Thursday, May 24, 2012

Deploying OAM 11g Correctly Part 2 – Logins and SSL

This is another post in our OAM 11g Academy series. To view the first post in the series which will be updated throughout to contain links to the entire series, click here: http://fusionsecurity.blogspot.com/2011/02/oracle-access-manager-11g-academy.html

A couple months ago Chris wrote a good post about the best way to deploy OAM from a web server / network architecture point of view.

Today, I’d like to touch on an important but often overlooked aspect of OAM deployments: whether or not to use SSL between the web server and the OAM server. The product documentation and the broader OAM writings in the community do a good job of describing the security modes for the webgate to OAM server (OAP) communication, namely open, simple and cert mode. What is almost never discussed is whether to use SSL between the web server and OAM.

This discussion applies to architectures where the OAM server is being fronted by a web server (usually OHS). This includes Fusion Apps deployments, the integrated IDM deployment described in the IDM Enterprise Deployment Guide (EDG), and many other custom deployments.

OAM 10g vs. 11g

In OAM 10g, users log in by submitting credentials to the webgate, which then passes them along over the OAP protocol to the access server (the 10g equivalent of the OAM server). So, in 10g it was especially important to use simple mode or cert mode for the webgate to access server communication if you didn’t want credentials going over the wire in the clear.

In OAM 11g, users log in by submitting credentials directly to the OAM server (running in WLS), which can be exposed directly to the user or put behind a web server (usually OHS). This means two things:

1) Credentials no longer go over the webgate to OAM (OAP) connection. This somewhat lessens the value of using simple or cert mode, although username and response information that potentially carries confidential data still goes over this connection.

2) In the case where OHS is fronting OAM, user credentials travel from OHS to OAM/WLS. This means that if you don’t want those credentials to travel over the wire in the clear, you should configure this connection to use SSL.

Recommendation

If your security requirements and network are such that you want to encrypt credentials and other potentially confidential information going between the web server (OHS) and OAM, then you should configure the webgate to OAM communication to be simple or cert mode and configure the OHS to OAM/WLS communication to be SSL (HTTPS).

If your security requirements and network are such that you don’t care about encrypting credentials that go over the wire between the web server (OHS) and OAM then use open mode for the webgate communication and normal HTTP for OHS to OAM/WLS.

The following diagram illustrates both of these options.


I would argue it doesn’t make sense to do what many people do, which is to use simple mode for the webgate communication but plain HTTP without SSL for the web server (OHS) to OAM/WLS communication. That combination encrypts the OAP leg, which no longer carries the password, while leaving the leg that actually carries the user’s password in the clear.
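To make the OHS to OAM/WLS leg concrete, here is a mod_wl_ohs (WebLogic proxy plug-in) fragment for the OHS in front of the OAM managed server, showing the weak plain-HTTP setting next to the SSL setting. This is an added example and not configuration from the original post or from Oracle’s own deployment guides; the hostname oam.example.com, the ports 14100 (non-SSL) and 14101 (SSL), the /oam path and the wallet location are assumptions that you must replace with your own values. Only one of the two Location blocks belongs in a real file.

```apache
# --- Weak: OHS proxies the login POST to the OAM managed server over plain
# HTTP, so the user's password crosses the OHS -> OAM/WLS leg in the clear.
# Hostname, port and path are assumptions for this example.
<Location /oam>
    SetHandler weblogic-handler
    WebLogicHost oam.example.com
    # assumed non-SSL listen port of the OAM managed server
    WebLogicPort 14100
</Location>

# --- Corrected: mod_wl_ohs opens an SSL connection to the OAM managed server's
# SSL listen port and validates the server certificate against the trusted CA
# stored in the OHS wallet, so the leg is both encrypted and authenticated.
<Location /oam>
    SetHandler weblogic-handler
    WebLogicHost oam.example.com
    # assumed SSL listen port of the OAM managed server
    WebLogicPort 14101
    # use SSL for the OHS -> WLS (OAM) connection
    SecureProxy ON
    # assumed wallet path; the wallet must contain the CA that signed the
    # certificate presented by the OAM managed server, or the handshake fails
    WLSSLWallet "${ORACLE_INSTANCE}/config/OHS/${COMPONENT_NAME}/keystores/default"
    # tell WLS that the user-facing leg was HTTPS so OAM-generated redirects
    # keep the https:// scheme (assumes the OHS listener itself is SSL)
    WLProxySSL ON
</Location>
```

After restarting OHS, confirm the OAM managed server’s SSL port actually speaks TLS and presents the certificate you expect (for example with `openssl s_client -connect oam.example.com:14101`), then perform a login and check the OHS error log for SSL handshake failures, which is what you will see if the wallet does not trust the server certificate. The webgate side of the picture, the OAP security mode, is not set in this file at all; it is chosen in the webgate’s agent registration in the OAM console, which is why the two legs are so easily configured inconsistently.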
