OIPA Use of Coherence

The OIPA application uses the Oracle Coherence distributed cache to minimize database traffic. In addition to the cache, OIPA Cycle uses the Coherence Processing Pattern as a compute grid to distribute tasks among all OIPA Cycle Web. Batch processing on the grid is initiated by the Cycle Client over the Coherence communication protocol. Even though all parties to Coherence communications sit behind the firewall in the OIPA application server and database zone, it is nevertheless important to secure Coherence according to the Coherence User Guide: a cluster member that accepts unauthenticated join requests or unencrypted cluster traffic is only as safe as the least trusted host in that zone.

Oracle Coherence also provides workload management to distribute tasks across a computer cluster or other resources. This lets Cycle achieve optimal resource utilization, maximize throughput, minimize response time, avoid overload, and avoid a single point of failure for tasks processed in the grid. Along with the protection provided by the firewalls, Coherence workload management provides these additional security features:

Configuring SSL

The Secure Sockets Layer (SSL) protocol, and its successor Transport Layer Security (TLS), provides communication security by encrypting traffic across a network so that it cannot be read or altered in transit. It uses asymmetric cryptography to authenticate the server (and optionally the client) and to establish a session key, symmetric encryption under that key for confidentiality, and a keyed message authentication code (or an authenticated cipher mode) for integrity. Setting up an SSL-secured connection requires a digital certificate issued by a certificate authority that the clients trust. Self-signed certificates should be used only for internal testing: a client has no independent way to verify who holds the matching private key, so it must be told to trust that exact certificate, which is what the steps below do.

Any OIPA web service entry points consumed by external third-party clients must be secured with SSL. Organization standards may also require securing communication between browser-based clients and the web servers in the demilitarized zone that host the OIPA front end; in practice every hop that carries credentials or session cookies should be on HTTPS.

Configuring a web server to serve HTTPS instead of unsecured HTTP is server-specific. The information below should help locate the relevant documentation and navigate the configuration process.

SSL in WebLogic 12.2.1.1

WebLogic Server 12.2.1 supports SSL 3.0 and TLS 1.0, 1.1 and 1.2; SSL 2.0 and earlier are not supported. TLS 1.1 is the default minimum protocol version, and Oracle recommends TLS 1.1 or later in a production environment. SSL 3.0 and TLS 1.0 have known weaknesses and should not be enabled; set the minimum to TLS 1.2 with the system property -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 in the server start arguments, and confirm from a client that a TLS 1.0 handshake is refused.

For information on how to configure SSL in WebLogic please refer to the following websites or follow the steps below:

https://docs.oracle.com/middleware/1221/wls/SECMG/ssl_overview.htm#SECMG718

http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

Steps to Configure SSL/https:

  1. Login to the WebLogic console.
  2. In the Domain Structure box, expand Environment and click Servers.
  3. Click on the server that you created. Example: OIPA_SERVER.
  4. Select the SSL Listen Port Enabled checkbox and note the SSL Listen Port. Example: 7002.

  5. Click Save.
  6. Restart the server.
  7. Navigate to https://machinename:7002/PASJava in your browser to access the login page of OIPA.

http://docs.oracle.com/middleware/1221/wls/SECMG/identity_trust.htm#SECMG720

Steps to Configure Certificates:

The steps listed below are based on the default JDK certificate.

WEBLOGIC_JAVA_SECLIB = the jre/lib/security directory of the JDK 1.8.x installation.

For example: /opt/oracle/jdk1.8.0_77/jre/lib/security

WEBLOGIC_JAVA_HOME = the location of the JDK 1.8.x installation.

For example: /opt/oracle/jdk1.8.0_77/

Note: If the JDK is not installed on your machine, download and install the latest update of the Oracle JDK 1.8.

  1. Install the Oracle WebLogic 12.2.1.1 application server.
  2. From WEBLOGIC_JAVA_HOME (so that the relative paths below resolve into WEBLOGIC_JAVA_SECLIB), with WEBLOGIC_JAVA_HOME\bin on the PATH, run the commands listed below. Use a 2048-bit key; 1024-bit RSA is below current minimum key-size guidance. Replace CN=localhost with the host name clients will put in the URL, otherwise host name verification fails, and remember that a self-signed certificate is suitable for internal testing only. keytool prompts for the keystore and truststore passwords (the page uses jbossws for the keystore) and, on import, asks whether to trust the certificate; the passwords you choose are the ones passed to the JVM in step 5.
    • keytool -genkeypair -keystore jre/lib/security/wsse.keystore -keyalg RSA -keysize 2048 -validity 1000 -alias localhost -dname "CN=localhost"
    • keytool -export -keystore jre/lib/security/wsse.keystore -alias localhost -file jre/lib/security/localhost.cer
    • keytool -import -keystore jre/lib/security/wsse.truststore -trustcacerts -alias localhost -file jre/lib/security/localhost.cer
  3. The above step will create two files within WEBLOGIC_JAVA_SECLIB.
    • wsse.keystore
    • wsse.truststore
  4. Move wsse.keystore and wsse.truststore to the conf folder where all properties files reside. Example: C:\OIPA\conf.
  5. Log in to the Oracle WebLogic console, go to Environment > Servers > OIPA > Server Start and add the details listed below to Arguments. Replace <truststore password> with the password chosen for wsse.truststore and jbossws with your own keystore password. Both values are readable by anyone who can view the domain configuration or list the server's process arguments, so restrict file permissions on the domain directory and on C:\OIPA\conf. The last argument raises WebLogic's minimum protocol version from its TLS 1.1 default to TLS 1.2.
    • -Duser.language=en -Duser.region=US -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false -javaagent:C:\OIPA\lib\spring-instrument-4.3.10.RELEASE.jar -Dtangosol.coherence.override=C:\OIPA\conf\coherence-config.xml -Dtangosol.coherence.cacheconfig=C:\OIPA\conf\coherence-cache-config.xml -Dtangosol.pof.config=com-adminserver-pas-web-pof-config.xml -Djavax.net.ssl.trustStore=C:\OIPA\conf\wsse.truststore -Djavax.net.ssl.trustStorePassword=<truststore password> -Djavax.net.ssl.keyStore=C:\OIPA\conf\wsse.keystore -Djavax.net.ssl.keyStorePassword=jbossws -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2
  6. Go to WEBLOGIC_JAVA_SECLIB and create a back-up of the cacerts file.
  7. Create a new certificate (cacerts) file by following the steps below. InstallCert connects to the given host and port, prints the certificate chain the server presents (subject, issuer and fingerprints), and lets you add one of those certificates to a copy of cacerts named jssecacerts. This is a trust-on-first-use step, so run it only against the server you just configured, from a network you control, and compare the fingerprint it prints with the output of keytool -list -v -keystore C:\OIPA\conf\wsse.keystore before accepting.
    • Copy InstallCert.class and InstallCert$SavingTrustManager.class into WEBLOGIC_JAVA_HOME\bin.
    • From WEBLOGIC_JAVA_HOME\bin, run InstallCert from a command prompt, for example java InstallCert localhost:7002. The keystore jssecacerts is loaded, a connection is opened and the certificates the server presents are listed.
    • At the prompt Enter certificate to add to trusted keystore or 'q' to quit, type 1 to add the server certificate.
    • The message Added certificate to keystore 'jssecacerts' using alias 'localhost-1' confirms the import. Run java InstallCert localhost:7002 once more; the handshake should now succeed without complaint, then enter q to exit. A new jssecacerts keystore file now exists in WEBLOGIC_JAVA_SECLIB; rename it to cacerts.

Note: Repeat step 7 to enable SSL for different port numbers.

  8. Stop the WebLogic application server (JVM, Node Manager).
  9. Restart the machine.
  10. Start the WebLogic application server (JVM, Node Manager).
  11. Enter https://machinename:7002/PASJava in your browser to access the login page of OIPA.

SSL in WebSphere 8.5.5.9

In version 8 of WebSphere Application Server everything is done from the administrative console, which includes a complete overview of the SSL management capabilities.

For more information about managing SSL in WebSphere please refer to the following website or follow the steps listed below.

http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/index.jsp

Note: Search for Overview and new features: Securing under Network Deployment

Steps to Configure SSL/https

  1. Login to the WebSphere console.
  2. Expand Server Types and click WebSphere Application Servers.
  3. Click on the server that you created. Example: OIPA_WILDCAT_10.0.0.0
  4. Expand Ports and note the port number of WC_defaulthost_secure. It is needed in step 7.
  5. From the left side menu expand Environment and click Virtual Host.
  6. Click default_host and then click Host Aliases.
  7. Click New, enter the port number noted in step 4, then click OK.
  8. Restart the server/JVM.
  9. Navigate to https://machinename:9444/PASJava in your browser to access the login page of OIPA.

Steps to Configure Certificates

32 bit WebSphere Application Server

IBM_JAVA_SECLIB = C:\Program Files (x86)\IBM\WebSphere\AppServer\java\jre\lib\security

IBM_JAVA_HOME = C:\Program Files (x86)\IBM\WebSphere\AppServer\java

64 bit WebSphere Application Server

IBM_JAVA_SECLIB = C:\Program Files\IBM\WebSphere\AppServer\java\jre\lib\security

IBM_JAVA_HOME = C:\Program Files\IBM\WebSphere\AppServer\java

  1. Download and install IBM JDK, if WebSphere is not installed on the machine.
    • URL to download http://www.ibm.com/developerworks/java/jdk/
  2. Start the WebSphere application server
  3. Enable SSL in WebSphere.
    • Log in to the WebSphere console.
    • Expand Server Types and click WebSphere Application Servers.
    • Click on the server that you created. Example: OIPA_WILDCAT_10.0.0.0
    • Expand Port and copy WC_defaulthost_secure=port number. This will be copied later in the process.
    • From the left menu, expand Environment and click Virtual Host.
    • Click default_host and then click Host_Aliases.
    • Click New and copy the port number then click OK.
    • Go to IBM_JAVA_SECLIB and edit the java.security file so that the default JSSE socket factories are active and the WebSphere socket factories (in cryptosf.jar) are commented out, as shown below. With the JSSE factories in place the javax.net.ssl.keyStore and javax.net.ssl.trustStore properties given to the JVM later are used rather than the WebSphere SSL configuration.

    Default JSSE socket factories (uncommented)

    ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl

    ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl

    WebSphere socket factories in cryptosf.jar (commented out)

    #ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory

    #ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory

  4. Stop the server, Node Agent and Deployment Manager.
  5. Start the Deployment Manager, Node Agent and server.
  6. Navigate to https://localhost:9445/PASJava in your browser (substitute the WC_defaulthost_secure port noted earlier) to make sure SSL works as expected.
  7. Log in to the application. If this action is successful, then SSL is set up correctly from the server side.
  8. Go to IBM_JAVA_HOME\bin and run the commands listed below. The paths are relative to bin, so the files land in IBM_JAVA_SECLIB. The key pair has to be generated before it can be exported; as in the WebLogic steps, use a 2048-bit key, replace CN=localhost with the host name clients will use, and treat the self-signed certificate as suitable for internal testing only. keytool prompts for the keystore and truststore passwords; those values are passed to the JVM in step 11.
    • keytool -genkeypair -keystore ../jre/lib/security/wsse.keystore -keyalg RSA -keysize 2048 -validity 1000 -alias localhost -dname "CN=localhost"
    • keytool -export -keystore ../jre/lib/security/wsse.keystore -alias localhost -file ../jre/lib/security/localhost.cer
    • keytool -import -keystore ../jre/lib/security/wsse.truststore -trustcacerts -alias localhost -file ../jre/lib/security/localhost.cer
  9. The step above will create two files within IBM_JAVA_SECLIB.
    • wsse.keystore
    • wsse.truststore
  10. Move wsse.keystore and wsse.truststore to the conf folder where all properties files reside. For example: C:\OIPA\conf
  11. Log in to the WebSphere console and go to Application servers > OIPA > Process definition > Java Virtual Machine. Add the arguments listed below to Generic JVM arguments. Replace <truststore password> with the password chosen for wsse.truststore and jbossws with your own keystore password; both are readable by anyone who can view the server configuration or list the process arguments, so restrict file permissions on the profile directory and on C:\OIPA\conf.
    • -Duser.language=en -Duser.region=US -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false -javaagent:C:\OIPA\lib\spring-instrument-4.3.10.RELEASE.jar -Dtangosol.coherence.override=C:\OIPA\conf\coherence-config.xml -Dtangosol.coherence.cacheconfig=C:\OIPA\conf\coherence-cache-config.xml -Dtangosol.pof.config=com-adminserver-pas-web-pof-config.xml -Djavax.net.ssl.trustStore=C:\OIPA\conf\wsse.truststore -Djavax.net.ssl.trustStorePassword=<truststore password> -Djavax.net.ssl.keyStore=C:\OIPA\conf\wsse.keystore -Djavax.net.ssl.keyStorePassword=jbossws
  12. Go to IBM_JAVA_SECLIB and take a backup of the cacerts file.
  13. Create a new certificate (cacerts) file by following the steps listed below. InstallCert is a trust-on-first-use tool: it connects to the host and port given, lists the certificates the server presents with their fingerprints, and adds the one you pick to a copy of cacerts named jssecacerts. Run it only against the server you just configured and compare the fingerprint it prints with keytool -list -v -keystore C:\OIPA\conf\wsse.keystore before accepting.
    • Copy InstallCert.class and InstallCert$SavingTrustManager.class into IBM_JAVA_HOME\bin.
    • From IBM_JAVA_HOME\bin, run InstallCert from a command prompt, for example java InstallCert localhost:9445. The keystore jssecacerts is loaded, a connection is opened and the server's certificates are listed.
    • At the prompt Enter certificate to add to trusted keystore or 'q' to quit, type 1 to add the server certificate.
    • The message Added certificate to keystore 'jssecacerts' using alias 'localhost-1' confirms the import. Run java InstallCert localhost:9445 once more; the handshake should now succeed, then enter q to exit. This leaves a new jssecacerts keystore in IBM_JAVA_SECLIB.

    Note: Repeat step 13 to enable SSL for different port numbers.

  14. Stop the WebSphere application server (JVM, Node Agent, Deployment Manager).
  15. Restart the machine.
  16. Start the WebSphere application server (JVM, Node Agent, Deployment Manager).
  17. Navigate to https://machinename:9445/PASJava in your browser to access the login page of OIPA.
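Both the WebLogic Server Start arguments and the WebSphere Generic JVM arguments above are long single lines pasted into a console field, and the defects that creep in are easy to miss: a dropped -D that fuses two properties (so the truststore password becomes the text of the next property and the keystore is never set), a misspelled property name the JVM silently ignores, a space inside a path, and an empty or plaintext keystore password. The following linter is an added example written for this page, not OIPA or Oracle code. It parses the -D properties out of such a line, reports those structural problems, flags plaintext passwords, and for WebLogic reports when weblogic.security.SSL.minimumProtocolVersion is unset or below TLSv1.2. The two argument strings inside it are constructed for the example: DOC_LINE carries the defects the linter targets, FIXED_LINE is the corrected form with placeholder passwords.

```python
"""Lint a WebLogic 'Server Start' / WebSphere 'Generic JVM arguments' line
before restarting the server.  Added example for this page; not OIPA code."""
import re

SSL_PROPS = ("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
             "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword")
PASSWORD_PROPS = {p for p in SSL_PROPS if p.endswith("Password")}
NET_PROPS = {"java.net.preferIPv4Stack", "java.net.preferIPv6Addresses"}
MIN_TLS_PROP = "weblogic.security.SSL.minimumProtocolVersion"   # WebLogic only

# Constructed sample: the page's argument line with the defects the linter targets
# (fused trustStorePassword/keyStore, preferPv6Addresses, a space before \coherence-config.xml).
DOC_LINE = (
    r"-Duser.language=en -Duser.region=US -Djava.net.preferIPv4Stack=true "
    r"-Djava.net.preferPv6Addresses=false "
    r"-javaagent:C:\OIPA\lib\spring-instrument-4.3.10.RELEASE.jar "
    r"-Dtangosol.coherence.override=C:\OIPA\conf \coherence-config.xml "
    r"-Dtangosol.coherence.cacheconfig=C:\OIPA\conf \coherence-cache-config.xml "
    r"-Dtangosol.pof.config=com-adminserver-pas-web-pof-config.xml "
    r"-Djavax.net.ssl.trustStore=C:\OIPA\conf\wsse.truststore "
    r"-Djavax.net.ssl.trustStorePassword=Djavax.net.ssl.keyStore=C:\OIPA\conf\wsse.keystore "
    r"-Djavax.net.ssl.keyStorePassword=jbossws"
)
# The same line corrected; CHANGE_ME stands in for the real passwords.
FIXED_LINE = (
    r"-Duser.language=en -Duser.region=US -Djava.net.preferIPv4Stack=true "
    r"-Djava.net.preferIPv6Addresses=false "
    r"-javaagent:C:\OIPA\lib\spring-instrument-4.3.10.RELEASE.jar "
    r"-Dtangosol.coherence.override=C:\OIPA\conf\coherence-config.xml "
    r"-Dtangosol.coherence.cacheconfig=C:\OIPA\conf\coherence-cache-config.xml "
    r"-Dtangosol.pof.config=com-adminserver-pas-web-pof-config.xml "
    r"-Djavax.net.ssl.trustStore=C:\OIPA\conf\wsse.truststore "
    r"-Djavax.net.ssl.trustStorePassword=CHANGE_ME "
    r"-Djavax.net.ssl.keyStore=C:\OIPA\conf\wsse.keystore "
    r"-Djavax.net.ssl.keyStorePassword=CHANGE_ME "
    r"-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"
)


def parse_jvm_args(line):
    """Split on whitespace and collect -Dkey=value pairs (first occurrence wins,
    as the JVM does).  Returns (props, findings); findings are (code, message)."""
    props, findings = {}, []
    for tok in line.split():
        if tok.startswith("--"):
            findings.append(("DOUBLE_DASH", f"{tok!r}: two leading dashes, the JVM rejects it"))
            tok = tok[1:]
        if not tok.startswith("-"):
            findings.append(("DANGLING", f"{tok!r} is not an option; a space inside the preceding path?"))
            continue
        if not tok.startswith("-D"):
            continue                               # -javaagent:... and similar flags
        key, sep, value = tok[2:].partition("=")
        if not sep:
            findings.append(("NO_VALUE", f"-D{key} has no '=value'"))
            continue
        head = value.split("=", 1)[0]
        # Heuristic: a value such as 'Djavax.net.ssl.keyStore=C:\...' is a second
        # property whose leading '-' (and the first property's value) went missing.
        if "=" in value and "." in head and not re.search(r"[\\/:]", head):
            findings.append(("FUSED", f"-D{key}: value {value!r} looks like a second -D property"))
            continue
        props.setdefault(key, value)
    return props, findings


def lint_jvm_args(line, server="weblogic"):
    """Structural checks plus the keystore/TLS policy checks for one argument line."""
    props, findings = parse_jvm_args(line)
    for key, value in props.items():
        if key.startswith("java.net.prefer") and key not in NET_PROPS:
            findings.append(("UNKNOWN_PROP", f"{key} is not a JVM property (typo?); it is silently ignored"))
        if key in PASSWORD_PROPS:
            if value == "":
                findings.append(("EMPTY_PASSWORD", f"{key} is empty"))
            else:
                findings.append(("PLAINTEXT_PASSWORD",
                                 f"{key} is readable by anyone who can list the process or read the server config"))
    for key in SSL_PROPS:
        if key not in props:
            findings.append(("MISSING", f"{key} is not set"))
    if server == "weblogic":
        v = props.get(MIN_TLS_PROP)
        if v is None:
            findings.append(("TLS_DEFAULT", f"{MIN_TLS_PROP} unset; WebLogic 12.2.1 defaults the minimum to TLSv1.1"))
        elif v < "TLSv1.2":                        # string order works for SSLv3, TLSv1, TLSv1.1, TLSv1.2
            findings.append(("TLS_WEAK", f"{MIN_TLS_PROP}={v}; set TLSv1.2"))
    return findings


if __name__ == "__main__":
    for name, line in (("defective line", DOC_LINE), ("corrected line", FIXED_LINE)):
        print(f"== {name}")
        for code, msg in lint_jvm_args(line):
            print(f"  {code:18} {msg}")
```

The corrected line still produces PLAINTEXT_PASSWORD findings by design: the javax.net.ssl password properties have no non-plaintext form, so the finding is a reminder to lock down the files that hold the line rather than something to silence.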

When OIPA is served over HTTPS, the server shall be configured to send the HTTP Strict Transport Security (HSTS) policy header. This policy tells the browser never to load the site over plain HTTP and to convert any http:// request for the site into an https:// request before it leaves the browser, for the period given by max-age. Browsers only honour HSTS on a response received over HTTPS with a valid certificate, so the header has no effect until the certificate set-up above is correct.

Browsers restrict cross-origin requests, that is, requests to OIPA REST services coming from pages served by a different origin. To permit such requests, the server shall add an Access-Control-Allow-Origin header to the response naming the calling origin. The header carries a single origin or the wildcard *, so an allowlist of several domains is enforced by the server deciding, per request, whether to return the caller's origin. Setting Access-Control-Allow-Origin: * allows every site on the internet to read the responses and cannot be combined with credentials, so it is appropriate only for genuinely public data. OIPA supports this configuration through the property application.AccessControlAllowOrigin, which takes the list of allowed domains; see the System Properties document.

By default, OIPA does not allow its pages to be loaded in an iframe from another domain, which protects users against clickjacking. To allow framing from other domains, the property application.X-Frame-Options shall be set with the list of allowed domains; see the System Properties document for further details. Note that the X-Frame-Options header itself expresses only DENY, SAMEORIGIN and a deprecated single-origin ALLOW-FROM, so a list of permitted framing origins is communicated to current browsers through the Content-Security-Policy frame-ancestors directive.
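The three policies above are easy to get subtly wrong: HSTS sent on an HTTP response is ignored, a CORS wildcard combined with credentials is rejected by browsers and would otherwise expose authenticated responses, and X-Frame-Options cannot carry a list. The following is an added example, framework-neutral and not OIPA's own implementation, that builds the response headers for a given allowlist and request Origin, refusing the unsafe combinations. The origins in the test calls (portal.example, evil.example) are made up for the example.

```python
"""Security response headers for an HTTPS-only OIPA front end: HSTS, a
CORS origin allowlist and a frame-embedding policy.  Added example for
this page, framework-neutral; not OIPA's own implementation."""
from urllib.parse import urlsplit

HSTS_MAX_AGE = 31536000                    # one year, in seconds
DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(origin):
    """Reduce an origin string to scheme://host[:port], the form a browser sends
    in the Origin header, or return None if it is not a bare origin."""
    try:
        p = urlsplit(origin.strip())
        port = p.port                      # raises ValueError on a malformed port
    except ValueError:
        return None
    if (p.scheme not in DEFAULT_PORTS or not p.hostname or p.username
            or p.path not in ("", "/") or p.query or p.fragment):
        return None
    host = p.hostname                      # urlsplit lower-cases the host
    if port and port != DEFAULT_PORTS[p.scheme]:
        host += f":{port}"
    return f"{p.scheme}://{host}"


def hsts_header(is_https, include_subdomains=True):
    """HSTS is only honoured on an HTTPS response, so emit nothing on plain HTTP
    rather than a header that suggests the policy is in force."""
    if not is_https:
        return {}
    value = f"max-age={HSTS_MAX_AGE}"
    if include_subdomains:
        value += "; includeSubDomains"
    return {"Strict-Transport-Security": value}


def cors_headers(request_origin, allowed_origins, with_credentials=False):
    """Echo the request's Origin only if it is on the allowlist.  The header
    holds one origin (or '*'), so a multi-origin allowlist is enforced here,
    per request.  '*' with credentials is refused: browsers reject it, and it
    would expose authenticated REST responses to any site the user visits."""
    if "*" in allowed_origins:
        if with_credentials:
            raise ValueError("Access-Control-Allow-Origin: * cannot be combined with credentials")
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin is None:
        return {}                          # same-origin page or non-browser client
    origin = normalize_origin(request_origin)
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    if origin is None or origin not in allowed:
        return {}                          # no header: the browser blocks the cross-origin read
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}  # Vary keeps caches per-origin
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def frame_headers(allowed_framers=()):
    """X-Frame-Options only expresses DENY or SAMEORIGIN (ALLOW-FROM took one origin
    and is no longer honoured), so a list of permitted framing origins goes in CSP
    frame-ancestors, which takes precedence where supported; X-Frame-Options stays
    as the fallback for older browsers."""
    if not allowed_framers:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    framers = [normalize_origin(o) for o in allowed_framers]
    if None in framers:
        raise ValueError("frame-ancestors entries must be bare origins")
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self' " + " ".join(framers)}


def secure_response_headers(request_origin, allowed_origins, allowed_framers=(),
                            is_https=True, with_credentials=False):
    """All headers to add to one response under the given policy."""
    headers = {}
    headers.update(hsts_header(is_https))
    headers.update(cors_headers(request_origin, allowed_origins, with_credentials))
    headers.update(frame_headers(allowed_framers))
    return headers


if __name__ == "__main__":
    policy = {"allowed_origins": ["https://portal.example"], "allowed_framers": ["https://portal.example"]}
    for origin in ("https://portal.example", "https://evil.example", None):
        print(origin, secure_response_headers(origin, **policy))
```

The allowlist entries and the request Origin are normalised the same way before comparison, so a configured https://Portal.Example:443 matches the https://portal.example a browser actually sends, while a path, query or user-info in either place is rejected rather than silently accepted.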

JMS

JMS set-up is optional. It is only required if the Data Intake feature is being utilized. See Data Intake document for additional details.

Data Intake is the process of receiving files from Group Customers for the purpose of importing data into the Oracle Insurance Policy Administration system (OIPA). The data in the files may result in many changes, including but not limited to the following:

The received files are parsed and information about the data in them is put on a JMS queue. OIPA listens for messages on the queue and updates the business data based on pre-configured rules.

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.