
Oracle9i Application Server Security Guide
Release 2 (9.0.2)

Part Number A90146-01

8 Configuring Security for Oracle9iAS Web Cache

This chapter explains how to configure security settings for Oracle9iAS Web Cache, including configuration for passwords and executable ownership. In addition, this chapter describes how to configure Oracle9iAS Web Cache for HTTPS support of secure pages.

This chapter contains these topics:

Modifying Default Security Settings

When Oracle9iAS Web Cache is installed, it is set up with default passwords for administration and invalidation requests. In addition, the computer on which you installed Oracle9iAS Web Cache is the default trusted host.

To change the security settings:

  1. Start Oracle9iAS Web Cache Manager.

    See Also:

    Oracle9iAS Web Cache Administration and Deployment Guide in the Oracle9iAS Documentation Library.

  2. Change the password for the administrator.

    Configuration and operational tasks can be performed with the Oracle9iAS Web Cache administrator user. The administrator user has a default password of administrator set up during installation. Before you begin configuration, change the default password to a secure password.

    1. In the navigator pane, select Administering Oracle Web Cache > Security.

      The Security page appears in the right pane.

    2. In the Security page, click Change Admin Password under Administration User.

      The Change Administration User Password dialog box appears.

    3. Enter administrator in the Old Password field and a new password between four and 20 characters in the New Password and Confirm New Password fields.

    4. Click Submit.

  3. Optionally, change the password for the invalidation administrator.

    The invalidation administrator has a user ID of invalidator, with default password of invalidator.

    1. In the Security page, click Change Invalidation Password under the Invalidation User.

      The Change Invalidation User Password dialog box appears.

    2. Enter invalidator in the Old Password field, and a new password between four and 20 characters long in the New Password and Confirm New Password fields.

    3. Click Submit.

  4. Optionally, change the trusted subnet or trusted host from which Oracle9iAS Web Cache and invalidation administration can take place.

    By default, the computer on which you installed Oracle9iAS Web Cache is the trusted host.

    1. In the Security page, click Change Trusted Subnets under the Currently trusted subnets.

      The Change Trusted Subnets dialog box appears.

    2. Select one of the following options:

      All subnets

      Select to allow administration requests from all computers in all the subnets in the network.

      This machine only

      Select to allow administration and invalidation requests from only this computer.

      Enter list of IPs

      Select to allow requests from all IP addresses you enter in a comma-separated list. You can enter IP addresses in one of the following formats:

    3. Click Submit.

  5. Optionally, change the user ID and group ID for the Oracle9iAS Web Cache executables on UNIX.

    By default, the user that performed the installation is the owner of Oracle9iAS Web Cache executables. This user can execute webcachectl commands. Users that belong to the same group ID as the user that performed the installation can also execute webcachectl commands.

    1. In the navigator pane, select Administering Oracle Web Cache > Process Identity.

      The Process Identity page appears in the right pane.

    2. In the Process Identity page, click Change IDs.

      The Change Process Identity dialog box appears.

    3. Enter the new user in the New User ID field and the group ID of the user in the New Group ID field.

    4. Click Submit.

  6. In the Oracle9iAS Web Cache Manager main window, click Apply Changes.


    Note:

    If you changed the password for the administrator user in Step 2, you must restart the admin server process with the webcachectl restart command rather than with the Restart option in the Operations page (Administration > Operations).
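
The ownership described in Step 5 can be checked from the shell after the change. The script below is an added example, not part of the Oracle documentation; it assumes GNU coreutils stat, and the path to webcachectl and the expected user and group names are site-specific values you supply. Reporting execute permission for other users is an assumption drawn from the statement that the owner and members of its group run webcachectl.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumes GNU coreutils `stat -c`.
# Usage: audit.sh /path/to/webcachectl EXPECTED_USER EXPECTED_GROUP
# (the path and account names are site-specific placeholders).

# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 if missing.
audit_webcache_exec() {
    path=$1; want_user=$2; want_group=$3
    if [ ! -e "$path" ]; then
        echo "MISSING: $path"
        return 2
    fi
    owner=$(stat -c %U "$path")
    group=$(stat -c %G "$path")
    mode=$(stat -c %a "$path")          # octal, e.g. 750
    other=${mode#"${mode%?}"}           # last digit = permissions for "other"
    findings=0
    if [ "$owner" != "$want_user" ]; then
        echo "OWNER: $path is owned by $owner, expected $want_user"
        findings=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "GROUP: $path has group $group, expected $want_group"
        findings=1
    fi
    case $other in 2|3|6|7)
        echo "WORLD-WRITABLE: $path (mode $mode) can be modified by any local user"
        findings=1 ;;
    esac
    case $other in 1|3|5|7)
        echo "WORLD-EXECUTABLE: $path (mode $mode) can be run outside the owner and group"
        findings=1 ;;
    esac
    return $findings
}

# Constructed demo: a temporary file with mode 757 stands in for webcachectl.
demo() {
    f=$(mktemp); chmod 757 "$f"; rc=0
    audit_webcache_exec "$f" "$(id -un)" "$(id -gn)" || rc=$?
    rm -f "$f"
    return $rc
}

if [ "$#" -eq 3 ]; then
    audit_webcache_exec "$@"
else
    demo || true
fi
```

Run it against each Oracle9iAS Web Cache executable after Apply Changes; a non-zero exit status means the file's owner, group, or mode does not match what you configured.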


Configuring HTTPS Protocol Support

You can configure Oracle9iAS Web Cache to receive HTTPS browser requests and send HTTPS requests to the origin server. HTTPS uses the Secure Sockets Layer (SSL) to encrypt and decrypt user page requests as well as the pages that are returned by the origin server.

To describe how SSL works in an HTTPS connection, the word client is used to describe either a browser or Oracle9iAS Web Cache, and the word server is used to describe either Oracle9iAS Web Cache or an origin server.

The authentication process between the client and server consists of the steps that follow:

  1. The client initiates a connection to the server by using HTTPS.

  2. SSL performs the handshake between the client and the server.

At the commencement of an HTTPS network connection between the client and server, an SSL handshake is performed. An SSL handshake includes the following actions:

To configure HTTPS support, perform these tasks:

Task 1: Create Wallets

Wallets are needed to support the following HTTPS requests:

Each site requires at least one wallet. One wallet can be shared among all the Oracle9iAS Web Cache listening ports, or a separate wallet can be created for each Oracle9iAS Web Cache listening port.

To create a wallet, use Oracle Wallet Manager. Create the wallet as the following user:

When the webcachectl or OracleHOME_NAMEWebCache service starts the cache server process, Oracle9iAS Web Cache opens the wallet as the webcachectl or the OracleHOME_NAMEWebCache service owner.

By default, wallets are stored in the following locations:

See Also:

Chapter 5, "Using Oracle Wallet Manager" for information about using Oracle Wallet Manager to create and manage Oracle Wallets.

Enabling Wallets to Open on Windows

Oracle9iAS Web Cache attempts to open wallets at startup on Windows. On Windows, wallets are protected so that only the user that created them can open and use them. By default, Oracle9i Application Server services are associated with the local system account, which does not have permission to open wallets.

To enable Oracle9iAS Web Cache to open wallets at startup:

  1. Create a wallet with an administrator account.

  2. Change the system account information for the Oracle9iAS Web Cache services:

    Windows NT:

    1. Choose the Services icon from the Control Panel window.

      The Services window appears.

    2. Select the OracleHOME_NAMEWebCache service.

      The Service dialog appears.

    3. Click This Account.

      By default the LocalSystem user account is associated with the service.

    4. Click the ellipsis (...) next to This Account.

      The Add User dialog box appears.

    5. Select the user that created the wallet from the Names list, and then click Add.

    6. Click OK to close the Add User dialog box.

    7. In the Service dialog box, provide the password for the wallet administrator in the Password field, and then confirm the password in the Confirm Password field.

    8. In the Services dialog box, click OK.

    9. Repeat Steps 3 - 9 for the OracleHOME_NAMEWebCacheAdmin and OracleHOME_NAMEWebCacheMon services.

    10. In the Services window, click Close.

    Windows 2000:

    1. Choose Administrative Tools > Services from the Control Panel window.

      The Services window appears.

    2. Select the OracleHOME_NAMEWebCache service.

      The OracleHOME_NAMEWebCache Properties dialog appears.

    3. Click the Log On tab.

    4. In the Log On tab, click This account.

      By default the LocalSystem user account is associated with the service.

    5. Click Browse next to This Account.

      The Select User dialog box appears.

    6. Select the user that created the wallet from the list, and then click OK.

    7. Click OK to close the Add User dialog box.

    8. In the OracleHOME_NAMEWebCache Properties dialog box, provide the password for the wallet administrator in the Password field, and then confirm the password in the Confirm Password field.

    9. In the Services dialog box, click OK.

    10. Repeat Steps 3 - 9 for the OracleHOME_NAMEWebCacheAdmin and OracleHOME_NAMEWebCacheMon services.

On Windows NT, additionally grant the wallet administrator the right to run Oracle9iAS Web Cache as a service:

  1. Choose Start > Programs > Administrative Tools > User Manager.

    The User Manager window appears.

  2. Select the wallet administrator, and then choose Policies > User Rights.

    The User Rights Policy dialog box appears.

  3. Click the Show Advanced User Rights check box, and then select Log on as a service from the Right list.

  4. Select Users from the Grant To list.

    If Users does not exist, create it:

    1. Click Add.

      The Add Users and Groups dialog box appears.

    2. Select the name of the local host computer from the List Names From list.

    3. Select Users from the Names list, and then choose Add.

    4. Click OK.

      Users appears in the Grant To list.

  5. Click OK in the User Rights Policy dialog box.

    The User Manager window reappears.

  6. Choose User > Exit.

Task 2: Configure HTTPS Listening Ports and Wallet Location

To configure HTTPS protocol support between browsers and Oracle9iAS Web Cache:

  1. Select Cache-Specific Configuration > Listening Ports in Oracle9iAS Web Cache Manager to configure Oracle9iAS Web Cache with an HTTPS listening port and the location of the wallet for each supported site.

  2. Select Cache-Specific Configuration > Operations Ports in Oracle9iAS Web Cache Manager to configure administration, invalidation, and statistics monitoring requests with HTTPS listening ports and the location of the site's wallet.

    The ports for these requests can share the same wallet as established for the Oracle9iAS Web Cache listening port in Step 1.

To configure HTTPS protocol support between Oracle9iAS Web Cache and origin servers:

  1. Select General Configuration > Application Web Servers or Proxy Servers in Oracle9iAS Web Cache Manager to configure an application Web server or proxy server with an HTTPS communication port.

  2. Select Cache-Specific Configuration > Origin Server Wallet in Oracle9iAS Web Cache Manager to specify the location of the wallet used for communication from Oracle9iAS Web Cache to an application Web server or proxy server.

    The ports for these requests can share the same wallet as established for the Oracle9iAS Web Cache listening ports.

    See Also:

    Chapter 6, "Initial Setup and Configuration," of Oracle9iAS Web Cache Administration and Deployment Guide in the Oracle9iAS Documentation Library for further information about configuring HTTPS listening ports and specifying the location of the wallet.

Task 3: Permit Only HTTPS Requests for a Site

You can restrict a URL or set of URLs for a site to permit only HTTPS requests.

To allow only HTTPS traffic for a URL or a set of URLs:

  1. Select General Configuration > Sites in Oracle9iAS Web Cache Manager to specify a site definition.

  2. In the Site Definitions page, choose Add Site to add a site definition or Edit Site to modify an existing site definition.

    The Add Site or Edit Site dialog box appears.

  3. In the HTTPS Only Prefix field, enter the URL prefix for which only HTTPS requests will be served.

    If all traffic must be restricted to HTTPS, enter "/" for the entire site.

  4. Enter appropriate information in the other fields, as described in the online help and Chapter 6, "Initial Setup and Configuration," of Oracle9iAS Web Cache Administration and Deployment Guide in the Oracle9iAS Documentation Library.


Copyright © 2002 Oracle Corporation.

All Rights Reserved.