Monday, 1 August 2011

How to use FTPS in SOA 11g 11.1.1.4


How to use FTPS

What is this document all about: This document describes how to use FTPS for transferring files from one system to a remote system using the FTP adapter in SOA 11g (11.1.1.4).


Pre-requisites for using FTPS on SOA 11g.
All of the servers below must be installed at the specified version and must be up.
1) Weblogic server --> 10.3.4.0
2) SOA --> 11.1.1.4.0
3) Webtier (http server/ OHS) --> 11.1.1.4

Note: The versions of the above servers must match, otherwise there will be compatibility issues.


How to install Oracle HTTP Server?
Download Oracle WebTier from the link below. Please note that before installing OHS 11.1.1.4 you have to download and install OHS Release 11.1.1.2, and then patch it to OHS 11.1.1.4.

To apply the patch, follow the link below.

After the patch has been applied successfully you can confirm the installed version. Refer to the screenshot below:

Note: Confirm the installed version of OHS; if you cannot see the latest patched version, follow the steps in the following documentation link


Before moving ahead, make sure all servers and services are up and running.

At this point the required servers are in place. Next, follow http://download.oracle.com/docs/cd/E17904_01/integration.1111/e10231/adptr_file.htm#BABEBGGD

Note: The contents of the above link are reproduced in Appendix – 1.

There are 4 steps to perform.
  1. Installing and Configuring OpenSSL (explained in detail in Appendix – 1)
This requires root/super user access. It is done by the root/super user and is used to configure OpenSSL.

  2. Installing and Configuring vsftpd (explained in detail in Appendix – 1)
This step is also performed by the root user. After completing it you will have a certificate file named “vsftpd.pem”. Note its location; it will be used later in wallet creation.

  3. Creating an Oracle Wallet
What is Oracle Wallet Manager: Oracle Wallet Manager is an application for managing and editing security credentials in Oracle wallets. A wallet is a password-protected container that stores authentication and signing credentials, including private keys, certificates, and trusted certificates, all of which are used by SSL for strong authentication.
  1. Create a new wallet in Oracle Wallet Manager.
  2. Import vsftpd.pem from the location where it was saved, as a trusted certificate, into this wallet.
  3. Save this wallet in PKCS #12 (.p12) format.

See http://download.oracle.com/docs/cd/E17904_01/core.1111/e10105/wallets.htm#CHDGIJDC (Oracle Fusion Middleware Administrator's Guide) for details about using Oracle Wallet Manager.
Also refer to Appendix - 3

  4. Setting Up the Oracle FTP Adapter
See the screenshots below for JNDI creation in detail.

  1. Login to http://<ipaddress>:<port>/console
  2. Click ‘Deployment’ in the left-hand panel. The list of adapters will appear in the right-hand panel.
  3. Click on ‘FtpAdapter’ (not on the check box)

  4. Then, click the ‘Configuration’ tab
  5. Then, click ‘Outbound Connection Pools’
  6. Now, open the (+) sign near javax.resource.cci.ConnectionFactory
  7. Click the ‘New’ button
  8. Now you are ready to create the new JNDI. For setting the properties refer to the section “Setting Up the Oracle FTP Adapter” in this document, or see the screenshots below.

Note: While configuring you will need the wallet location; for that refer to http://download.oracle.com/docs/cd/E17904_01/core.1111/e10105/wallets.htm#CIHIECDF
OR refer to Appendix - 2

  9. After this, save the configuration and update FTPAdapter.

Along with all this you have to follow a few more steps.
In brief, you have to make the following changes inside vsftpd.conf:
  1. Add the “user” property and set it to “UserName” (the username you will use to connect to the remote server) at two places.
  2. Define the passive port range from 12000 to 12010
  3. Open those ports in the firewall
  4. Stop the FTP server
  5. Restart vsftpd
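As an added example (not from the original post), the following Python script parses a vsftpd.conf and checks the directives that the setup above depends on: ssl_enable, the passive port range that must match the firewall rule, and whether anonymous uploads are still on. SAMPLE_CONF is a constructed copy of the Appendix 1 settings with the passive range narrowed to 12000-12010; the expected range is an assumption you can change.

```python
# Added example, not from the original post: parse vsftpd.conf and check the
# directives that matter for the FTPS setup above. SAMPLE_CONF is a constructed
# copy of the Appendix 1 settings, with the passive range narrowed to 12000-12010.
SAMPLE_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
# Security
allow_anon_ssl=YES
ssl_enable=YES
pasv_min_port=12000
pasv_max_port=12010
"""

def parse_vsftpd_conf(text):
    """Return {directive: value}; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # vsftpd directives are always key=value
            conf[key.strip()] = value.strip()
    return conf

def check_ftps_conf(conf, pasv_range=(12000, 12010)):
    """Return findings; an empty list means the config matches the post's setup."""
    findings = []
    # Without ssl_enable the adapter's useFtps=True handshake cannot succeed.
    if conf.get("ssl_enable", "NO").upper() != "YES":
        findings.append("ssl_enable is not YES: FTP over SSL is disabled")
    lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
    if lo is None or hi is None:
        findings.append("passive port range (pasv_min_port/pasv_max_port) not defined")
    elif (int(lo), int(hi)) != pasv_range:
        findings.append("passive range %s-%s does not match the firewall-opened range %d-%d"
                        % (lo, hi, pasv_range[0], pasv_range[1]))
    # The Appendix config allows anonymous uploads; a production FTPS endpoint
    # should accept only the adapter's named user.
    if conf.get("anonymous_enable") == "YES" and conf.get("anon_upload_enable") == "YES":
        findings.append("anonymous uploads are enabled: restrict access to the adapter's user")
    return findings

if __name__ == "__main__":
    for finding in check_ftps_conf(parse_vsftpd_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run it against the real /etc/vsftpd.conf by reading the file into parse_vsftpd_conf instead of SAMPLE_CONF.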

Appendix – 1
  1. Installing and Configuring FTP Over SSL on Solaris and Linux
The following subsections describe how to install and configure secure FTP for Solaris and Linux:
  1. Installing and Configuring OpenSSL
OpenSSL is an open source implementation of the SSL protocol. OpenSSL implements basic cryptographic functions and provides utility functions. Install and configure OpenSSL on the Solaris or Linux host to be used as the FTP server.
  1. Go to the following URL:
http://www.openssl.org/source
  2. Locate openssl-0.9.7g.tar.gz in the list of available files. For example:
3132217 Apr 11 17:21:51 2005 openssl-0.9.7g.tar.gz (MD5) (PGP sign)
  3. Download the following files:
  1. openssl-0.9.7g.tar.gz
  2. openssl-0.9.7g.tar.gz.md5 (under the MD5 link)
  3. openssl-0.9.7g.tar.gz.asc (under the PGP sign link)
  4. Unzip the following file using gunzip:
gunzip openssl-0.9.7g.tar.gz
  5. Untar the following file:
tar xvf openssl-0.9.7g.tar
  6. Change directories to the following location:
cd openssl-0.9.7g
  7. Run the following command:
./config --prefix=/usr --openssldir=/usr/local/openssl
  8. Change to the Bourne shell (if you are not using it):
sh
  9. Configure and export the PATH variable:
PATH=${PATH}:/usr/ccs/bin; export PATH
  10. Run the following command:
make
  11. Exit the Bourne shell:
exit
  12. Run the following command:
make test
  13. Log in as the super user:
msu
  14. Enter the password when prompted.
  15. Run the following command:
make install
  2. Installing and Configuring vsftpd
The vsftpd server is a secure and fast FTP server for UNIX systems. Install and configure vsftpd on the Solaris or Linux host to be used as the FTP server.
  1. Go to the following location:
ftp://vsftpd.beasts.org/users/cevans/
  2. Download vsftpd-2.0.5 (you need the tar file and the signature (.asc) file). For example:
[BINARY] vsftpd-2.0.5.tar.gz. . . . . . . . . . . [Mar 19 21:26] 149K
[FILE] vsftpd-2.0.5.tar.gz.asc. . . . . . . . . [Mar 19 21:26] 189B
  3. Unzip the following file using gunzip:
gunzip vsftpd-2.0.5.tar.gz
  4. Untar the tar file:
tar xvf vsftpd-2.0.5.tar
  5. Change directories to the following location:
cd vsftpd-2.0.5
  6. Make the following change in the builddefs.h file:
#undef VSF_BUILD_SSL
to
#define VSF_BUILD_SSL
  7. Log in as the super user:
msu
  8. Enter the password when prompted.
  9. Create a file named vsftpd.conf with the following settings in the /etc directory:
# Standalone mode
listen=YES
max_clients=200
max_per_ip=4
# Access rights
anonymous_enable=YES
#chroot_local_user=YES
#userlist_enable=YES
ftp_username=ftp
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
chown_uploads=YES
chown_username=ftp
# Security
anon_world_readable_only=NO
allow_anon_ssl=YES
ssl_enable=YES
connect_from_port_20=YES
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
ftpd_banner="Welcome to the FTP Service"
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
anon_max_rate=50000
Note:
Copies of the vsftpd.conf file appear in several locations in the vsftpd-2.0.5 directory structure. If you use one of those files to create the vsftpd.conf file in the /etc directory, then ensure that it only includes the parameters and settings described in Step 9.
  10. Run the following commands:
mkdir /var/ftp
useradd -d /var/ftp ftp
chown root /var/ftp
chmod og-w /var/ftp
mkdir /usr/share/empty
mkdir /usr/share/ssl
mkdir /usr/share/ssl/certs
  11. Run the following command:
openssl req -x509 -nodes -newkey rsa:1024 -keyout /usr/share/ssl/certs/vsftpd.pem -out /usr/share/ssl/certs/vsftpd.pem
  12. Run the vsftpd daemon from the vsftpd-2.0.5 directory:
./vsftpd
  3. Creating an Oracle Wallet
Refer to Appendix – 3

  4. Setting Up the Oracle FTP Adapter
Perform the following tasks to set up the Oracle FTP Adapter:
Also refer
  1. On your Solaris or Linux host, run the following commands:
mkdir /var/ftp/inDir
mkdir /var/ftp/outDir
chmod 777 /var/ftp/inDir /var/ftp/outDir
  2. Specify the FTP connection parameters in the Oracle FTP Adapter deployment descriptor from the Oracle WebLogic Server Administration Console.
Parameter             Description
useFtps               Set to True. This setting is required to use FTP over SSL. The default is False.
walletLocation        The location of the wallet created in Section 4.4.3.2.3, "Creating an Oracle Wallet."
walletPassword        The password of the wallet.
channelMask           The type of channel to secure: control channel or data channel. Possible values are both, control, data, or none. The default is both.
securePort            The port for FTP over SSL. The default is 990.
keyStoreProviderName  The keystore provider class. The default is oracle.security.pki.OraclePKIProvider.
keystoreType          The keystore type. The default is PKCS12.
keystoreAlgorithm     The keystore algorithm. The default is OracleX509.
enableCipherSuits     Comma-separated list of cipher suites. The default is blank, in which case the default list of cipher suites is used. In most cases you do not need to change this.
pkiProvider           The PKI provider name. The default is OraclePKI.
jsseProvider          The JSSE provider name. The default is OracleJSSE.
You have now installed and configured secure FTP and are ready to use this feature with the Oracle FTP Adapter.

Appendix – 2

How to find the location of wallets:
Root Directory for an Oracle HTTP Server Wallet
The root directory for wallets is $ORACLE_INSTANCE/config/OHS/ohs_instance_name/keystores.

This root directory contains subdirectories with wallet names; these subdirectories contain the actual wallet files.

For example, assuming there are two wallets named ohs1 and ohs2, respectively, a sample structure could look like:
$ORACLE_INSTANCE/config/OHS/ohs_instance1/keystores/ohs1/cwallet.sso
$ORACLE_INSTANCE/config/OHS/ohs_instance1/keystores/ohs1/ewallet.p12
$ORACLE_INSTANCE/config/OHS/ohs_instance1/keystores/ohs2/cwallet.sso



Appendix – 3


Creating a Wallet Using Fusion Middleware Control
Take these steps to create a wallet:
  1. Navigate to the Wallets page for your component instance.

  2. Click Create.
  3. The Create Wallet page appears.
  4. Enter a wallet name, e.g. ASWallet
  5. Uncheck the Autologin box and provide a password, e.g. Dummy123#


  6. Click Submit.
  7. At this point, you must choose whether to add a certificate request (CR) at this time. Choose ‘NO’
  8. Click Finish.
  9. Export the CR directly to a file with the Export Certificate Request button.
  10. A message appears confirming the wallet creation.


Exporting a Certificate, Certificate Request, or a Trusted Certificate Using Fusion Middleware Control
Take these steps to export a certificate, a certificate request (CR), or a trusted certificate:
  1. Navigate to the Certificate Management page.
  2. Select the certificate, CR, or trusted certificate and click Export.
  3. A dialog box appears with the certificate, CR, or trusted certificate in the text box. You can either:
  • Copy and paste the Base64-encoded certificate to a file.
  • Export it directly to a file with the Export Certificate or Export Trusted Certificate button.


Replacing an Expiring Certificate in a Wallet
An expiring certificate should be replaced before it actually expires to avoid or reduce application downtime.
The steps for replacing an expiring certificate are as follows:
  1. Remove the existing certificate (the one that is about to expire) from the wallet.
  2. Import the new certificate into the wallet.

To reduce downtime, remove the previous certificate and import the new certificate in the overlap period when the new certificate has become valid and the older one has not yet expired.
If the new certificate was issued by a CA other than the one that issued the original certificate, you may also need to import the new CA's trusted certificate before importing the newly issued certificate.

2 comments:

  1. Hi Yogesh

    We need to implement FTPS using the FTP adapter in SOA 11g. I have a few questions; are you available over phone or email?