Quick guide to Oracle IRM 11g index
So far in this guide we have an IRM Server up and running; however, I skipped over SSL configuration in the previous article because I wanted to cover it in more detail now. You can, if you wish, skip setting up SSL, but considering this is a security technology it is worthwhile doing.
Contents
Setting up a one way, self signed SSL certificate in WebLogic
Setting up an official SSL certificate in Apache 2.x
Configuring Apache to proxy traffic to the IRM server
There are two common scenarios in which an Oracle IRM server is configured. For a development or evaluation system, clients usually communicate directly with the WebLogic Server running the IRM service. However, in a production environment, and for some proof of concept evaluations that require a setup reflecting a production system, the traffic to the IRM server travels via a web server proxy, commonly Apache. In this guide we are building an Oracle Enterprise Linux based IRM service, and this article goes over the configuration of SSL in WebLogic and also in Apache.
As in the past articles, we are going to use two host names in the configuration below:
irm.company.com will refer to the public Apache server
irm.company.internal will refer to the internal WebLogic IRM server
Setting up a one way, self signed SSL certificate in WebLogic
First let's look at creating a simple self signed SSL certificate to be used in WebLogic. This is a quick and easy way to get SSL working in your environment; the downside is that no browser is going to trust the certificate you create, and you'll need to manually install the certificate onto any machine communicating with the server. This is fine for development or when you have only a few users evaluating the system, but for any significant use it's usually better to have a fully trusted certificate in use, which I explain in the next section. For now, let's go through creating, installing and testing a self signed certificate.
We use the Java utilities that ship with WebLogic to create the certificates. Open a console and run the following commands. Note that you should choose your own secure passwords wherever you see password below.
[oracle@irm /] source /oracle/middleware/wlserver_10.3/server/bin/setWLSEnv.sh
[oracle@irm /] cd /oracle/middleware/user_projects/domains/irm_domain/config/fmwconfig/
[oracle@irm /] java utils.CertGen -selfsigned -certfile MyOwnSelfCA.cer -keyfile MyOwnSelfKey.key -keyfilepass password -cn "irm.oracle.demo"
[oracle@irm /] java utils.ImportPrivateKey -keystore MyOwnIdentityStore.jks -storepass password -keypass password -alias trustself -certfile MyOwnSelfCA.cer.pem -keyfile MyOwnSelfKey.key.pem -keyfilepass password
[oracle@irm /] keytool -import -trustcacerts -alias trustself -keystore TrustMyOwnSelf.jks -file MyOwnSelfCA.cer.der -keyalg RSA
We now have two Java Key Stores, MyOwnIdentityStore.jks and TrustMyOwnSelf.jks. These contain the keys and certificates we will use in WebLogic Server. Now we need to tell the IRM server to use these stores when setting up SSL connections for incoming requests. Make sure the Admin server is running, log in to the WebLogic Console at http://irm.company.intranet:7001/console and do the following:
In the menu on the left, select the + next to Environment to expose the submenu, then click on Servers.
You will see two servers in the list, AdminServer(admin) and IRM_server1. If the IRM server is running, shut it down either by hitting CONTROL + C in the console window it was started from, or by switching to the Control tab, selecting IRM_server1 and then selecting the Shutdown menu and then Force Shutdown Now.
In the Configuration tab select IRM_server1 and switch to the Keystores tab. By default WebLogic Server uses its own demo identity and trust. We are now going to switch to the self signed ones we've just created, so select the Change button, switch to Custom Identity and Custom Trust and hit Save.
Now we have to complete the resulting fields; the settings I've used in my evaluation server are below.
Identity
Custom Identity Keystore: /oracle/middleware/user_projects/domains/irm_domain/config/fmwconfig/MyOwnIdentityStore.jks
Custom Identity Keystore Type: JKS
Custom Identity Keystore Passphrase: password
Confirm Custom Identity Keystore Passphrase: password
Trust
Custom Trust Keystore: /oracle/middleware/user_projects/domains/irm_domain/config/fmwconfig/TrustMyOwnSelf.jks
Custom Trust Keystore Type: JKS
Custom Trust Keystore Passphrase: password
Confirm Custom Trust Keystore Passphrase: password
Now click on the SSL tab for IRM_server1 and enter the alias and passphrase; in my demo the details are:
Identity
Private Key Alias: trustself
Private Key Passphrase: password
Confirm Private Key Passphrase: password
And hit Save.
Now let's test a connection to the IRM server over HTTPS. Go back to a console window and start the IRM server; a quick reminder on how to do this:
[oracle@irm /] cd /oracle/middleware/user_projects/domains/irm_domain/bin
[oracle@irm /] ./startManagedWebLogic.sh IRM_server1
Once running, open a browser and head to the SSL port of the server. By default the IRM server will be listening on the URL https://irm.company.intranet:16101/irm_rights. Note that in the example image on the right the port is 7002 because it's a system that has the IRM services installed on the Admin server; this isn't typical (or advisable). Your system is going to have a separate managed server which will be listening on port 16101. Once you open this address you will notice that your browser complains that the server certificate is untrusted.
The images on the right show how Firefox displays this error. You are going to be prompted every time you create a new SSL session with the server, both from the browser and, more annoyingly, from the IRM Desktop.
If you plan on always using a self signed certificate, it is worth adding it to the Windows certificate store so that when you are accessing sealed content you are not repeatedly told this certificate is not trusted. Follow these instructions (which are for Internet Explorer 8; they may vary for your version of IE).
Start Internet Explorer and open the URL to your IRM server over SSL, e.g. https://irm.company.intranet:16101/irm_rights. IE will complain about the certificate; click on Continue to this website (not recommended).
From the IE Tools menu select Internet Options and from the resulting dialog select Security, then click on Trusted Sites and then the Sites button.
Add to the list of trusted sites a URL which matches the server you are accessing, e.g. https://irm.company.intranet/, and select OK. Now refresh the page you were accessing and next to the URL you should see a red cross and the words Certificate Error. Click on this button and select View Certificates.
You will now see a dialog with the details of the self signed certificate, and the Install Certificate... button should be enabled. Click on this to start the wizard. Click Next and you'll be asked where you should install the certificate.
Change the option to Place all certificates in the following store. Select Browse, choose the Trusted Root Certification Authorities location and hit OK. You'll then be prompted to install the certificate; answer Yes.
You also need to import the root certificate into the same location, so once again select the red Certificate Error option and this time, when viewing the certificate, switch to the Certification Path tab and you should see a CertGenCAB certificate. Select this, click on View Certificate and go through the same process as above to import the certificate into the store.
Finally close all instances of the IE browser and re-access the IRM server URL; this time you should not receive any errors.
Setting up an official SSL certificate in Apache 2.x
At this point we now have an IRM server that you can communicate with over SSL. However, this certificate isn't trusted by any browser because its path of trust doesn't end in a recognized certificate authority (CA). Also, you are communicating directly with the WebLogic Server over a non standard SSL port, 16101. In a production environment it is common to have another device handle the initial public internet traffic and then proxy this to the WebLogic server.
The diagram below shows a very simplified view of this type of deployment. What I'm going to walk through next is configuring Apache to proxy traffic to a WebLogic server and also to use a real SSL certificate from an official CA.
The first step is to configure Apache to handle incoming requests over SSL. In this guide I am configuring the IRM service on Oracle Enterprise Linux 5 update 3 with Apache 2.2.3, which came with the OpenSSL and mod_ssl components. Before I purchase an SSL certificate, I need to generate a certificate request from the server. Oracle.com uses Verisign, and for my own personal needs I use cheaper certificates from GoDaddy.
The following instructions are specific to Apache, but there are many references out there for other web servers. For Apache I have OpenSSL and the commands are:
[oracle@irm /] cd /usr/bin
[oracle@irm bin] openssl genrsa -des3 -out irm-apache-server.key 2048
Generating RSA private key, 2048 bit long modulus
............................+++
.........+++
e is 65537 (0x10001)
Enter pass phrase for irm-apache-server.key:
Verifying - Enter pass phrase for irm-apache-server.key:
[oracle@irm bin] openssl req -new -key irm-apache-server.key -out irm-apache-server.csr
Enter pass phrase for irm-apache-server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:CA
Locality Name (eg, city) [Newbury]:San Francisco
Organization Name (eg, company) [My Company Ltd]:Oracle
Organizational Unit Name (eg, section) []:Security
Common Name (eg, your name or your server's hostname) []:irm.company.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:testing
An optional company name []:
You must make sure to remember the pass phrase you used in the initial key generation; you will need it later when configuring Apache. In the /usr/bin directory there are now two new files.
The irm-apache-server.csr file contains our certificate request and is what you cut and paste, or upload, to your certificate authority when you purchase and validate your SSL certificate. In response you will typically get two files: your server certificate and another certificate file that will likely contain a set of certificates from your CA which validate your certificate's trust. Next we need to configure Apache to use these files. Typically there is an ssl.conf file where all the SSL configuration is done. On my Oracle Enterprise Linux server this file is located at /etc/httpd/conf.d/ssl.conf, and I've added the following lines.
<VirtualHost irm.company.com:443>
# Setup SSL for irm.company.com (port 443 is the HTTPS listener)
ServerName irm.company.com
SSLEngine On
SSLCertificateFile /oracle/secure/irm.company.com.crt
SSLCertificateKeyFile /oracle/secure/irm.company.com.key
SSLCertificateChainFile /oracle/secure/gd_bundle.crt
</VirtualHost>
After restarting Apache (apachectl restart) I can now attempt to connect to the Apache server in a web browser at https://irm.company.com/. If all is configured correctly I should now see the Apache test page delivered over HTTPS.
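Before restarting Apache it is worth checking that the private key, the CSR and the certificate the CA returned actually belong together, that the certificate is issued for the host name you expect, and that it chains to the bundle you point SSLCertificateChainFile at. The following is an added shell example, not from the guide, that does those three checks with openssl only; the file paths and the host name irm.company.com are assumptions, and the demo function builds a throw-away self-signed identity so it runs offline.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check an Apache SSL identity
# before restarting httpd. Paths and host names are assumptions.
set -eu

# Returns 0 when key, CSR and certificate share the same RSA modulus
# (compared via SHA-256 so the long hex strings are not echoed).
# For a pass-phrase protected key add "-passin pass:..." to the rsa call.
check_modulus() {   # $1 key  $2 csr  $3 cert
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha256 | awk '{print $NF}')
    r=$(openssl req  -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}')
    c=$(openssl x509 -noout -modulus -in "$3" | openssl sha256 | awk '{print $NF}')
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Returns 0 when the certificate's subject CN equals the expected host name.
check_cn() {        # $1 cert  $2 expected host
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Returns 0 when the certificate verifies against the CA bundle (the file
# used as SSLCertificateChainFile); a self-signed cert verifies against itself.
check_chain() {     # $1 cert  $2 bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo on constructed input: create a throw-away key, CSR and self-signed
# certificate for irm.company.com in a temp dir, run all three checks,
# clean up, and return 0 only if every check passed.
demo() {
    d=$(mktemp -d)
    openssl genrsa -out "$d/key.pem" 2048 >/dev/null 2>&1
    openssl req -new -key "$d/key.pem" -subj "/CN=irm.company.com" \
        -out "$d/req.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/req.csr" -signkey "$d/key.pem" \
        -out "$d/cert.crt" 2>/dev/null
    if check_modulus "$d/key.pem" "$d/req.csr" "$d/cert.crt" \
       && check_cn "$d/cert.crt" irm.company.com \
       && check_chain "$d/cert.crt" "$d/cert.crt"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}
```

Source the script and call check_modulus, check_cn and check_chain against your real key, CSR, certificate and gd_bundle.crt; a non-zero return from any of them means Apache will either fail to start or serve a certificate browsers will reject.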
Configuring Apache to proxy traffic to the IRM server
The final piece in setting up SSL is to have Apache proxy requests for the IRM server, and do so securely. So the requests to Apache will be over HTTPS using a legitimate certificate, but we can also configure Apache to proxy these requests internally across to the IRM server using SSL with the self signed certificate we generated at the start of this article.
To do this proxying we use the WebLogic Web Server plugin for Apache, which you can download from Oracle. Download the zip file and extract it onto the server.
The file extraction reveals a set of zip files, each one specific to a supported web server. In my instance I am using Apache 2.2 32bit on an Oracle Enterprise Linux 64 bit server. If you are not sure what version your Apache server is, run the command /usr/sbin/httpd -V and you'll see the version and whether it is 32 or 64 bit. Mine is a 32bit server so I need to extract the file WLSPlugin1.1-Apache2.2-linux32-x86.zip.
Then from the resulting lib folder copy the file mod_wl.so into /usr/lib/httpd/modules/.
First we want to test that the plug-in will work for regular HTTP traffic. Edit the httpd.conf for Apache and add the following section at the bottom.
LoadModule weblogic_module modules/mod_wl.so
<IfModule mod_weblogic.c>
WebLogicHost irm.company.internal
WebLogicPort 16100
WLLogFile /tmp/wl-proxy.log
</IfModule>
<Location /irm_rights>
SetHandler weblogic-handler
</Location>
<Location /irm_desktop>
SetHandler weblogic-handler
</Location>
<Location /irm_sealing>
SetHandler weblogic-handler
</Location>
<Location /irm_services>
SetHandler weblogic-handler
</Location>
Now restart Apache again (apachectl restart) and open a browser to http://irm.company.com/irm_rights. Apache will proxy the HTTP traffic from port 80 of your Apache server to the IRM service listening on port 16100 of the WebLogic Managed server. Note that above I have included all four of the Locations you might wish to proxy. /irm_rights is the URL of the management website, /irm_desktop is the URL used by the IRM Desktop to communicate, /irm_sealing is for web services based document sealing and /irm_services is for IRM server web services.
The last two are typically only used when you have the IRM server integrated with another application, and it is unlikely you'd be accessing these resources from the public facing Apache server. However, just in case, I've mentioned them above.
Now let's enable SSL communication from Apache to WebLogic. In the ZIP file we extracted were some more modules we need to copy into the Apache folder. Looking back in the lib folder that we extracted, there are some more files. Copy the following into the /usr/lib/httpd/modules/ folder.
libwlssl.so
libnnz11.so
libclntsh.so.11.1
Now the documentation states that you should only need to do this, but I found that I also needed to create an environment variable called LD_LIBRARY_PATH and point it to the folder /usr/lib/httpd/modules/. If I didn't do this, starting Apache with the WebLogic module configured for SSL would throw the following error.
[crit] (20014)Internal error: WL SSL Init failed for server: (null) on 0
So I had to edit the file /etc/profile and add the following lines at the bottom. You may already have the LD_LIBRARY_PATH variable defined, in which case simply add this path to it.
LD_LIBRARY_PATH=/usr/lib/httpd/modules/
export LD_LIBRARY_PATH
The WebLogic plug-in uses an Oracle Wallet to store the required certificates. You'll need to copy the self signed certificate from the IRM server over to the Apache server. Copy the MyOwnSelfCA.cer.der file into the same folder where you are storing your public certificates; in my example this is /oracle/secure. It's worth mentioning these files should ONLY be readable by root (the user Apache runs as).
Now let's create an Oracle Wallet and import the self signed certificate from the IRM server. The orapki tool was included in the bin folder of the Apache 1.1 plugin zip you extracted.
orapki wallet create -wallet /oracle/secure/my-wallet -auto_login_only
orapki wallet add -wallet /oracle/secure/my-wallet -trusted_cert -cert MyOwnSelfCA.cer.der -auto_login_only
Finally, change the httpd.conf to reflect that we want the WebLogic Apache plug-in to use HTTPS/SSL and not just plain HTTP.
<IfModule mod_weblogic.c>
WebLogicHost irm.company.internal
WebLogicPort 16101
SecureProxy ON
WLSSLWallet /oracle/secure/my-wallet
WLLogFile /tmp/wl-proxy.log
</IfModule>
Then restart Apache once more and you can go back to the browser to test the communication. Opening the URL https://irm.company.com/irm_rights will proxy your request to the WebLogic server at https://irm.company.internal:16101/irm_rights.
At this point you have a fully functional Oracle IRM service; the next step is to create a sealed document and test the entire system.