Securing Coherence unicast communications for FMW SOA by Peter van Nes

Posted: April 4, 2015 in WebLogic

When confidentiality is required for an Oracle Fusion Middleware environment, the first thing you will probably do is configure SSL for the domain. You might think that this secures all connections in the domain, but various FMW applications use frameworks such as JGroups or Oracle Coherence, whose connections are not secured by configuring SSL for the domain.

Various FMW applications, like Oracle Identity Manager, use FMW SOA, which in turn uses Oracle Coherence for Unicast communications. As Oracle recommends Unicast communication for SOA enterprise deployments in the Fusion Middleware Enterprise Deployment Guide for Oracle SOA Suite, you will probably have set up Unicast communication in your production environments accordingly by adding the Java properties tangosol.coherence.wka[1-n] and tangosol.coherence.localhost.

Instead of adding the properties to the Server Start arguments of each server individually, you can add these settings to setDomainEnv.sh. This way you have a consolidated view of all the configuration settings for the Coherence cluster.

Securing Unicast communications

Unicast (TCMP) communications for Coherence can be secured by defining an SSL Socket Provider. [Coherence Security Guide; Using SSL to Secure TCMP Communication]

A pre-defined SSL Socket Provider ‘ssl’ is defined in the tangosol-coherence.xml file of the Java archive coherence.jar, which can be found in the lib directory of your Coherence installation under <MW_HOME>. This pre-defined SSL Socket Provider expects a combined key- and truststore with the name keystore.jks, which must be present on the classpath. It is therefore less suitable for production environments, where the truststore and the keystore are kept in separate keystores. Best practice is not to replace tangosol-coherence.xml, but to override the operational and run-time settings using an Operational Override File. The property tangosol.coherence.override specifies the name of the override file to be used instead of the default. In this override file the cluster-config element should be defined to enable SSL for TCMP (Unicast). The cluster-config element contains three sub-elements: member-identity, unicast-listener and socket-provider.

The member-identity element contains the cluster-name of the Coherence cluster. This is the same name as the cluster name set in property tangosol.coherence.cluster when configuring unicast communications. Element unicast-listener defines the well-known-addresses, listen ports and other properties of all cluster nodes. These are the values you assigned to the properties tangosol.coherence.wka[1-n] and tangosol.coherence.localhost when setting up unicast communications. The socket-provider element under unicast-listener should have the same value as the id attribute of the socket-provider element which will be described next. Read the complete article here.
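The following operational override file is an added example, not taken from the article, that shows the three elements described above in one place: member-identity with the cluster name, unicast-listener with the well-known addresses and the local address, and a socket-provider definition with separate identity (key) and trust stores instead of the single keystore.jks the pre-defined ‘ssl’ provider expects. The cluster name, host names, ports, keystore paths, passwords and the provider id `soaTcmpSsl` are placeholders and must be replaced with the values of your own domain; the element names and structure follow the Coherence operational configuration schema.

```xml
<?xml version="1.0"?>
<!-- Hypothetical tangosol-coherence-override.xml (added example, not from the article).
     Cluster name, host names, ports, keystore paths, passwords and the provider id
     are placeholders: replace them with the values of your own SOA domain. -->
<coherence xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns="http://xmlns.oracle.com/coherence/coherence-operational-config"
           xsi:schemaLocation="http://xmlns.oracle.com/coherence/coherence-operational-config
                               coherence-operational-config.xsd">
  <cluster-config>

    <!-- Same value as -Dtangosol.coherence.cluster on every SOA managed server -->
    <member-identity>
      <cluster-name>SOACluster</cluster-name>
    </member-identity>

    <unicast-listener>
      <!-- Reference, by id, the SSL provider defined in <socket-providers> below.
           Without this element TCMP keeps using the default plaintext TCP provider. -->
      <socket-provider>soaTcmpSsl</socket-provider>

      <!-- Well-known addresses: the values previously passed as
           -Dtangosol.coherence.wka1 ... -Dtangosol.coherence.wkaN -->
      <well-known-addresses>
        <socket-address id="1">
          <address>soahost1.example.com</address>
          <port>8088</port>
        </socket-address>
        <socket-address id="2">
          <address>soahost2.example.com</address>
          <port>8088</port>
        </socket-address>
      </well-known-addresses>

      <!-- This node's own listen address: the value of -Dtangosol.coherence.localhost.
           The system-property attribute lets each server still supply its own value
           from its start arguments while the rest of this file is shared by all nodes. -->
      <address system-property="tangosol.coherence.localhost">soahost1.example.com</address>
      <port system-property="tangosol.coherence.localport">8088</port>
    </unicast-listener>

    <socket-providers>
      <!-- The id must match the <socket-provider> reference in <unicast-listener> -->
      <socket-provider id="soaTcmpSsl">
        <ssl>
          <protocol>TLS</protocol>
          <!-- Separate identity store (this node's private key and certificate) ... -->
          <identity-manager>
            <algorithm>SunX509</algorithm>
            <key-store>
              <url>file:/u01/oracle/config/keystores/soa-identity.jks</url>
              <password>identity-store-password</password>
              <type>JKS</type>
            </key-store>
            <password>private-key-password</password>
          </identity-manager>
          <!-- ... and a separate trust store holding the CA that issued the member certificates -->
          <trust-manager>
            <algorithm>SunX509</algorithm>
            <key-store>
              <url>file:/u01/oracle/config/keystores/soa-trust.jks</url>
              <password>trust-store-password</password>
              <type>JKS</type>
            </key-store>
          </trust-manager>
        </ssl>
      </socket-provider>
    </socket-providers>

  </cluster-config>
</coherence>
```

Activate the file on every SOA managed server with -Dtangosol.coherence.override=<path to the file> (for example in setDomainEnv.sh, next to the existing wka and localhost properties) and restart the cluster as a whole: a member that still starts with the default TCP provider cannot complete the TLS handshake with SSL-enabled members and will not join the cluster, so a rolling change with mixed settings will fail. The plaintext passwords shown are placeholders; the same system-property attribute used on the address and port elements can be placed on the password elements so that the secrets are supplied at start-up instead of being stored in a shared file.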

WebLogic Partner Community

For regular information, become a member of the WebLogic Partner Community; please visit http://www.oracle.com/partners/goto/wls-emea (OPN account required). If you need support with your account, please contact the Oracle Partner Business Center.
