Oracle9i Application Server Security Guide Release 2 (9.0.2) Part Number A90146-01
This chapter explains how to configure security settings for Oracle9iAS Web Cache, including configuration for passwords and executable ownership. In addition, this chapter describes how to configure Oracle9iAS Web Cache for HTTPS support of secure pages.
This chapter contains these topics:
When Oracle9iAS Web Cache is installed, it is set up with default passwords for administration and invalidation requests. In addition, the computer on which you installed Oracle9iAS Web Cache is the default trusted host.
To change the security settings:
Configuration and operational tasks can be performed with the Oracle9iAS Web Cache administrator user. The administrator user has a default password of administrator set up during installation. Before you begin configuration, change the default password to a secure password.
The Security page appears in the right pane.
The Change Administration User Password dialog box appears.
Enter administrator in the Old Password field and a new password between four and 20 characters in the New Password and Confirm New Password fields.
The invalidation administrator has a user ID of invalidator, with default password of invalidator.
The Change Invalidation User Password dialog box appears.
Enter invalidator in the Old Password field, and a new password between four and 20 characters long in the New Password and Confirm New Password fields.
By default, the computer on which you installed Oracle9iAS Web Cache is the trusted host.
The Change Trusted Subnets dialog box appears.
All subnets
Select to allow administration requests from all computers in all the subnets in the network.
This machine only
Select to allow administration and invalidation requests from only this computer.
Enter list of IPs
Select to allow requests from all IP addresses you enter in a comma-separated list. You can enter IP addresses in one of the following formats:
Example: 10.1.2.3
Example: 10.1.0.0/255.255.0.0 allows all the hosts in the 10.1 subnet access.
Example: 10.1.0.0/16 allows all the hosts in the 10.1 subnet access. This example is similar to the network/netmask example, except the netmask consists of nnn high-order 1 bits.
By default, the user that performed the installation is the owner of Oracle9iAS Web Cache executables. This user can execute webcachectl commands. Users that belong to the same group ID as the user that performed the installation can also execute webcachectl commands.
The Process Identity page appears in the right pane.
The Change Process Identity dialog box appears.
Note: If you changed the password for the administrator user in Step 2, you must restart the admin server process with the webcachectl restart command rather than with the Restart option in the Operations page (Administration > Operations).
You can configure Oracle9iAS Web Cache to receive HTTPS browser requests and send HTTPS requests to the origin server. HTTPS uses the Secure Sockets Layer (SSL) to encrypt and decrypt user page requests as well as the pages that are returned by the origin server.
To describe how SSL works in an HTTPS connection, the word client is used to describe either a browser or Oracle9iAS Web Cache, and the word server is used to describe either Oracle9iAS Web Cache or an origin server.
The authentication process between the client and server consists of the steps that follow:
At the commencement of an HTTPS network connection between the client and server, an SSL handshake is performed. An SSL handshake includes the following actions:
To configure HTTPS support, perform these tasks:
Wallets are needed to support the following HTTPS requests:
Each site requires at least one wallet. One wallet can be shared among all the Oracle9iAS Web Cache listening ports, or a separate wallet can be created for each Oracle9iAS Web Cache listening port.
To create a wallet, use Oracle Wallet Manager. Create the wallet as the following user:
OracleHOME_NAMEWebCache service on Windows
When the webcachectl or OracleHOME_NAMEWebCache service starts the cache server process, Oracle9iAS Web Cache opens the wallet as the webcachectl or the OracleHOME_NAMEWebCache service owner.
By default, wallets are stored in the following locations:
See Also: Chapter 5, "Using Oracle Wallet Manager" for information about using Oracle Wallet Manager to create and manage Oracle Wallets.
Oracle9iAS Web Cache attempts to open wallets at startup on Windows. On Windows, wallets are protected so that only the user that created them can open and use them. By default, Oracle9i Application Server services are associated with the local system account, which does not have permission to open wallets.
To enable Oracle9iAS Web Cache to open wallets at startup:
On Windows NT, additionally grant the wallet administrator the right to run Oracle9iAS Web Cache as a service:
The User Manager window appears.
The User Rights Policy dialog box appears.
If Users does not exist, create it:
The User Manager window reappears.
To configure HTTPS protocol support between browsers and Oracle9iAS Web Cache:
The ports for these requests can share the same wallet as established for the Oracle9iAS Web Cache listening port in Step 1.
To configure HTTPS protocol support between Oracle9iAS Web Cache and origin servers:
The ports for these requests can share the same wallet as established for the Oracle9iAS Web Cache listening ports.
You can restrict a URL or set of URLs for a site to permit only HTTPS requests.
To allow only HTTPS traffic for a URL or a set of URLs:
The Add Site or Edit Site dialog box appears.
If all traffic must be restricted to HTTPS, enter "/" for the entire site.
Copyright © 2002 Oracle Corporation. All Rights Reserved.