner on all clients and servers, and can be used both for outward-facing connections and for connections within the DMZ.

The SSL Automation Tool is based on a trust model that introduces the concept of SSL Domains. An SSL Domain is the security environment in which all the SSL components are deployed with certificates signed by the same CA. Each SSL Domain has a self-signed Domain CA associated with it, and all components within the SSL Domain implicitly trust that Domain CA. The Domain CA can also generate SSL server certificates for the server components deployed within the SSL Domain. If the server components in one SSL Domain A need to be trusted by a client component in another SSL Domain B, only the Domain CA certificate from A needs to be imported and trusted by the client component in SSL Domain B.

The tool consists of a series of shell scripts: three main SSL scripts and several component-specific scripts. Table 7–1 lists the main scripts.
The server and client configuration scripts invoke component-specific scripts, depending on the value of an option that you specify on the command line when you invoke the main script.

The scripts use the LDAP Policy Store present in a deployment to centrally store the SSL Domain CA wallets. These SSL Domain CA wallets are protected by LDAP access controls, with access granted only to members of the SSL Administrators group. You must be a member of that group to run the scripts.

The SSL Automation Tool provides the following benefits:
■ It provides a consistent set of interfaces for consumption by administrators.
■ It removes the propagation of self-signed certificates and reduces the number of relevant trust points, which are now limited to SSL Domain CAs.
■ It ensures that only properly authorized SSL Administrators are allowed to perform SSL-related administrative tasks.
■ It allows support for additional components to be added incrementally without the need for fundamental change.

7.2 Prerequisites

Before you attempt to use this tool, ensure that you have performed the tasks described in this section.

7.2.1 Setting up Oracle Fusion Middleware Environment

All the components of your Oracle Fusion Middleware environment must be up and running before you invoke the scripts to configure SSL on those components.

If your components are running on Windows platforms, you must obtain and install Cygwin from http://www.cygwin.com before you can use the scripts. Set the ORACLE_HOME environment variable in the Cygwin shell. For example:

export ORACLE_HOME=C:\rc8\fmwhome\Oracle_Home

7.2.2 Assembling Required Information

Make sure you have the values of the variables listed in Table 7–2 and Table 7–3 available before you invoke the SSL scripts.

Table 7–1 Main Scripts
Script              Function
SSLGenCA.sh         Generates the CA certificate and stores it in an LDAP directory
SSLServerConfig.sh  Configures the servers
SSLClientConfig.sh  Configures the clients

Table 7–2 Domain-Level Information Variables for SSL Automation Tool
Variable
HOSTNAME
ORACLE_HOME         Fusion Middleware
ORACLE_COMMON