Configuring Security for Oracle CEP 10-19
By default, the password for the certificate private key will be the same as the password for the identity keystore.
The evsidentity.jks contains a self-signed certificate. Optionally, create your own certificate file and either replace the evsidentity.jks file, or update the key-store element in the config.xml file.
For more information on creating a key-store yourself, see Section 10.5.2, How to Create a Key-Store Manually.
For more information on the enforce-fips element, see Section 10.6, Configuring FIPS for Oracle CEP Server.
4. Configure a netio element for SSL. Example 10–5 shows the default netio element the Configuration Wizard creates.

Example 10–5 Default netio Element
<netio>
    <name>sslNetIo</name>
    <ssl-config-bean-name>sslConfig</ssl-config-bean-name>
    <port>9003</port>
</netio>

The ssl-config-bean-name must match the ssl element name child element (see step 3). Optionally, change this port to a port number that suits your needs. The default secure port is 9003.
5. Configure the jetty element to add a secure-network-io-name child element. Example 10–6 shows the default jetty element the Configuration Wizard creates.

Example 10–6 Default jetty Element
<jetty>
    <name>JettyServer</name>
    <network-io-name>NetIO</network-io-name>
    <work-manager-name>JettyWorkManager</work-manager-name>
    <secure-network-io-name>sslNetIo</secure-network-io-name>
</jetty>

The secure-network-io-name must match the SSL netio element name child element (see step 4).
6. Save and close the config.xml file.
7. Restart the Oracle CEP server if running. See Section 1.5.4, Starting and Stopping Oracle CEP Servers.
Note: The Oracle CEP Server will not start unless the password for the certificate private key is the same as the password for the identity keystore.
Note: In a production environment, the system administrator should replace the default self-signed certificate with a CA signed certificate.
10-20 Oracle Complex Event Processing Administrators Guide
10.5.2 How to Create a Key-Store Manually
By default, the Configuration Wizard creates a default key-store certificate file, called evsidentity.jks, in the DOMAIN_DIR\servername\ssl directory; its password is the same as that entered when creating a server with the Configuration Wizard. Optionally, you can manually create your own key-store.
For more information, see:
■ Section 3.1.1, Creating an Oracle CEP Standalone-Server Domain Using the Configuration Wizard in Graphical Mode
■ Section 10.5.1, How to Configure SSL Manually
To create a key-store manually:
1. Use the JDK keytool command to generate a key-store:
   keytool -genkey -alias evsidentity -keyalg RSA -validity 10958 -keystore evsidentity.jks -keysize 1024
2. Enter the key-store password, as prompted:
   Enter keystore password:
3. Enter the key-store attributes, as prompted:
   What is your first and last name?
     [Unknown]: CEP
   What is the name of your organizational unit?
     [Unknown]: SOA
   What is the name of your organization?
     [Unknown]: ORACLE
   What is the name of your City or Locality?
     [Unknown]: SF
   What is the name of your State or Province?
     [Unknown]: CA
   What is the two-letter country code for this unit?
     [Unknown]: US
   Is CN=CEP, OU=SOA, O=ORACLE, L=SF, ST=CA, C=US correct?
     [no]: y
4. When prompted for a key password, do not enter a password; just press RETURN:
   Enter key password for <evsidentity>
     (RETURN if same as keystore password):
5. Using your favorite XML editor, open the Oracle CEP server config.xml file.
By default, the Configuration Wizard creates the config.xml file in the ORACLE_CEP_HOME\user_projects\domains\DOMAIN_DIR\servername\config directory, where ORACLE_CEP_HOME refers to the Oracle CEP installation directory such as d:\oracle_cep, DOMAIN_DIR refers to the domain directory such as my_domain, and servername refers to the server instance directory such as server1.
For more information, see Section 1.3.1, Oracle CEP Server Configuration Files.
6. Configure the ssl element. Example 10–7 shows the default ssl element the Configuration Wizard creates.

Example 10–7 Default ssl Element
<ssl>
    <name>sslConfig</name>
    <key-store>KEYSTORE_PATH</key-store>
    <key-store-pass>
        <password>PASSWORD</password>
    </key-store-pass>
    <key-store-alias>KEYSTORE_ALIAS</key-store-alias>
    <key-manager-algorithm>SunX509</key-manager-algorithm>
    <ssl-protocol>TLS</ssl-protocol>
    <enforce-fips>false</enforce-fips>
    <need-client-auth>false</need-client-auth>
</ssl>

Where:
■ KEYSTORE_PATH is the file path to the key-store file (the file name is from the -keystore argument to the keytool command).
■ PASSWORD is the cleartext keystore password.
■ KEYSTORE_ALIAS is the keystore alias from the -alias argument to the keytool command.
7. Save and close the config.xml file.
8. Encrypt the cleartext password in the key-store-pass element password child element of the config.xml file by using the encryptMSAConfig utility. See Section C.2, The encryptMSAConfig Command-Line Utility.
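As an added cross-check of the wiring these two procedures set up (example code written for this guide, not Oracle CEP's own tooling or documentation), the following Python script parses a config.xml and confirms that each netio ssl-config-bean-name names an existing ssl element (step 4 of Section 10.5.1), that the jetty secure-network-io-name names an SSL netio element (step 5), that no two netio elements share a port, and that each ssl element carries the children Example 10–7 shows. The embedded config.xml is constructed from Examples 10–5 to 10–7; its key-store path and alias are assumed values.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml (not a real domain file), assembled from the
# default elements shown in Examples 10-5, 10-6 and 10-7; path and alias assumed.
SAMPLE_CONFIG = """<config>
  <netio><name>NetIO</name><port>9002</port></netio>
  <netio><name>sslNetIo</name>
    <ssl-config-bean-name>sslConfig</ssl-config-bean-name><port>9003</port></netio>
  <jetty><name>JettyServer</name><network-io-name>NetIO</network-io-name>
    <work-manager-name>JettyWorkManager</work-manager-name>
    <secure-network-io-name>sslNetIo</secure-network-io-name></jetty>
  <ssl><name>sslConfig</name><key-store>ssl/evsidentity.jks</key-store>
    <key-store-pass><password>PASSWORD</password></key-store-pass>
    <key-store-alias>evsidentity</key-store-alias>
    <key-manager-algorithm>SunX509</key-manager-algorithm>
    <ssl-protocol>TLS</ssl-protocol><enforce-fips>false</enforce-fips>
    <need-client-auth>false</need-client-auth></ssl>
</config>"""

# Children every ssl element needs before the server can load the key-store.
SSL_REQUIRED = ("key-store", "key-store-pass/password", "key-store-alias", "ssl-protocol")

def check_ssl_wiring(xml_text):
    """Return a list of problems in the SSL-related elements of a config.xml
    document; an empty list means the cross-references are consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    ssl_beans = {s.findtext("name") for s in root.findall("ssl")}
    secure_netio = set()   # names of netio elements that carry ssl-config-bean-name
    ports = {}
    for n in root.findall("netio"):
        name, port = n.findtext("name"), n.findtext("port")
        if port in ports:  # two listeners cannot both bind the same port
            problems.append(f"port {port} used by both {ports[port]} and {name}")
        ports[port] = name
        bean = n.findtext("ssl-config-bean-name")
        if bean is not None:
            secure_netio.add(name)
            if bean not in ssl_beans:  # step 4: must match an <ssl><name>
                problems.append(f"netio {name} references unknown ssl bean {bean}")
    for j in root.findall("jetty"):
        sec = j.findtext("secure-network-io-name")
        if sec is not None and sec not in secure_netio:  # step 5: must be an SSL netio
            problems.append(f"jetty {j.findtext('name')}: {sec} is not an SSL netio element")
    for s in root.findall("ssl"):
        for path in SSL_REQUIRED:
            if not s.findtext(path):  # missing or empty child
                problems.append(f"ssl {s.findtext('name')} is missing {path}")
    return problems

if __name__ == "__main__":
    print(check_ssl_wiring(SAMPLE_CONFIG) or ["SSL wiring is consistent"])
```

Run it against a real config.xml by passing the file's contents to check_ssl_wiring; it reports the mismatches that would otherwise only surface when the server fails to start.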
10.5.3 How to Configure SSL in a Multi-Server Domain for Oracle CEP Visualizer
The following procedure shows how to configure one-way SSL between the server that hosts the Oracle CEP Visualizer data-services application and another server in a multi-server domain.
In the procedure, it is assumed that the server that hosts the Oracle CEP Visualizer data-services application is called server1 and the other server is called server2, and that both are located in the oracle_cep\user_projects\domains\mydomain directory. Repeat this procedure for other servers in the domain, if required.
For information on securing the messages sent between servers in a multi-server domain, see:
■ Oracle Coherence: Section 6.3, Securing the Messages Sent Between Servers in a Multi-Server Domain
■ Oracle CEP Native Clustering: Section 7.3, Securing the Messages Sent Between Servers in a Multi-Server Domain