In the Oracle Utilities Application Framework, the software is now installed in a mode called "Secure By Default". This has a number of implications for new and existing installations:
- HTTPS is now the default protocol for accessing the product. The installer supplies a demonstration trust store and a demonstration identity store that can be used for default installations.
- The permissions on the files and directories now follow common Oracle standards.
Now there are a few clarifications about these features:
- Customers upgrading from older versions keep the same file permissions and access protocols that were used in past releases, for backward compatibility.
- Customers on past releases can convert to the new file and directory permissions using the "setpermissions" utility shipped with the product. The Administration and Security guides outline the new permissions.
- Customers on past releases can convert to HTTPS in the same way as in past releases. The new keystore is provided as a way of adopting it quickly.
- We supply a basic certificate to be used for HTTPS. This is a demonstration certificate that is limited in strength and scope (much the same scope and strength as the demonstration one supplied with Oracle WebLogic). It is not supported for use in production systems. Customers who want to use HTTPS should use a valid certificate from a valid certificate issuing authority, or build a self-signed certificate. Note that with a self-signed certificate browsers will issue a warning at login unless the certificate (or its issuer) has been added to their trust store, since it does not chain to a root they already trust. Additionally, customers using native mode installations can use the Oracle WebLogic demonstration certificates as well.
- HTTPS was always supported in Oracle Utilities Application Framework. In past releases it was what is termed an opt-in decision (you were opting in to use HTTPS): we installed using HTTP by default, and you then configured HTTPS separately with additional configuration on your domain. In this new release we have shifted to an opt-out decision. We install HTTPS with a demonstration certificate as the default, and you must disable it with additional steps (basically, you do not specify an HTTPS port and only supply an HTTP port to reverse the decision). This is an opt-out decision because you are deciding to opt out of the secure setup. Whether to use HTTPS or HTTP remains an implementation decision; we just default to HTTPS.
- Customers using native mode (or IBM WebSphere) can manage certificates from the console or command lines supplied by that product.
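The list above recommends replacing the demonstration certificate with either a CA-issued or a self-signed one. The following script is an added example, not part of the Oracle Utilities Application Framework installer or its documentation, showing both routes with the JDK's own keytool: build an identity store holding a self-signed certificate, produce a CSR from the same key so a certificate authority can sign it, and inspect what an HTTPS listener actually presents. The keystore path, alias, hostname, password and the "OU=Utilities, O=Example" subject fields are placeholders (assumptions), and the store is written in JKS format because that is the format WebLogic identity stores have traditionally used.

```shell
#!/bin/sh
# Added example, not Oracle's tooling: replace the demonstration identity store
# with one you control. Path, alias, hostname and password are placeholders
# (assumptions). keytool ships with every JDK; openssl is used only for the
# listener check at the end.

# Create a JKS identity store holding a 2048-bit RSA key and a self-signed
# certificate whose CN and SAN both carry the server hostname (browsers match
# the SAN, so a CN-only certificate still warns even when trusted).
#   $1 keystore path  $2 key alias  $3 server hostname  $4 store/key password
make_selfsigned_keystore() {
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$3, OU=Utilities, O=Example, C=US" -ext "SAN=dns:$3" \
        -keystore "$1" -storetype JKS -storepass "$4" -keypass "$4" >/dev/null 2>&1
}

# Emit a CSR for the same key so a real CA can sign it.
#   $1 keystore path  $2 key alias  $3 password  $4 CSR output file
make_csr() {
    keytool -certreq -alias "$2" -keystore "$1" -storepass "$3" -file "$4" >/dev/null 2>&1
}

# Import the CA's signed reply under the same alias; this replaces the
# self-signed certificate. keytool refuses the reply unless the CA's root and
# intermediates are already trusted, so import those first (as trusted certs).
#   $1 keystore path  $2 key alias  $3 password  $4 CA-signed certificate file
import_signed_cert() {
    keytool -importcert -alias "$2" -keystore "$1" -storepass "$3" \
        -file "$4" -noprompt >/dev/null 2>&1
}

# Exit 0 only if the alias exists in the store (keytool errors otherwise).
#   $1 keystore path  $2 password  $3 alias
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Show what a running HTTPS listener really presents. A subject equal to the
# issuer means the listener is still on a self-signed or demonstration cert.
#   $1 hostname  $2 HTTPS port
check_https_port() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

main() {
    [ $# -eq 4 ] || { echo "usage: $0 keystore alias hostname password" >&2; return 2; }
    make_selfsigned_keystore "$1" "$2" "$3" "$4" || { echo "keytool failed" >&2; return 1; }
    make_csr "$1" "$2" "$4" "$3.csr" || { echo "CSR generation failed" >&2; return 1; }
    echo "identity store $1 created; CSR for the CA written to $3.csr"
}

# Run only when invoked with arguments, e.g.:
#   sh make_identity.sh identity.jks ouafsvc app.example.com changeit
if [ $# -gt 0 ]; then main "$@"; fi
```

After pointing the HTTPS listener at the new store and restarting, run check_https_port against the HTTPS port: if the subject and issuer lines still match, or the dates show the certificate has expired, the listener is not yet serving the certificate you intended.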
Secure by default now ensures that Oracle Utilities Application Framework products are consistent with the installation standards employed by other Oracle products.