Configure Web Server Security
This task is used to configure the server to run in either HTTPS or HTTP mode, configure Apache web server parameters, and optionally configure the size of files being uploaded to the web server for the secure functioning of the web server and Oracle Communications Session Delivery Manager.
Note:
This section does not discuss the importation or deletion of Transport Layer Security certificates for east-west peer OCSDM server communication, and for southbound communication with network function (NF) devices. These actions are handled in the Custom Installation when using the OCSDM setup installation program. Refer to the Configure Transport Layer Security Certificates section for more information.
- Select option 3, Web Server configuration. Press the Enter key to continue.
- Option 1 (HTTP/HTTPS configuration) is selected by default to configure your web server parameters. Press Enter to continue.
[X] 1 - HTTP/HTTPS configuration - Setup HTTP or HTTPS configuration [Default]
[ ] 2 - Security configuration - Options below can be used to modify the Web server security configurations of OCSDM
- We highly recommend that you keep HTTPS mode (default) as the system running mode for your system to create secure web connections. If you need HTTP (unsecured), select option 2. Press Enter to continue.
Note:
Use the default OpenSSL version provided by Oracle Linux on your Linux server. This is needed so that the HTTPS service on the Apache web server supports the options to run HTTPS with Transport Layer Security (TLS) 1.2. SDM is backward compatible with TLSv1.2.
[X] 1 - HTTPS mode [Default]
[ ] 2 - HTTP mode
- Accept the default nncentral user as the Apache user.
Note:
You cannot use the value root for the Apache user.
Apache User [nncentral]
- Accept the default nncentral group as the Apache group.
Note:
You cannot use the value root for the Apache group name.
Apache Group [nncentral]
- Enter an Apache port number or accept the default port of 8443 (secure HTTPS).
Note:
Port 8080 is the port number for unsecured HTTP.
Apache Port Number (1024-65535) [8443]
- Enter the DNS name of the server.
Server name [] myserver1
Note:
The specified DNS server name must match the common name (CN) of the certificate.
- For HTTPS configuration or enabling 2FA on SDM, if your certificate is signed by a certificate authority (CA), select option 2, No, when prompted about creating a self-signed certificate. Selecting option 1, Yes, will continue the setup from sub-step g.
- Enter the absolute path to the private key file.
Private key file []
- Enter the absolute path to the certificate file.
Certificate file []
- If there are intermediate certificates, select option 1. Press Enter to continue. Then enter the absolute path to the certificate chain file. Otherwise, select the default option 2.
Are there intermediate certificates?
[ ] 1 - Yes
[X] 2 - No [Default]
- If you want to create a self-signed certificate, select option 1, Yes. Press Enter to continue.
Note:
Enabling 2FA on SDM cannot be done with self-signed certificates.
- Accept nncentral as the certificate alias name.
Certificate alias name [nncentral]
- Specify a truststore password that provides write protection to the truststore where X.509 certificates are kept. X.509 certificates are used in many internet protocols, including TLS/SSL, which is the basis for HTTPS.
Truststore password []
The upper-level security configuration is complete and the main web server menu returns. If you do not need to adjust the default maximum file size for files that are uploaded to the web server, your web server configuration is complete.
- Client Authentication verifies the identity of the client (the browser or API), ensuring that only authenticated and authorized clients are allowed to interact with the server. Select option 1 to enable client authentication. This is mandatory for 2FA. If you select option 2, No, then steps k, l and m will be skipped. After SDM setup and startup, import the client certificate using your browser while accessing the GUI. For more information, see Importing the Client Certificate Using the Browser.
Would you like to enable client authentication?
[ ] 1 - Yes
[X] 2 - No [Default]
Note:
The client and server certificates need to be signed by the same CA or chain.
- Provide the root CA or a bundled file if signed by an intermediate CA.
Root CA certificate [] /home/nncentral/certificate-bundle.pem
- Provide the Client Certificate Chain Depth.
Client Certificate Chain Depth [] 3
- Provide the Keystore password.
Keystore password []
You will see a message:
Setup-->: The CER and KEY files have been acquired.
- (Optional) Select option 2, Security configuration, to update the Apache HTTP Daemon (HTTPD) server configuration files if you need to change the default value set by Oracle Communications Session Delivery Manager for files that can be uploaded to the web server. Press the Enter key to continue.
[ ] 1 - HTTP/HTTPS configuration - Setup HTTP or HTTPS configuration [Default]
[X] 2 - Security configuration - Options below can be used to modify the Web server security configurations of OCSDM
- Select option 1, Modify web server file directive size limit [Default].
[X] 1 – Modify web server file directive size limit [Default]
[ ] 2 - Enable TLS versions 1.1 and 1.2 (HTTPS)
[ ] 3 – Cancel out and do not apply changes
- Press Enter to continue.
[X] 1 – Modify web server file directive size limit [Default]
[ ] 2 - Enable TLS versions 1.1 and 1.2 (HTTPS)
[ ] 3 – Cancel out and do not apply changes
- You are next prompted to enter the upload file size limit in gigabytes (GB). The default size limit is 2 gigabytes.
Web server File Size Limit in GB (2-100) [2]
If the entered value exceeds the file-size limit, an error message displays and prompts you to re-enter the value.
- (Optional) By default, Transport Layer Security (TLS) is used for HTTPS. Select option 2, Security configuration, if you want to enable TLS versions 1.1 and 1.2 to be used for HTTPS instead.
[ ] 1 - HTTP/HTTPS configuration - Setup HTTP or HTTPS configuration [Default]
[X] 2 - Security configuration - Options below can be used to modify the Web server security configurations of OCSDM
- Select option 2, Enable TLS versions 1.1 and 1.2 (HTTPS).
[ ] 1 – Modify web server file directive size limit [Default]
[X] 2 - Enable TLS versions 1.1 and 1.2 (HTTPS)
[ ] 3 – Cancel out and do not apply changes
- Press Enter to continue.
[ ] 1 – Modify web server file directive size limit [Default]
[X] 2 - Enable TLS versions 1.1 and 1.2 (HTTPS)
[ ] 3 – Cancel out and do not apply changes
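A pre-flight check for the certificate inputs this procedure asks for (server name, private key file, certificate file, root CA or bundle), written as an added example that is not part of the Oracle documentation or the OCSDM setup program. It assumes the `openssl` command-line tool is installed; the function names and any file paths passed to them are hypothetical.

```shell
#!/bin/sh
# Added example: validate the files before entering them at the setup prompts.
# Function names are hypothetical; requires the openssl command-line tool.

# Print the subject common name (CN) of the certificate in $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed if the private key ($1) belongs to the certificate ($2),
# by comparing the public keys derived from each file.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Succeed if subject and issuer are the same name, which is how a
# self-signed certificate presents (the page rules these out for 2FA).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeed if the certificate ($2) verifies against the CA bundle ($1).
# Run it for both the server and the client certificate with the same
# bundle to confirm they chain to the same CA.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks: preflight <server name> <key> <cert> <CA bundle>.
# Prints one line per finding and returns the number of failed checks.
preflight() {
    name=$1 key=$2 cert=$3 ca=$4 fails=0
    [ "$(cert_cn "$cert")" = "$name" ] ||
        { echo "FAIL: certificate CN does not match server name $name"; fails=$((fails + 1)); }
    key_matches_cert "$key" "$cert" ||
        { echo "FAIL: private key does not match certificate"; fails=$((fails + 1)); }
    signed_by "$ca" "$cert" ||
        { echo "FAIL: certificate does not verify against $ca"; fails=$((fails + 1)); }
    is_self_signed "$cert" &&
        echo "NOTE: self-signed certificate, 2FA cannot be enabled with it"
    return "$fails"
}
```

Call `preflight` with the same values you intend to type at the Server name, Private key file, Certificate file and Root CA certificate prompts; a return status of 0 means every check passed.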