Oracle Mobile Security Suite Workshop Installation
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Mobile Security Suite Components
1. Mobile Security Access Server (MSAS)
2. Mobile Security Administrative Console (MSAC)
3. Mobile Security File Manager
4. Mobile Security Notification
OMSS Components: Server Components

Oracle Mobile Security Access Server
- Apache (incoming 80/443 from the mobile device) with a custom Apache module
- Authentication against AD Kerberos or OAM OAuth (outgoing 88/443)
- Consumes policy from the Admin Console (outgoing 443)
- Connects to the File Manager Server (outgoing 8080/8443)
- Connects to other web apps / web services / backend servers

Oracle Mobile Security Administrative Console
- Apache or IIS (incoming 443 from browser and Access Server)
- Policy store in a DB: ORCL, MSSQL, MySQL
- Connects to AD/OUD for user/group sync (outgoing 389 / 636 / 3268 / 3269)
- Optional end-user access
OMSS Components: Server Components (continued)

Oracle Mobile Security Notification Server (optional)
- Tomcat with a custom application (incoming 8080/8443 from the Admin Console)
- Connects to the mail server (outgoing 80/443)
- Sends push notifications to the client via APNS / GCM (outgoing 80/443)

Oracle Mobile Security File Manager Server (optional)
- Tomcat with a custom application (incoming 8080/8443 from the client via the Access Server)
- HTTP/HTTPS, WebDav, SMB / CIFS
- Connects to the Windows file server (outgoing 445)
[Diagram: OMSS Architecture Recap] Components shown: Mobile Security Container; Mobile Security Access Server (Apache + custom Apache modules); Admin Console (Apache or IIS + PHP + custom module) with policy DB (ORCL / MSSQL / MySQL); File Manager Server (Tomcat + custom app; WebDav, SMB/CIFS); Notification Server (Tomcat + custom app; APNS / GCM); AD over LDAP/LDAPS (TCP) 389 / 636 / 3268 / 3269.
System Requirements 1/2

Windows
- Operating system: Windows 2008 R2, latest service pack and security updates
- Hardware: 4 GB memory, 2.2 GHz processor with 4 cores, 30 GB hard drive
- Physical and virtual servers are supported

Linux
- Operating system: OEL 6 UL1+
- Hardware: 4 GB memory, 2.2 GHz processor with 4 cores, 30 GB hard drive
- Physical and virtual servers are supported
System Requirements 2/2
1. iOS c14n (containerization tool): Mac OS X 10.7, Xcode 5.1.1, XQuartz 2.7.4
2. Android c14n: Mac OS X 10.7, JDK 6.0 or higher
OMSS Installation Overview
- Access Server, Admin Console, Notification Server and File Manager Server can be installed on the same host (for POC / demo)
- Components can also be installed on different hosts (production)
- In the workshop lab exercise, we will put everything on the same host
- Windows Server 2008 R2 64-bit OR Oracle Linux 6.1+ (RHEL)
- Database options: Oracle DB, MSSQL or MySQL (embedded in the Windows version)
- Note: DB HA is not supported with MySQL
OMSS Installation Overview

Authentication / user repository options
- Kerberos + AD (aka KINIT)
- OAM + OUD (aka OAM Auth)

Pre-install check
- TCP ports 80 / 443 / 8080 / 8443 are free (default ports, configurable during installation)
- No MySQL installed if using Windows + MySQL (embedded)
- Connection to OUD/AD (incl. GC)
- A valid user to connect to OUD/AD
- Windows: local admin rights to add a scheduled task + a user account to log on as a service
- OAM / OAMMS OAuth authentication: OAuth and OAuth client setup
- Kerberos / AD authentication: Kerberos connection to AD
OMSS Installation Overview

Pre-install check (continued)
- Corresponding groups in OUD / AD
- DNS available, time sync
- SSL certificate ready (or use self-signed)
- FQDN for the Access Server

Additional authentication options for Kerberos + AD
- PKINIT: virtual smart card based on Windows smart card logon
- OTP: RADIUS-based OTP token, e.g. Vasco, RSA SecurID

SSL server certificate options
- Self-signed
- 3rd-party signed
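Added example, not part of the Oracle deck: a small POSIX shell pre-install checker for the port and FQDN requirements listed above. It parses `ss -ltn` (or `netstat -ltn`) output, reports which of the default OMSS ports 80/443/8080/8443 already have a listener, and checks that the Access Server FQDN resolves. The listener output embedded below is constructed so the check can be exercised offline; `omss.example.com` is an assumed name.

```shell
#!/bin/sh
# Added example (not from the Oracle deck): pre-install checker for the OMSS
# default listener ports and the Access Server FQDN.

# Default ports from the deck: 80/443 (Apache: MSAS/MSAC) and 8080/8443
# (Tomcat: notification server / file manager).
OMSS_PORTS="80 443 8080 8443"

# Constructed sample of `ss -ltn` output, used so the check runs offline.
# Here 443 and 8080 are already taken (e.g. a leftover web server and Tomcat).
SAMPLE_LISTENERS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     *:443                *:*
LISTEN  0       100     [::]:8080            [::]:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*'

# Read `ss -ltn` / `netstat -ltn` output on stdin and print the listening ports,
# one per line, numerically sorted. The local address is field 4 in both tools;
# the port is whatever follows the last ':' (so [::]:8080 yields 8080).
# Header lines are skipped because field 4 does not end in ':<digits>'.
listening_ports() {
    awk '$4 ~ /:[0-9]+$/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print the ports from $1 that already have a listener (listener output on
# stdin), space separated. Exit status 0 if all are free, 1 otherwise.
ports_in_use() {
    wanted="$1"
    busy=""
    for p in $(listening_ports); do
        for w in $wanted; do
            [ "$p" = "$w" ] && busy="$busy $p"
        done
    done
    busy=${busy# }
    printf '%s\n' "$busy"
    [ -z "$busy" ]
}

# The FQDN clients will use must resolve before the installer asks for it.
fqdn_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Live run against this host: ./precheck.sh --live omss.example.com
# (omss.example.com is an assumed name).
if [ "${1:-}" = "--live" ]; then
    if command -v ss >/dev/null 2>&1; then
        busy=$(ss -ltn | ports_in_use "$OMSS_PORTS") || echo "ports in use: $busy"
    elif command -v netstat >/dev/null 2>&1; then
        busy=$(netstat -ltn | ports_in_use "$OMSS_PORTS") || echo "ports in use: $busy"
    else
        echo "neither ss nor netstat available" >&2
    fi
    fqdn_resolves "${2:-}" || echo "FQDN does not resolve: ${2:-}"
fi
```

Run it with `--live <fqdn>` on the target host before starting the RPM or Windows installer; an empty "ports in use" result and a resolving FQDN are the two preconditions the deck asks for. Time sync is deliberately not scripted here, since the right check depends on whether the host uses ntpd, chrony or the Windows time service.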
OMSS 3.0.1 Deployment Configuration
Columns: Machine1 | Machine2 | Machine3 | Machine4 | Comments
Cell contents: Access Server Admin Console File Manager Notification DB; Access Server; Access Server Admin Console File Manager Notification DB; Admin Console File Manager Notification; Access Server Admin Console DB File Manager Notification; Access Server Admin Console Notification DB; Lab; Lab or production; Lab or production; Lab or production; DB File Manager; Lab or production
LDAP, Database & Authentication Server requirements
1. Authentication OAM: OAM with OAM Mobile & Social 11gR2 PS2
2. Authentication Active Directory: Windows 2008 domain controller, domain functional level of at least Windows 2003
3. LDAP: OUD 11gR2 PS2, Active Directory Windows 2003
4. Database: Oracle Database 11gR2
Installing OMSS on Linux
1. RPM based
2. For each component:
Install the RPM:
$ sudo rpm -ivh msac-3.0.0.el6.x86_64.rpm
Configuration:
$ gedit /opt/oracle/omss/msac/templates/vars.conf
Note: take a look at each conf file during the lab exercise.
Apply the configuration:
$ sudo /opt/oracle/omss/msac/templates/configure.sh
Installing OMSS on Linux: Prerequisite, Generate Certificate
A self-signed certificate is good for a POC.
Create the CA's key pair:
openssl genrsa -out CA.key 1024
The CA needs its own certificate (this is the widely published root certificate):
openssl req -new -x509 -days 3650 -key CA.key -out CA.crt
Create the private key for the server (the server being the web server):
openssl genrsa -out server.key 1024
Create a Certificate Signing Request:
openssl req -new -key server.key -out server.csr
Installing OMSS on Linux: Prerequisite, Generate Certificate (continued)
Sign the certificate:
openssl x509 -req -days 3650 -CA CA.crt -CAkey CA.key -set_serial 01 -in server.csr -out server.crt
Convert the CA crt to PEM:
openssl x509 -in CA.crt -out CA.der -outform DER
openssl x509 -in CA.der -inform DER -out CA.pem -outform PEM
Convert the server crt to PKCS#12:
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
You will use server.p12 and CA.pem for the install.
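Added example, not part of the Oracle deck: the two certificate slides above as one reproducible script, followed by the check a practitioner runs before handing server.p12 and CA.pem to the installer (server.crt must verify against CA.pem, and the PKCS#12 file must open with the password the MSAC configure step will ask for). It departs from the slides in three places, each labelled in the code: 2048-bit RSA keys instead of 1024 (1024-bit RSA is below current minimums and is rejected by recent clients), `-subj` values so nothing prompts, and `-CAcreateserial` instead of a fixed serial of 01 so re-running does not issue two certificates with the same serial. The directory, FQDN and password are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle deck): self-signed CA plus server
# certificate for a POC Access Server, following the deck's openssl sequence.
# Deviations from the slides: 2048-bit keys, -subj (non-interactive),
# -CAcreateserial. FQDN, directory and password are assumptions.
set -e

# Create CA.key/CA.crt/CA.der/CA.pem and server.key/server.csr/server.crt/
# server.p12 in directory $1 for Access Server FQDN $2; $3 is the PKCS#12
# export password that the MSAC configure step asks for.
make_poc_certs() {
    dir="$1"; fqdn="$2"; p12pass="$3"
    mkdir -p "$dir"

    # CA key pair and its self-signed root certificate (10 years, as on the slide)
    openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/CA.key" -out "$dir/CA.crt" \
        -subj "/CN=OMSS POC Root CA"

    # Server (web server) key and CSR; the CN is the FQDN clients connect to
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$fqdn"

    # Sign the CSR with the CA (-CAcreateserial instead of the slide's -set_serial 01)
    openssl x509 -req -days 3650 -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
        -CAcreateserial -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null

    # DER and PEM copies of the CA certificate (the deck's CA.pem)
    openssl x509 -in "$dir/CA.crt" -out "$dir/CA.der" -outform DER
    openssl x509 -in "$dir/CA.der" -inform DER -out "$dir/CA.pem" -outform PEM

    # Server key + certificate bundled as PKCS#12 (the deck's server.p12)
    openssl pkcs12 -export -out "$dir/server.p12" -inkey "$dir/server.key" \
        -in "$dir/server.crt" -passout "pass:$p12pass"
}

# Verify what the installer will receive: server.crt must chain to CA.pem and
# server.p12 must open with the password. Exit status 0 when both hold.
verify_poc_certs() {
    dir="$1"; p12pass="$2"
    openssl verify -CAfile "$dir/CA.pem" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$dir/server.p12" -passin "pass:$p12pass" -nokeys \
        >/dev/null 2>&1 || return 1
}

# Print the CN of the server certificate, to confirm it matches the FQDN.
server_cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: ./make-certs.sh ./omss-certs omss.example.com 'p12-password'
if [ "$#" -eq 3 ]; then
    make_poc_certs "$1" "$2" "$3"
    verify_poc_certs "$1" "$3" && echo "chain OK for $(server_cert_cn "$1")"
fi
```

The verify step is the part worth keeping even if you generate the files by hand: a CA.pem that does not actually verify server.crt, or a p12 whose password differs from the one typed into the configure script, is the usual cause of an Apache that refuses to start after the MSAC/MSAS configure step. CA.key should stay on the machine that issued the certificate; only CA.pem and server.p12 are needed by the installer.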
Installing OMSS on Linux: Install the dependent RPMs
Dependent RPMs are supplied with the OMSS 3.1 software package.
Installing OMSS on Linux: Prepare the DB (Oracle DB)
Create the necessary tablespaces in the database (sample shown):
create tablespace lat_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/lat_store.dbf' size 50M autoextend on;
create tablespace rep_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/rep_store.dbf' size 50M autoextend on;
create tablespace aud_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/aud_store.dbf' size 50M autoextend on;
create tablespace appu_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/appu_store.dbf' size 50M autoextend on;
create tablespace msns_store datafile '/u01/app/oracle/product/11.2.0/oradata/orcl/msns_store.dbf' size 50M autoextend on;
Installing OMSS on Linux: Installing the Mobile Security Admin Console (MSAC)
- Install the RPM (every RPM gets installed in /opt/oracle/omss)
- Configure the Admin Console (provide the password for the p12 file)
- Observe the log (msac_spool.lst), located in the /opt/oracle/omss/msac/logs folder; make sure that there are no errors
- Start the Admin Console
- Log in with the credentials supplied during the install

Installing OMSS on Linux: Installing the Mobile Security Access Server (MSAS)
- Install the RPM
- Configure the MSAS

Installing OMSS on Linux: Installing the Mobile Security Notification Server (MSNS)
- Install the prerequisite Tomcat
- Install the MSNS RPM
- Configure the Mobile Notification Server

Installing OMSS on Linux: Installing the Mobile Security File Manager (MSFM)
- Install the MSFM RPM
- Configure the File Manager
Starting OMSS on Linux
1. MSAC & MSAS start/stop with Apache httpd commands:
$ sudo /usr/sbin/httpd.worker -f /opt/oracle/omss/msas/conf/httpd.conf -k start
$ sudo /usr/sbin/httpd.worker -f /opt/oracle/omss/msac/conf/httpd.conf -k start
2. Notification Server & File Manager run within Tomcat on Linux:
$ sudo /sbin/service omss start
Installing OMSS on Windows
1. Installer based
2. 25 sections
Quick walk-through
OMSS Admin Console: https://<FQDN>/acp/
OMSS Admin Console (https://<FQDN>/acp/) menu
- Dashboard: Active & New Containers; Policy Violation; Active Logins; Top Users, Apps, Devices; Exceptions
- Containers: List of Containers; Details /container; Activity /container; Effective Policy /container; Lock, Unlock, Wipe /container
- Groups: List of Groups; Corresponding Policies /group; Lock, Unlock, Wipe, Invite /group
- Users: List of Users /group; General info /user; Invite /user
- Catalog: List of vapp; Add, Update, Delete /vapp
- Policies: List of Policies; per policy: Groups, Authentication, Catalog available, Container & vapp, Time, Geo Access, Allowed Devices, Browser behavior, Doc Editing, File Manager, PIM Setting, Provisioning & Templ
- Settings: Client, Web Server, Invite, Invite Template, LDAP, CA, Notification
- Help: Online help, Downloadable PDF
OMSS Security: Role-based access for the admin console
Roles = end user, helpdesk, company admin, system admin
- End user: invite, view container
- Helpdesk: + lock/wipe, reset PIN, view container(s)
- Company admin: + policy, company catalog, config
- System admin: + assign company admin role
Questions?