4 Performing a Secure Order Balancer Installation
This chapter presents planning information for securely installing Order Balancer and describes recommended deployment topologies that enhance security.
Pre-Installation Configuration
- You must have at least one dedicated UNIX group and one dedicated user account within that group for Order Balancer. Create a group for Order Balancer that includes the Order Balancer user account and the root user.
- When creating the Order Balancer WebLogic server domain:
  - Make sure that the administration server and the optional managed server SSL ports are used.
- After you have created the WebLogic Server domain for Order Balancer, start the WebLogic administration server.
- Using the WebLogic administration console, configure the certificate identity and trust stores to use the TLS protocol.
- Import trust certificates into the Order Balancer trust store for each ASAP member instance that will be added to Order Balancer. This enables Order Balancer to connect to the ASAP servers securely.
- Do not use the default, demonstration certificate that comes with the WebLogic server. See the WebLogic documentation for more information.
- Disable the SSL v3.0 protocol.
Note:
Oracle recommends that you configure WebLogic SSL ports so that only the TLS protocol is enabled.
Installing Order Balancer Securely
To deploy and configure Order Balancer securely in the Order Balancer WebLogic server domain, see "Installing Order Balancer" in the ASAP System Administrator's Guide.
Table 4-1 lists the parameters you need to set in the installer input configuration properties file (sampleConfig.properties) to securely install Order Balancer.
Table 4-1 Configuration Properties
Parameter | Parameter Value |
---|---|
WLS_PROTOCOL | Set the value to t3s. |
WLS_PORT | Set the value to the SSL Server port of Order Balancer WebLogic server. |
WLS_SSL_ENABLED | Set the value to true. |
WLS_IGNORE_HOSTNAME_VERIFICATION | Set the value to true or false in accordance with the trust certificate configuration in Order Balancer WebLogic server. |
WLS_TRUST_KEYSTORE | Set the value to CustomTrust (default demo certificates should not be used). |
WLS_CUSTOM_TRUST_KEYSTORE_TYPE | Set the value in accordance with the trust store configuration in Order Balancer WebLogic server. |
WLS_CUSTOM_TRUST_KEYSTORE_FILE | Set the value to the path of the Order Balancer trust store file as configured in Order Balancer WebLogic server. |
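The settings in Table 4-1 can be checked before the installer is run. The following is an added example, not part of the Oracle documentation or the Order Balancer installer: it audits the text of a properties file against the table. It assumes the file uses plain KEY=VALUE lines; the function names, the port range check, and the sample input are constructed for illustration.

```python
# Added example (assumes plain KEY=VALUE lines, '#' comments): audit against Table 4-1.
REQUIRED = {  # exact values stated in Table 4-1
    "WLS_PROTOCOL": "t3s",
    "WLS_SSL_ENABLED": "true",
    "WLS_TRUST_KEYSTORE": "CustomTrust",
}
NON_EMPTY = ("WLS_CUSTOM_TRUST_KEYSTORE_TYPE", "WLS_CUSTOM_TRUST_KEYSTORE_FILE")

def parse_properties(text):
    """Return {key: value} from KEY=VALUE lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (errors, warnings) for the Table 4-1 parameters."""
    props, errors, warnings = parse_properties(text), [], []
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            errors.append(f"{key}={props.get(key)!r}, expected {want!r}")
    for key in NON_EMPTY:
        if not props.get(key):
            errors.append(f"{key} is missing or empty")
    port = props.get("WLS_PORT", "")
    if not (port.isdecimal() and 0 < int(port) < 65536):
        errors.append(f"WLS_PORT={port!r} is not a valid TCP port")
    # The table allows true or false here, so this is a warning, not an error.
    if props.get("WLS_IGNORE_HOSTNAME_VERIFICATION", "").lower() == "true":
        warnings.append("WLS_IGNORE_HOSTNAME_VERIFICATION=true: confirm this "
                        "matches the trust certificate configuration")
    return errors, warnings

# Constructed sample input, not taken from a real installation.
SAMPLE = """\
WLS_PROTOCOL=t3
WLS_PORT=7002
WLS_SSL_ENABLED=true
WLS_IGNORE_HOSTNAME_VERIFICATION=true
WLS_TRUST_KEYSTORE=DemoTrust
WLS_CUSTOM_TRUST_KEYSTORE_TYPE=JKS
"""

if __name__ == "__main__":
    errors, warnings = audit(SAMPLE)
    print("\n".join(["ERROR " + e for e in errors] + ["WARN " + w for w in warnings]))
```

The check does not confirm that WLS_PORT is the SSL port of the Order Balancer WebLogic server or that the trust store file exists; verify both against the domain configuration.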
Adding ASAP Instances
The ASAP member instance trust certificates are expected to have already been added to the Order Balancer trust store that is configured for Order Balancer to use for SSL communication. To securely add ASAP member instances to Order Balancer, specify the following parameter when running the addASAPServer script:
asapSrvURL: Provide the t3s URL with the SSL port of the ASAP WebLogic server.
Configuring Authentication Providers for Order Balancer
During the Order Balancer installation process, the Order Balancer installer creates default Order Balancer users, groups, roles, and methods in the embedded LDAP authentication provider included with the Order Balancer WebLogic server. You can use this authentication provider to configure the default Order Balancer users, groups, roles, and methods, and add, delete, or modify your own users, groups, roles, and methods.
Managing ASAP WebLogic Server User Security
Order Balancer supports only the default WebLogic server myrealm security realm. Order Balancer administrators can configure user password policies through the WebLogic Administration Console. For more information, see "Installing Order Balancer" in the ASAP System Administrator’s Guide.