搜索
Copyright©2006,Oracle.Allrightsreserved.ManagingSecureSocketsLayerinOracleApplicationServerCopyright©2006,Oracle.Allrightsreserved.7-2ObjectivesAftercompletingthislesson,youshouldbeableto:•Explainhowsecuresocketslayer(SSL)works•DiscussOracleApplicationServerpublickeyinfrastructure(PKI)components•ExplaintheOracleWalletManager(OWM)functionality•Manageuserandtrustedcertificates•ConfigureOracleHTTPServertouseSSL•ConfigureORMISforOC4JCopyright©2006,Oracle.Allrightsreserved.7-3WhatIsSSL?•Securesocketslayer(SSL)isanindustry-standardprotocolforsecuringnetworkconnections.•SSLinvolvesthreemechanisms:–Encryption–Authentication–Dataintegrity•OracleApplicationServersupportsSSL(versions2and3)andTransportLayerSecurity(TLS)version1.Copyright©2006,Oracle.Allrightsreserved.7-5HowSSLWorksOracleApplicationServer10gBrowser132RequestclientCertificateSessionKeyPublicCertificateHTTPS4Copyright©2006,Oracle.Allrightsreserved.7-7KeyCryptographySSLprovidesmessageintegrity,authentication,andencryption:•Onthebasisoftheconceptofpublickeycryptography•Throughtwotypesofencryptions:–Publickey–PrivateorsymmetrickeyCopyright©2006,Oracle.Allrightsreserved.7-9PublicKeyInfrastructure(PKI)Youcanusepublickeycertificatesforthefollowing:•Enablingsecureandreliableauthenticationofusers•Ensuringtheintegrityoftransmitteddata•Preventingunauthorizedaccesstoinformationwhentransmittedorstored•PrecludingrepudiationofelectronictransactionsCopyright©2006,Oracle.Allrightsreserved.7-11UserCertificates•YoumayneedausercertificatetoauthenticatetoanSSL-enabledWebsite.•YoucanobtainusercertificatesfromanyCertificateAuthority(CA).Copyright©2006,Oracle.Allrightsreserved.7-12ObtainingaServerCertificate•YoucanmaketheaccesstoaserverintheenterprisesecurebyenablingSSL.•Toenabletheserversecurity,yourequireaPKCS#10certificaterequest.•UseOracleWalletManager(OWM)togeneratetheserverrequest.•YoucangetaservercertificatefromatrustedCAaftersubmittingthePKCS#10request.Copyright©2006,Oracle.Allrightsreserved.7-13StoringSecureCredentialsAwallet:•Isadatabasethatisusedtomanageauthenticationdata•Storessecurecredentialssuchasdigitalcertificates•ManagessecuritycredentialsontheserverandclientCopyright©2006,Oracle.Allrightsreserved.7-14WhatIsOracleWalletManager?•OracleWalletManager(OWM)isastand-aloneJavaapplicationthatwalletownersusetomanageandeditsecuritycredentialsintheirwallets.•Asasecurityadministrator,youcanuseOWMtomanagepublic-keysecuritycredentialsonOracleApplicationServer.Copyright©2006,Oracle.Allrightsreserved.7-15OracleApplicationServerPKIComponentsOracleApplicationServerPKI:•Includes:–Securesocketslayer(SSL)–Containers,wallets,andOracleWalletManager(OWM)•SimplifiestheprocessofimplementingsecurityCopyright©2006,Oracle.Allrightsreserved.7-17TasksUsingOWM•Generatingapublic–privatekeypair•Creatingacertificaterequest•Installingacertificatefortheentity•Configuringtrustedcertificatesfortheentity•CreatingawalletthatcanbeaccessedbyOWM•ImportingandexportingwalletsCopyright©2006,Oracle.Allrightsreserved.7-18CreatingaNewWallet•YoucancreateanewemptywalletbyusingtheOWM.•Thepasswordthatyouprovideforthenewwalletmust:–Haveatleasteightcharacters–Containalphabeticcharacters–ContainnumbersorspecialcharactersCopyright©2006,Oracle.Allrightsreserved.7-19ManagingUserCertificates•OWMusestwokindsofcertificates:–Usercertificates–Trustedcertificates•YoumustinstallatrustedcertificatefromtheCAbeforeyoucaninstallausercertificateissuedbythatCA.Copyright©2006,Oracle.Allrightsreserved.7-20AddingaCertificateRequest•Youmustfirstcreateacertificaterequesttoobtainausercertificate.•Youcanaddmultiplecertificaterequeststoawallet.Copyright©2006,Oracle.Allrightsreserved.7-21ExportingaUserCertificateRequestCopyright©2006,Oracle.Allrightsreserved.7-22ImportingtheUserCertificatetotheWalletCopyright©2006,Oracle.Allrightsreserved.7-23ManagingTrustedCertificatesManagingtrustedcertificatesincludesthefollowingtasks:•Importingatrustedcertificate•Removingatrustedcertificate•Exportingatrustedcertificate•Exportingalltrustedcertificates•ExportingawalletCopyright©2006,Oracle.Allrightsreserved.7-24ImportingandExportingaTrustedCertificateCopyright©2006,Oracle.Allrightsreserved.7-25ExportingaWalletYoucanexportawallettotext-basedPKIformats.Copyright©2006,Oracle.Allrightsreserved.7-26CertificateRevocationList•Certificaterevocationlist(CRL)isasetofsigneddatastructuresthatcontainalistofrevokedcertificates.•Theauthenticityandintegrityofthecertificaterevocationlistisprovidedbyanappendeddigitalsignature.•Theorapkiutilityisacommand-linetoolthatisusedtomanageCRLs,createandmanageOraclewallets,andcreatesignedcertificatesfortestingpurposes.Copyright©2006,Oracle.Allrightsreserved.7-27EnablingOracleHTTPServertoUseSSL•OnecommonuseofSSListosecureHTTPcommunicationbetweenabrowserandaWebserver.•mod_osslisOracle’ssecuresocketslayer(SSL)implementation.•mod_osslsupportsSSLv.3.0.Copyright©2006,Oracle.Allrightsreserved.7-28ConfiguringOracleHTTPServerforSSLCertificates•YoucanconfigureOracleHTTPServerforSSLbyconfiguringthessl.conffile.•Thessl.conffileislocatedat$ORACLE