OIPA use of Coherence
The OIPA application uses the Oracle Coherence distributed cache to minimize database traffic. In addition to the cache, OIPA Cycle uses the Coherence Processing Pattern as a compute grid that distributes tasks among all OIPA Cycle Web agents. Batch processing on the grid is initiated by the Cycle Client over the Coherence communication protocol. Although every party to Coherence communication sits behind the firewall in the OIPA application server and database zone, Coherence must still be secured according to the Coherence User Guide: the firewall only controls who can reach the zone, not what a process inside it can do to the cluster.
Oracle Coherence also provides workload management that distributes tasks across a computer cluster or other resources. This lets Cycle achieve optimal resource utilization, maximize throughput, minimize response time, avoid overload and avoid a single point of failure for tasks processed in the grid. In addition to the protection provided by the firewalls, Coherence workload management provides these security features:
- TCP port exposure is limited to a single port, which simplifies port security and firewall configuration.
- A virtual IP address hides the actual physical IP addresses of the OIPA application servers.
- The suspect protocol protects against Denial of Service (DoS) attacks by detecting and barring "rogue" clients that attempt to overuse server resources.
Configuring SSL
The Secure Sockets Layer (SSL) protocol, and its successor Transport Layer Security (TLS), provide communication security by encrypting traffic across a network so that it cannot be read or altered in transit. Asymmetric cryptography authenticates the server and establishes a session key, symmetric encryption provides confidentiality, and a keyed message authentication code (or an AEAD cipher) protects message integrity. Setting up an SSL-secured connection requires a digital certificate issued by a trusted certificate authority; self-signed certificates should only be used for internal testing.
Any entry point for OIPA web services that is consumed by external third-party clients should be secured with SSL. Organization standards may also require securing communication between browser-based clients and the web servers in the demilitarized zone that host the OIPA front end.
Setting up a web server to use HTTPS instead of unsecured HTTP is server-specific. The information below should help locate the documentation needed to navigate the configuration process.
SSL in WebLogic 15.1.1.0.0
For secure communication, Oracle recommends using the latest supported TLS versions, TLS 1.2 or TLS 1.3, which address the vulnerabilities present in older protocol versions. For information on how to configure SSL in WebLogic, refer to the following website or follow the steps below:
https://docs.oracle.com/en/middleware/standalone/weblogic-server/15.1.1/secmg/ssl_overview.html
Steps to Configure SSL/HTTPS:
- Log in to the WebLogic console.
- From the Edit tree, expand Environment and click Servers.
- Click the server that was created, for example OIPA_SERVER.
- Select the SSL Listen Port Enabled checkbox and note the SSL listen port (7002 in the example).
- Click Save.
- Restart the server.
- Navigate to https://machinename:7002/PASJava in a browser to reach the OIPA login page.
http://docs.oracle.com/middleware/1221/wls/SECMG/identity_trust.htm#SECMG720
Steps to Configure Certificates:
The steps below are based on the default JDK certificate store.
WEBLOGIC_JAVA_SECLIB = the security library directory of the JDK 17.0.x installation, that is /jdk-17/lib/security.
For example: /opt/oracle/jdk-17/lib/security
WEBLOGIC_JAVA_HOME = the JDK 17.0.x installation directory.
For example: /opt/oracle/jdk-17
Note: If the JDK is not installed on your machine, download and install the latest update of 17.0.x.
- Install the Oracle WebLogic 15.1.1.0.0 application server.
- Go to WEBLOGIC_JAVA_HOME/bin and run the commands listed below.
cd $WEBLOGIC_JAVA_HOME/bin
# 1. Generate the server key pair and a self-signed certificate in the keystore
keytool -genkeypair \
-alias localhost \
-keyalg RSA \
-keysize 2048 \
-validity 1000 \
-dname "CN=localhost" \
-keystore /OIPA/conf/wsse.keystore \
-storetype JKS \
-storepass password \
-keypass password
# 2. Export the certificate in PEM form (-rfc) so other parties can trust it
keytool -exportcert \
-alias localhost \
-keystore /OIPA/conf/wsse.keystore \
-storetype JKS \
-storepass password \
-rfc \
-file /OIPA/conf/localhost.cer
# 3. Import the exported certificate into a separate truststore
keytool -importcert \
-alias localhost \
-trustcacerts \
-noprompt \
-file /OIPA/conf/localhost.cer \
-keystore /OIPA/conf/wsse.truststore \
-storetype JKS \
-storepass password
- The commands above create two files at the paths given to -keystore (/OIPA/conf in the example):
- wsse.keystore
- wsse.truststore
- If they were created elsewhere, move wsse.keystore and wsse.truststore into the conf folder where the properties files reside. Example (Linux): /OIPA/conf. Replace password with a strong store password of your own, restrict the two files to the WebLogic service account, and for anything beyond local testing use the server's real host name rather than localhost in -dname, add a subject alternative name (-ext san=dns:<hostname>), and prefer a certificate issued by your CA over the self-signed one generated here.
- Log in to the Oracle WebLogic console, go to Environment > Servers > OIPA > Server Start, and add the arguments listed below (under LINUX (All Cycle Agents) or Cycle Client, as appropriate) to Arguments.
- Go to WEBLOGIC_JAVA_SECLIB and create a back-up of the cacerts file.
- Create a new cacerts file by following the steps below.
- Copy InstallCert.class and InstallCert$SavingTrustManager.class into WEBLOGIC_JAVA_HOME/bin.
- From WEBLOGIC_JAVA_HOME/bin, run InstallCert from a command prompt: java InstallCert localhost:7002. The keystore jssecacerts is loaded, a connection is opened and messages describing the certificates the server presented are printed.
- When the prompt Enter certificate to add to trusted keystore or 'q' to quit appears, type 1 to add the server certificate. InstallCert trusts whatever certificate the endpoint presents, so first compare the fingerprint it prints with the output of keytool -list -v -keystore /OIPA/conf/wsse.keystore to confirm you are importing your own certificate.
- The message Added certificate to keystore 'jssecacerts' using alias 'localhost-1' confirms the import. Run java InstallCert localhost:7002 once more and enter q to exit. This creates a new jssecacerts keystore file in WEBLOGIC_JAVA_SECLIB; rename it to cacerts, replacing the file you backed up.
- Stop the WebLogic application server (JVM, Node Manager).
- Restart the machine.
- Start the WebLogic application server (JVM, Node Manager).
- Enter https://machinename:7002/PASJava in a browser to reach the OIPA login page.
--LINUX (All Cycle Agents)
-Duser.language=en
-Duser.region=US
-Djava.net.preferIPv4Stack=true
-Djava.net.preferIPv6Addresses=false
-javaagent:/OIPA/lib/spring-instrument-6.2.18.jar
-Dtangosol.coherence.override=/OIPA/conf/coherence-config.xml
-Dtangosol.coherence.cacheconfig=/OIPA/conf/coherence-cache-config.xml
-Dtangosol.coherence.distributed.localstorage=true
-Dtangosol.pof.config=com-adminserver-pas-web-pof-config.xml
-Djavax.net.ssl.trustStore=/OIPA/conf/wsse.truststore
-Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.keyStore=/OIPA/conf/wsse.keystore
-Djavax.net.ssl.keyStorePassword=password
--Cycle Client
-Duser.language=en
-Duser.region=US
-Djava.net.preferIPv4Stack=true
-Djava.net.preferIPv6Addresses=false
-javaagent:/OIPA/lib/spring-instrument-6.2.18.jar
-Dtangosol.coherence.override=/OIPA/conf/coherence-config.xml
-Dtangosol.coherence.cacheconfig=/OIPA/conf/coherence-cache-config.xml
-Dtangosol.coherence.distributed.localstorage=false
-Dtangosol.pof.config=com-adminserver-pas-web-pof-config.xml
-Djavax.net.ssl.trustStore=/OIPA/conf/wsse.truststore
-Djavax.net.ssl.trustStorePassword=password
-Djavax.net.ssl.keyStore=/OIPA/conf/wsse.keystore
-Djavax.net.ssl.keyStorePassword=password
The two password values must match the -storepass and -keypass given to keytool above; if you chose a different store password, use it here. Property names that the JVM does not recognize are ignored without any error, so check the spelling of every -D argument after editing.
Note: Repeat the SSL Listen Port Enabled step above to enable SSL on additional port numbers.
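The argument lists above, and the SSL listener they point at, can be checked rather than trusted. The following Python script is an added example written for this page, not OIPA or Oracle code: it parses a Server Start argument list and flags the mistakes a reviewer should catch (an unrecognized property name, an empty or vendor-default store password, a Windows path on a Linux agent, a missing store), and it includes a probe that handshakes with the WebLogic SSL port, verifies the chain and host name against the exported localhost.cer, and refuses anything below TLS 1.2. The two embedded argument strings are constructed samples, one reproducing a Linux agent list with typical defects and one corrected; machinename, 7002 and the /OIPA/conf paths are the guide's examples, and the EXAMPLE-... passwords are placeholders.

```python
"""Added example (not OIPA or Oracle code): audit WebLogic Server Start
arguments for TLS mistakes and probe the configured HTTPS listener."""
import re
import socket
import ssl

# java./javax. properties this guide relies on. The JVM silently ignores any
# name it does not know, so a typo disables a setting without an error.
KNOWN_PROPS = {
    "java.net.preferIPv4Stack", "java.net.preferIPv6Addresses",
    "javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword",
}
WEAK_PASSWORDS = {"", "password", "changeit"}   # empty or vendor defaults
WINDOWS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_jvm_args(text):
    """Return {property: value} for every -Dname=value token (last duplicate wins, as in the JVM)."""
    props = {}
    for tok in text.split():
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props


def audit_jvm_args(text, os_name="linux"):
    """Return sorted (property, problem) pairs; an empty list means nothing was flagged."""
    props = parse_jvm_args(text)
    findings = []
    for name, value in props.items():
        if name.startswith(("java.", "javax.")) and name not in KNOWN_PROPS:
            findings.append((name, "unknown property (typo?); the JVM ignores it silently"))
        if name.endswith("Password") and value in WEAK_PASSWORDS:
            findings.append((name, "empty password" if value == "" else "well-known default password"))
        if name.endswith("Store") and os_name == "linux" and WINDOWS_PATH.match(value):
            findings.append((name, f"Windows path on a Linux agent: {value}"))
    for required in ("javax.net.ssl.keyStore", "javax.net.ssl.trustStore"):
        if required not in props:
            findings.append((required, "not set"))
    return sorted(findings)


def probe_https(host, port, ca_file):
    """Handshake with the SSL listener, verify chain and host name against ca_file
    (a PEM such as the exported localhost.cer) and refuse anything below TLS 1.2.
    Returns (negotiated_version, subject) or raises ssl.SSLError / OSError."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return tls.version(), subject


# Constructed sample: a Linux agent list with the defects a reviewer should catch
# (misspelled property, empty and default passwords, Windows path). Raw string keeps the backslashes.
AGENT_ARGS_AS_PUBLISHED = r"""
-Duser.language=en -Duser.region=US
-Djava.net.preferIPv4Stack=true -Djava.net.preferPv6Addresses=false
-javaagent:/OIPA/lib/spring-instrument-6.2.18.jar
-Dtangosol.coherence.override=/OIPA/conf/coherence-config.xml
-Dtangosol.coherence.distributed.localstorage=true
-Djavax.net.ssl.trustStore=/OIPA/conf/wsse.truststore
-Djavax.net.ssl.trustStorePassword=
-Djavax.net.ssl.keyStore=C:\OIPA\conf\wsse.keystore
-Djavax.net.ssl.keyStorePassword=password
"""

# Corrected list: property name fixed, Linux paths, placeholder secrets generated per environment.
AGENT_ARGS_CORRECTED = r"""
-Duser.language=en -Duser.region=US
-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Addresses=false
-javaagent:/OIPA/lib/spring-instrument-6.2.18.jar
-Dtangosol.coherence.override=/OIPA/conf/coherence-config.xml
-Dtangosol.coherence.distributed.localstorage=true
-Djavax.net.ssl.trustStore=/OIPA/conf/wsse.truststore
-Djavax.net.ssl.trustStorePassword=EXAMPLE-truststore-secret
-Djavax.net.ssl.keyStore=/OIPA/conf/wsse.keystore
-Djavax.net.ssl.keyStorePassword=EXAMPLE-keystore-secret
"""

if __name__ == "__main__":
    import sys
    for label, text in (("as published", AGENT_ARGS_AS_PUBLISHED), ("corrected", AGENT_ARGS_CORRECTED)):
        print(label, audit_jvm_args(text) or "clean")
    if len(sys.argv) == 4:   # e.g. python tls_audit.py machinename 7002 /OIPA/conf/localhost.cer
        print(probe_https(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it with no arguments to audit the two samples, or with a host, port and PEM file to probe a live listener. Two caveats the script cannot fix for you: passwords placed in Server Start arguments are visible to anyone who can list processes on the host, so the keystore files themselves must stay readable only by the service account; and a certificate carrying only CN=localhost with no subject alternative name is rejected by many modern clients, so generate the key pair with -ext san=dns:<hostname> for anything beyond local testing.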
JMS
JMS set-up is optional; it is required only if the Data Intake feature is used. See the Data Intake document for additional details.
Data Intake is the process of receiving files from Group Customers in order to import data into the Oracle Insurance Policy Administration system (OIPA). The data in the files may result in many changes, including but not limited to the following:
- Adding a new member to the system
- Changing an Employee's elected coverage
- Adding a dependent to a coverage
- Enrolling a member and dependents
- Auto-cancelling coverage for a member
- Updating member information in the system
The received files are parsed, and information about the data in them is put on a JMS queue. OIPA listens for messages on the queue and updates the business data according to pre-configured rules.