Oracle Mobile Security Suite Workshop. Installation

(1)

Oracle Mobile Security Suite

Workshop

(2)

2

Oracle Confidential – Do Not Distribute

The following is intended to outline our general product direction. It is intended

for information purposes only, and may not be incorporated into any contract.

It is not a commitment to deliver any material, code, or functionality, and should

not be relied upon in making purchasing decisions. The development, release,

and timing of any features or functionality described for Oracle’s products

(3)

3

Mobile Security Suite Components

1. Mobile Security

Access Server

(MSAS)

2. Mobile Security

Administrative

Console (MSAC)

3. Mobile Security File

Manager

4. Mobile Security

(4)

4

OMSS Components

• Oracle Mobile Security Access Server

• Apache (incoming 80/443 from Mobile Device) with custom Apache Module

• Authentication vs AD Kerberos or OAM OAuth (outgoing 88/443)

• Consume Policy from Admin Console (outgoing 443)

• Connect to File Manager Server (outgoing 8080/8443)

• Connect to other Web Apps / Web Services / Backend Server

• Oracle Mobile Security Administrative Console

• Apache or IIS (incoming 443 from Browser & Access Server)

• Policy Store in DB: ORCL, MSSQL, MySQL

• Connect with AD/OUD for users/groups sync (outgoing 389 / 636 / 3268 / 3269)

• Optional End-User Access

(5)

5

OMSS Components

• Oracle Mobile Security Notification Server

• Tomcat with custom application (incoming 8080/8443) from Admin Console

• Connect with Mail Server (outgoing 80/443)

• Send Push Notification to client via APNS / GCM (outgoing 80/443)

• Optional

• Oracle Mobile Security File Manager Server

• Tomcat with custom application (incoming 8080/8443) from client via Access Server

• HTTP/HTTPS WebDav  SMB / CIFS

• Connect to Windows File Server (outgoing 445)

• Optional

(6)

6 OMSS

Architecture

Recap

Mobile

Security

Access

Server

Apache

+

Custom

Apache

Modules

Admin Console Apache or IIS + PHP + Custom Module

File Manager Server Tomcat + Custom App Notification Server Tomcat + Custom App

Mobile

Security

Container

ORCL / MSSQL / MySQL LDAP/LDAPS (TCP) 389 / 636 / 3268 / 3269 AD WebDav  SMB/CIFS APNS / GCM

(7)

7

System Requirements 1/2

Windows

• Operating system:

• Windows 2008 R2

• Latest service pack and security updates

• Hardware:

• 4 GB Memory

• 2.2 GHz Processor with 4 cores

• 30GB Hard Drive

• Physical and virtual servers are

supported

Linux

• Operating system:

• OEL 6 UL1+

• Hardware:

• 4 GB Memory

• 2.2 GHz Processor with 4 cores

• 30GB Hard Drive

• Physical and virtual servers are

supported

(8)

8

System Requirements 2/2

1. iOS c14n (containerization tool)

• MAC OS X 10.7

• Xcode 5.1.1

• XQuartz 2.7.4

2. Android c14n

• MAC OS X 10.7

• JDK 6.0 or higher

(9)

9

OMSS Installation Overview

• Access Server, Admin Console, Notification Server, File Manager Server can

be installed on the same host (for POC / Demo)

• Components can also be installed on different hosts (production)

• In the Workshop Lab Exercise, we will put everything on the same host

• Windows Server 2008 R2 64 bit OR Oracle Linux 6.1+ (RHEL)

• Database Options: Oracle DB, MSSQL or MySQL (embedded in Windows

version)

(10)

10

OMSS Installation Overview

• Authentication / User Repository Options

• Kerberos + AD (aka KINIT)

• OAM + OUD (aka OAM Auth)

• Pre-install Check

• TCP Port 80 / 443 / 8080 / 8443 are free (default ports, config during installation)

• No MySQL installed if using Windows + MySQL (embedded)

• Connection to OUD/AD (incl GC)

• A valid user to connect to OUD/AD

• Windows – Local Admin rights to add scheduled task + User account to Logon as service

• OAM / OAMMS OAuth Authentication – OAuth & OAuth Client setup

(11)

11

OMSS Installation Overview

• Pre-install Check continue…..

• Corresponding Groups in OUD / AD

• DNS Available, Time Sync

• SSL Certificate Ready (or use self-signed)

• FQDN for Access Server

• Additional Authentication Options – for Kerberos + AD

• PKINIT

– Virtual SmartCard based on Windows SmartCard Logon

• OTP

– Radius based OTP token, e.g. Vasco, RSA SecurID

• SSL Server Certificate Options

• Self-signed

(12)

12

OMSS 3.0.1 Deployment Configuration

Machine1

Machine2

Machine3

Machine4

Comments

Access Server

Admin Console

File Manager

Notification

DB

Lab

Access Server

Admin Console

File Manager

Notification

DB

Lab or production

Access Server

Admin Console

File Manager

Notification

DB

Lab or production

Access Server

Admin Console

DB

File Manager

Notification

Lab or production

Access Server

Admin Console

Notification

(13)

13

LDAP, Database & Authentication Server

requirements

1. Authentication OAM :

• OAM with OAM Mobile&Social 11gR2 PS2

2. Authentication Active Directory

• Windows 2008 domain controller

• Domain functional level of at least Windows 2003

3. LDAP

• OUD 11gR2 PS2

• Active Directory Windows 2003

4. Database

(14)

14

Installing OMSS on Linux

1. RPMs based

2. For each components

• Install RPM

• $ sudo rpm –ivh msac-3.0.0.el6.x86_64.rpm

• Configuration :

• $ gedit /opt/oracle/omss/msac/templates/vars.conf

Note- Take a look at the each conf files during the Lab execution

.

• Apply configuration :

(15)

15

Installing OMSS on Linux

Pre Requisite - Generate Certificate

Self Signed Certificate good for POC

• Create the CA’s key pair

openssl genrsa -out CA.key 1024

• The CA needs its own “certificate” (This is the “widely published” “root

certificate”)

openssl req -new -x509 -days 3650 -key CA.key -out CA.crt

• Create the private key for the server. (The “server” being the web

server.)

openssl genrsa -out server.key 1024

• Create a “Certificate Signing Request”

(16)

16

Installing OMSS on Linux

Pre Requisite - Generate Certificate

• “Sign” the certificate

openssl x509 -req -days 3650 -CA CA.crt -CAkey CA.key

-set_serial 01 -in server.csr -out server.crt

• Convert the CA Crt to PEM

openssl x509 -in CA.crt -out CA.der -outform DER

openssl x509 -in CA.der -inform DER -out CA.pem -outform PEM

• Convert the Server Crt to PKCS1

openssl pkcs12 -export -out server.p12 -inkey server.key

-in server.crt

(17)

17

Installing OMSS on Linux

Install the Dependent rpms

• Dependent rpms are supplied with OMSS 3.1 software

(18)

18

Installing OMSS on Linux

Prepare the DB (Oracle DB)

• Create the necessary table spaces in the database (Sample Shown)

create tablespace lat_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/lat_store.dbf' size

50M autoextend on

create tablespace rep_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/rep_store.dbf' size

50M autoextend on

create tablespace aud_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/aud_store.dbf' size

50M autoextend on

create tablespace appu_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/appu_store.dbf'

size 50M autoextend on

create tablespace msns_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/msns_store.dbf'

size 50M autoextend on

(19)

19

Installing OMSS on Linux

Installing the Mobile Security Admin Console (MSAC)

• Install the RPM (Every RPM gets installed in /opt/oracle/omss)

(20)

20

Installing OMSS on Linux

Installing the Mobile Security Admin Console (MSAC)

• Observe the log (msac_spool.lst). Log located at

/opt/oracle/omss/msac/logs folder.

(21)

21

Installing OMSS on Linux

Installing the Mobile Security Admin Console (MSAC)

• Start the Admin Console

(22)

22

Installing OMSS on Linux

Installing the Mobile Security Access Server (MSAS)

• Install the RPM

(23)

23

Installing OMSS on Linux

Installing the Mobile Security Notification Server (MSNS)

• Install pre requisite tomcat

(24)

24

Installing OMSS on Linux

Installing the Mobile Security Notification Server (MSNS)

(25)

25

Installing OMSS on Linux

Installing the Mobile Security File Manager (MSFM)

(26)

26

Installing OMSS on Linux

Installing the Mobile Security File Manager (MSFM)

(27)

27

Starting OMSS on Linux

1. MSAC & MSAS start/stop with Apache httpd commands

• $ sudo /usr/sbin/httpd.worker –f /opt/oracle/omss/msas/conf/httpd.conf –k start

• $ sudo /usr/sbin/httpd.worker –f /opt/oracle/omss/msac/conf/httpd.conf –k start

2. Notification Server & FileManager

• Run within Tomcat on linux

(28)

28

Installing OMSS on Windows

(29)

29

Installing OMSS on Windows

(30)

30

Installing OMSS on Windows

(31)

31

(32)

32

(33)

33

(34)

34

(35)

35

(36)

36

(37)

37

(38)

38

(39)

39

OMSS Admin Console

(40)

40

OMSS Admin Console

https://FQDN/acp/

Dashboard

•Active & New Containers •Policy Violation •Active Logins •Top Users, Apps, Devices •Exceptions Containers •List of Containers •Details /container •Activity /container •Effective Policy /container •Lock, Unlock, Wipe /container Groups •List of Groups •Corresponding Policies /group •Lock, Unlock, Wipe, Invite /group Users •List of Users /group •General info /user •Invite /user Catalog •List of vApp •Add, Update, Delete /vApp Policies •List of Policies •Groups /pol •Authentication /pol •Catalog avaliable /pol •Container & vApp /pol •Time /pol

•Geo Access /pol •Allowed Devices

/pol •Browser

behavior / pol •Doc Editing /pol •File Manager

/pol

•PIM Setting /pol •Provisioning & Templ /pol Settings •Client •Web •Server •Invite •Invite Template •LDAP •CA •Notification Help