Configuring CRL Validation for a Component

Configuring SSL in Oracle Fusion Middleware 6-37

6.7.3.2 Setting the SSLFIPS_140 Parameter

You can configure these components to run in FIPS mode by setting the SSLFIPS_140 parameter to TRUE in the fips.ora file:

SSLFIPS_140=TRUE

This file does not exist out-of-the-box and has to be created. Locate fips.ora either in the ORACLE_HOME/ldap/admin directory, or in the directory pointed to by the FIPS_HOME environment variable. The SSLFIPS_140 parameter is set to FALSE by default. You must set it to TRUE for FIPS mode operation.

6.7.3.3 Selecting Cipher Suites

A cipher suite is a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth. Only the following cipher suites are approved for use in FIPS mode:

SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

No other ciphers should be used while running in FIPS mode. You can configure one or more of these ciphers using comma-separated values. Specify them as the value of the Ciphers key in the SSL properties file used with the WLST configureSSL command. See Section 6.9.28, Properties Files for SSL, for details about specifying the SSL properties file with the configureSSL command.

6.7.3.4 Other Configuration Parameters

The minimum key size for enabling FIPS mode is 1024 bits. Ensure that the keys used in FIPS mode are at least 1024 bits. You can only use wallets created using Oracle tools such as SSLConfig, Oracle Wallet Manager, or orapki. Third-party PKCS12 wallet files cannot be used in FIPS mode.
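The FIPS requirements in Sections 6.7.3.2 through 6.7.3.4 (SSLFIPS_140=TRUE in fips.ora, only the four approved cipher suites in the Ciphers key, keys of at least 1024 bits) can be checked before running configureSSL. The following script is an added example, not Oracle's own code or tooling; it assumes fips.ora and the SSL properties file both use Java-style key=value lines, and the file contents it checks are constructed sample input.

```python
# Added example (not Oracle's own code): pre-flight checks for a FIPS-mode SSL
# configuration before running WLST configureSSL. Assumes Java-style key=value
# lines in fips.ora and the SSL properties file; sample input is constructed.
FIPS_APPROVED_CIPHERS = {
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
}
FIPS_MIN_KEY_BITS = 1024  # minimum key size for FIPS mode

def parse_properties(text):
    """Parse key=value lines; '#' or '!' start a comment (Java properties)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def fips_mode_enabled(fips_ora_text):
    """SSLFIPS_140 defaults to FALSE; only an explicit TRUE enables FIPS mode."""
    value = parse_properties(fips_ora_text).get("SSLFIPS_140", "FALSE")
    return value.upper() == "TRUE"

def fips_problems(fips_ora_text, ssl_props_text, key_bits):
    """Return a list of findings; an empty list means all checks passed."""
    problems = []
    if not fips_mode_enabled(fips_ora_text):
        problems.append("fips.ora does not set SSLFIPS_140=TRUE")
    ciphers = parse_properties(ssl_props_text).get("Ciphers", "")
    requested = [c.strip() for c in ciphers.split(",") if c.strip()]
    if not requested:
        problems.append("Ciphers key is empty; list the FIPS-approved suites explicitly")
    problems.extend("cipher not FIPS-approved: " + c
                    for c in requested if c not in FIPS_APPROVED_CIPHERS)
    if key_bits < FIPS_MIN_KEY_BITS:
        problems.append("key size %d bits is below the %d-bit FIPS minimum" % (key_bits, FIPS_MIN_KEY_BITS))
    return problems

# Constructed sample input: one approved suite and one non-approved (RC4/MD5) suite.
SAMPLE_FIPS_ORA = "SSLFIPS_140=TRUE\n"
SAMPLE_SSL_PROPS = ("# constructed ssl.properties for configureSSL\n"
                    "Ciphers=TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5\n")

if __name__ == "__main__":
    print(fips_problems(SAMPLE_FIPS_ORA, SAMPLE_SSL_PROPS, 2048))
```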

6.8 Best Practices for SSL

This section outlines some best practices for Oracle Fusion Middleware component administrators and application developers. It contains these topics:

■ Best Practices for Administrators
■ Best Practices for Application Developers

6.8.1 Best Practices for Administrators

Best practices for system administrators include the following:

■ Use self-signed wallets only in a test environment. You should obtain a CA-signed certificate in the wallet before moving to a production environment. For details, see Chapter 8, Managing Keystores, Wallets, and Certificates.

■ It is recommended that components, at least in the Web tier, use certificates that have the system hostname, virtual host, or site name as the DN. This allows browsers to connect in SSL mode without giving unsettling warning messages.

■ A minimum key size of 1024 bits is recommended for certificates used for SSL. A higher key size provides more security but at the cost of reduced performance. Pick an appropriate key size depending on your security and performance requirements.

■ Lack of trust is one of the most common reasons for SSL handshake failures. Ensure that the client trusts the server by importing the server CA certificate into the client keystore before starting the SSL handshake. If client authentication is also required, then the reverse must also be true.

6.8.2 Best Practices for Application Developers

The following practices are recommended:

■ Use Java Key Store (JKS) to store certificates for your Java EE applications.

■ Externalize SSL configuration parameters such as keystore path, truststore path, and authentication type in a configuration file, rather than embedding these values in the application code. This gives you the flexibility to change the SSL configuration without having to change the application itself.

6.9 WLST Reference for SSL

Starting with 11g Release 1 (11.1.1), WLST commands have been added to manage Oracle wallets and JKS keystores and to configure SSL for Oracle Fusion Middleware components. Use the commands listed in Table 6–1, Table 6–2, and Table 6–3 for this task.

You can obtain help for each command by issuing:

help('command_name')

Certain commands require parameters such as instance name, ias-component, and process type. You can obtain this information with the command:

ORACLE_INSTANCE/bin/opmnctl status

See Also: Section 8.2, Command-Line Interface for Keystores and Wallets, for important instructions on how to launch the WLST shell to run SSL-related commands. Do not launch the WLST interface from any other location.

Note: All WLST commands for SSL configuration must be run in online mode.

Table 6–1 WLST Commands for SSL Configuration

Use this command...   To...                                                   Use with WLST...
configureSSL          Set the SSL attributes for a component listener.        Online
getSSL                Display the SSL attributes for a component listener.    Online