
10-24 Oracle Complex Event Processing Administrator's Guide

10.6 Configuring FIPS for Oracle CEP Server

You can configure Oracle CEP server to use a Federal Information Processing Standards (FIPS)-certified pseudo-random number generator. For more information, see Section 10.1.5, "FIPS".

To configure FIPS for Oracle CEP server:

1. Configure Java SE security. See Section 10.2, "Configuring Java SE Security for Oracle CEP Server".

2. Configure SSL. See Section 10.5, "Configuring SSL to Secure Network Traffic".

3. Copy com.bea.core.jsafejcefips_version.jar:
   ■ From: ORACLE_CEP_HOME\ocep_11.1\utils\security
   ■ To: JRE_HOME\jre\lib\ext
   Where ORACLE_CEP_HOME refers to the directory in which you installed Oracle CEP and JRE_HOME refers to the directory that contains your JRockit JRE:
   a. If using the JRockit JDK installed with Oracle JRockit Real Time, copy com.bea.core.jsafejcefips_version.jar into the JROCKIT_HOME\JROCKIT_RT_HOME\jre\lib\ext directory, where JROCKIT_HOME is the directory in which you installed Oracle JRockit Real Time, such as d:\jrockit.
   b. If using the JRockit JDK installed with Oracle CEP, copy com.bea.core.jsafejcefips_version.jar into the ORACLE_CEP_HOME\JROCKIT_HOME\jre\lib\ext directory, where ORACLE_CEP_HOME is the directory in which you installed Oracle CEP server, such as d:\oracle_cep.

4. Stop the Oracle CEP server, if it is currently running. See Section 1.5.4, "Starting and Stopping Oracle CEP Servers".

5. Edit the JRE_HOME\jre\lib\security\java.security file to add com.bea.core.jsafejcefips_2.0.0.0.jar as a JCE provider, as Example 10–8 shows.

   Example 10–8 Editing java.security to Add jsafejcefips JAR as a JCE Provider

       security.provider.N=com.rsa.jsafe.provider.JsafeJCE

   Where N is a unique integer that specifies the order in which Java searches security providers when a caller does not name one. To make the JsafeJCE provider the default provider, set N to 1. In this case, change the value of N for every other provider in the java.security file so that each provider has a unique number, as Example 10–9 shows.

   Example 10–9 Making JsafeJCE the Default Provider

       security.provider.1=com.rsa.jsafe.provider.JsafeJCE
       security.provider.2=sun.security.provider.Sun

6. Edit the server.config file ssl element, as Example 10–10 shows, to add the following child elements:
   ■ enforce-fips: set this option to true.
   ■ secure-random-algorithm: set this option to FIPS186PRNG.
   ■ secure-random-provider: set this option to JsafeJCE.

   Example 10–10 Editing server.config to Enable FIPS

       <ssl>
           <name>sslConfig</name>
           <key-store>./ssl/evsidentity.jks</key-store>
           <key-store-pass>
               <password>s4YUEvH4Wl2DAjb45iJnrw==</password>
           </key-store-pass>
           <key-store-alias>evsidentity</key-store-alias>
           <key-manager-algorithm>SunX509</key-manager-algorithm>
           <ssl-protocol>TLS</ssl-protocol>
           <enforce-fips>true</enforce-fips>
           <need-client-auth>false</need-client-auth>
           <secure-random-algorithm>FIPS186PRNG</secure-random-algorithm>
           <secure-random-provider>JsafeJCE</secure-random-provider>
       </ssl>

7. Restart the Oracle CEP server for the changes to take effect. See Section 1.5.4, "Starting and Stopping Oracle CEP Servers".
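Steps 5 and 6 are easy to get subtly wrong: a provider number left duplicated after inserting JsafeJCE at position 1, or an enforce-fips element that never made it into the ssl element. The following script is an added example, not part of the Oracle CEP documentation or product; it checks a java.security provider list and a server.config ssl element against the values the steps above require. The sample inputs are constructed from Examples 10–9 and 10–10 (the key store password is left out), and the duplicate-number sample is a hypothetical mistake, not something the guide shows.

```python
"""Checks for Section 10.6 step 5 (java.security) and step 6 (<ssl> in server.config).
All inputs below are constructed samples; nothing here reads a real install."""
import re
import xml.etree.ElementTree as ET

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")
FIPS_PROVIDER_CLASS = "com.rsa.jsafe.provider.JsafeJCE"

# Child elements of <ssl> that step 6 requires, with the values it requires.
REQUIRED_FIPS_SSL = {
    "enforce-fips": "true",
    "secure-random-algorithm": "FIPS186PRNG",
    "secure-random-provider": "JsafeJCE",
}


def parse_providers(java_security_text):
    """Return [(N, class)] for every security.provider.N= line, in file order."""
    entries = []
    for line in java_security_text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_providers(entries, require_default=True):
    """Return a list of problems ([] means sound). With require_default=True the
    JsafeJCE class must be provider 1, as in Example 10-9."""
    if not entries:
        return ["no security.provider.N entries found"]
    problems = []
    numbers = [n for n, _ in entries]
    dupes = sorted({n for n in numbers if numbers.count(n) > 1})
    if dupes:
        # java.security is loaded as java.util.Properties, so of two lines with
        # the same key only the later one survives: a provider is lost silently.
        problems.append(f"duplicate security.provider numbers: {dupes}")
    distinct = sorted(set(numbers))
    if distinct != list(range(1, len(distinct) + 1)):
        problems.append(f"provider numbers are not contiguous from 1: {distinct}")
    fips_positions = [n for n, cls in entries if cls == FIPS_PROVIDER_CLASS]
    if not fips_positions:
        problems.append(f"{FIPS_PROVIDER_CLASS} is not registered")
    elif require_default and fips_positions != [1]:
        problems.append(f"{FIPS_PROVIDER_CLASS} is at position {fips_positions}, not 1")
    return problems


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name) so a namespaced file also works."""
    return tag.rsplit("}", 1)[-1]


def check_ssl_element(server_config_xml):
    """Compare the <ssl> element against REQUIRED_FIPS_SSL; [] means compliant."""
    root = ET.fromstring(server_config_xml)
    ssl = next((e for e in root.iter() if _local(e.tag) == "ssl"), None)
    if ssl is None:
        return ["no <ssl> element found"]
    present = {_local(c.tag): (c.text or "").strip() for c in ssl}
    return [f"<{tag}> is {present.get(tag)!r}, expected {want!r}"
            for tag, want in REQUIRED_FIPS_SSL.items() if present.get(tag) != want]


# Constructed samples: Example 10-9, JsafeJCE registered but not default, and the
# hypothetical mistake of adding provider 1 without renumbering the old provider 1.
JAVA_SECURITY_OK = """\
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=sun.security.provider.Sun
"""
JAVA_SECURITY_NOT_DEFAULT = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=com.rsa.jsafe.provider.JsafeJCE
"""
JAVA_SECURITY_DUPLICATE = """\
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.1=sun.security.provider.Sun
"""
# The <ssl> element of Example 10-10 with the key store password left out.
SERVER_CONFIG_SSL = """\
<ssl>
  <name>sslConfig</name>
  <key-store>./ssl/evsidentity.jks</key-store>
  <key-store-alias>evsidentity</key-store-alias>
  <key-manager-algorithm>SunX509</key-manager-algorithm>
  <ssl-protocol>TLS</ssl-protocol>
  <enforce-fips>true</enforce-fips>
  <need-client-auth>false</need-client-auth>
  <secure-random-algorithm>FIPS186PRNG</secure-random-algorithm>
  <secure-random-provider>JsafeJCE</secure-random-provider>
</ssl>
"""
# Same element with enforce-fips left off, the setting step 6 says to turn on.
SERVER_CONFIG_SSL_NO_FIPS = SERVER_CONFIG_SSL.replace(
    "<enforce-fips>true</enforce-fips>", "<enforce-fips>false</enforce-fips>")

if __name__ == "__main__":
    for label, text in [("ok", JAVA_SECURITY_OK), ("not default", JAVA_SECURITY_NOT_DEFAULT),
                        ("duplicate", JAVA_SECURITY_DUPLICATE)]:
        print(f"java.security [{label}]:", check_providers(parse_providers(text)) or "sound")
    print("<ssl>:", check_ssl_element(SERVER_CONFIG_SSL) or "compliant")
    print("<ssl> without FIPS:", check_ssl_element(SERVER_CONFIG_SSL_NO_FIPS))
```

Run it against the real files by reading JRE_HOME\jre\lib\security\java.security and server.config into the two check functions; the checks are static, so they confirm the edits but not that the JsafeJCE JAR actually loads, which only a restart of the server shows.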

10.7 Configuring HTTPS-Only Connections for Oracle CEP Server

This section describes how to lock down the server so that only HTTPS connections are allowed.

To configure HTTPS-only connections for Oracle CEP server:

1. Ensure that SSL is configured for the server. See Section 10.5, "Configuring SSL to Secure Network Traffic" for details.

2. Remove the HTTP port configuration from the server's DOMAIN_DIR\servername\config\config.xml file, leaving only the configuration for the HTTPS port.

   Example 10–11 shows a config.xml snippet with a standard configuration in which both an HTTP and an HTTPS port have been configured. The HTTP port is 9002 and the HTTPS port is 9003. Clients can access the Jetty server using either port.

   Example 10–11 Typical config.xml File With Both HTTP and HTTPS Access

       <netio>
           <name>NetIO</name>
           <port>9002</port>
       </netio>
       <netio>
           <name>sslNetIo</name>
           <port>9003</port>
           <ssl-config-bean-name>sslConfig</ssl-config-bean-name>
       </netio>
       <jetty>
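A netio element that carries no ssl-config-bean-name is a cleartext listener, which is exactly what step 2 removes. The script below is an added example, not part of the Oracle CEP documentation or product; it lists every netio listener in a config.xml and reports the ones that are not SSL-backed, so the result of step 2 can be checked before the server is restarted. The samples are constructed from the two listeners in Example 10–11, wrapped in a placeholder config root element because the example on this page is truncated after the opening jetty element.

```python
"""Audit the netio listeners of a config.xml for Section 10.7: any <netio> without
<ssl-config-bean-name> still accepts cleartext HTTP. Samples are constructed."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name) so a namespaced file also works."""
    return tag.rsplit("}", 1)[-1]


def listeners(config_xml):
    """Return one dict per <netio>: its name, port and whether it is SSL-backed."""
    root = ET.fromstring(config_xml)
    result = []
    for netio in root.iter():
        if _local(netio.tag) != "netio":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in netio}
        result.append({
            "name": fields.get("name"),
            "port": fields.get("port"),
            # Only a listener bound to an ssl config bean speaks HTTPS.
            "ssl": bool(fields.get("ssl-config-bean-name")),
        })
    return result


def plaintext_listeners(config_xml):
    """(name, port) of every listener that still accepts cleartext HTTP."""
    return [(l["name"], l["port"]) for l in listeners(config_xml) if not l["ssl"]]


def https_only(config_xml):
    """True only if at least one listener exists and every listener is SSL-backed."""
    ls = listeners(config_xml)
    return bool(ls) and all(l["ssl"] for l in ls)


# Constructed: the two listeners of Example 10-11 inside a placeholder root.
BOTH_PORTS = """\
<config>
  <netio>
    <name>NetIO</name>
    <port>9002</port>
  </netio>
  <netio>
    <name>sslNetIo</name>
    <port>9003</port>
    <ssl-config-bean-name>sslConfig</ssl-config-bean-name>
  </netio>
</config>
"""
# Constructed: the same file after step 2, with the HTTP <netio> removed.
HTTPS_ONLY = """\
<config>
  <netio>
    <name>sslNetIo</name>
    <port>9003</port>
    <ssl-config-bean-name>sslConfig</ssl-config-bean-name>
  </netio>
</config>
"""

if __name__ == "__main__":
    print("before step 2:", plaintext_listeners(BOTH_PORTS), "https-only:", https_only(BOTH_PORTS))
    print("after step 2: ", plaintext_listeners(HTTPS_ONLY), "https-only:", https_only(HTTPS_ONLY))
```

Point the functions at DOMAIN_DIR\servername\config\config.xml to audit a real domain; an empty result from plaintext_listeners together with https_only returning True is the state step 2 is meant to reach.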