Академический Документы
Профессиональный Документы
Культура Документы
Telnet Communication
Using Network Encryption
The SSH (Secure Shell) open standards provide encryption and security of all traffic between the mobile device
and the application. This provides an equivalent security mechanism for Telnet traffic to that provided by
HTTPS. This document describes how to implement such a system.
Please note that this involves non-Oracle components, Oracle makes no warranty as to the effectiveness of this
solution.
Introduction
Oracle’s Warehouse Management and Mobile Supply Chain Applications enable most of the transactions to be
executed using the mobile devices connected by an RF network. Connectivity is provided using Telnet over TCP/IP
between a Telnet mobile client and the Oracle MWA Tenet Server. The user is required to login to the application,
and this then restricts access to a defined set of responsibilities using the standard Oracle Applications menu
security.
The traffic passing through the RF network may be protected using a variety of encryption schemes (such as
WEP2), which provide a level of protection. However, once the Telnet traffic passes beyond the RF network
decryption point it is “in the clear”. This includes the user and password used to sign on. This is analogous to
having no “HTTPS” support in the HTML world. An additional concern is that WEP encryption (including WEP2)
has known vulnerabilities to a concerted intrusion attack.
The result is that people have the potential to access data that travels across the network. When the data
includes sensitive and confidential information (such as logon information), it is desirable to make it
unintelligible to the unauthorized parties. It is also important to ensure that the data has not been modified,
either intentionally or unintentionally, during the transport.
There are various options available to make these wireless data transmissions more secure in both the
directions, from server to client and client to the server. This paper describes two encrypted tunneling
solutions that are highly effective in increasing the security of these data transmissions.
stunnel is a daemon program that can be used as either a server or a client endpoint; stunnel ships with Linux
and Solaris and is available for many other Operating systems. See http://www.stunnel.org if you need the
source.
The default setup is as follows for MWA where traffic between the client and the MWA server is unencrypted
If your mobile telnet client supports SSL, the SSL encrypted setup will look like this:
The stunnel process is running on the same host as the MWA server so the unencrypted traffic between the
stunnel proxy and the MWA server does not go on the network.
The number of MWA servers on a host is configurable and is controlled by the MWA configurations file.
By default the startup script will start 3 MWA servers listening for telnet connections on the following ports:
10200, 10202 and 10204. You can see the port numbers when starting the MWA server(s), for example:
The default number of servers and their port numbers is reflected in the configuration file examples below.
If your environment has a different number of servers or the portnumbers are different, adjust the
configuration files accordingly.
When running as root, stunnel supports changing of the runtime user to another, less privileged user such as
nobody. stunnel will also perform a chroot operation if required.
The choice of user for running stunnel depends on whether the OS administrator or the EBS administrator is
appointed to manage the stunnel server.
It is assumed that stunnel is provided by an OS package and is on the PATH of the applmgr OS user.
If you wish to use a self-signed certificate see "Creating a self-signed certificate" later in this document.
In this case we will create an stunnel directory in applmgr's home directory and use that to hold the required
files (certificate file, configuration file and the runtime pid and log file).
$ umask 077
$ mkdir ~/stunnel
Concatenate the key and certificate into a single file as per stunnel requirement.
$ cd ~/stunnel
$ cat key.pem cert.pem > stunnel.pem
$ pwd
/home/applmgr/stunnel
[mwa2]
accept = 11202
connect = localhost:10202
[mwa3]
accept = 11204
connect = localhost:10204
!
Review the config file and fix hostname and port numbers as required.
$ stunnel /home/applmgr/stunnel/mwa.conf
and we're done with the server side (except for integration with the MWA start/stop scripts).
If you wish to enable verification of the SSL certificate on the client, the certificate must be signed by a
Certificate Authority trusted by the clients SSL library. If you used a self-signed certificate you must import the
cert.pem file into the client's trust-store.
The following example configures a linux host with stunnel in client mode, this can be used with a plain-text
telnet client to validate the server side setup.
$ mkdir ~/stunnel
$ cd ~/stunnel
$ pwd
/home/handheld/stunnel
$ umask 77
[mwa1]
accept = localhost:10200
connect = mwahost.example.com:11200
[mwa2]
accept = localhost:10202
connect = mwahost.example.com:11202
[mwa3]
accept = localhost:10204
connect = mwahost.example.com:11204
!
Review the config file and fix hostname and port numbers as required.
$ stunnel /home/handheld/stunnel/mwa_client.conf
openssl req -new -keyout key.pem -nodes -x509 -days 365 -out cert.pem
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Washington
Locality Name (eg, city) [Newbury]:Seattle
Organization Name (eg, company) [My Company Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Example Security Team
Common Name (eg, your name or your server's hostname) []:mwahost.example.com
Email Address []:ssl@example.com
SSH Server
This is the server side component that resides on the same device/machine as the MWA Server. As both the
SSH Server and MWA Server reside on the same device/machine, the communication between these
components is not open for eavesdropping and need not be secured. The primary function of this component
is to acquire the data from the MWA Server and transmit the same to the SSH Client mthrough a secure
mechanism and vice-versa.
The communications between SSH Client and SSH Server will be secured.
SSH (Client) and SSH Deamon (Server) are together a replacement for telnet, rlogin etc and are available on all
the LINUX and UNIX servers by default and require no additional licensing costs. SSH port forwarding is a
feature of ssh where in the normal telnet, ftp, pop3, imap, net8 or any TCP/IP protocols could be routed
thruough ssh secure session. SSH port forwarding would simply forward the incoming connection to the target
port specified (could be Dispatcher or any TCP/IP port).
The only disadvantage is that IP address mapping will not work as all the clients would have to connect to the
same IP address (SSHD Server IP).
SSH Servers
http://www.foxitsoftware.com/wac/server_intro.php
http://www.jfitz.com/tips/ssh_for_windows.html
http://www.bitvise.com/winsshd.html
FIPS 140-2
This approach, while highly secure for most commercial applications, does not conform to all of the
requirements for military applications as defined by the US Department of Defense FIPS 140-2 standards. For
information regarding how to implement this highly stringent level of security, please contact your hardware
provider. The major suppliers of RF equipment for industrial uses have developed FIPS 140-2 compliant
solutions. The following are some references and helpful links.
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
Symbol Offers Mobile Computing Wireless Security for Government ...
EXAMPLES
Example using SSH with PUTTY clients
MWA telnet client connection can be made more secured using SSH Port Forwarding. Any telnet client that
support SSH Port forwarding & VT100 Telnet Protocal can be used for this purpose.
The following are the four simple steps to make your MWA telnet client connection secure on a desktop using
PUTTY Telnet Client
Assumption: It is assumed that the server running MWA Telnet Server also supports SSH sessions
The following screenshots show the various attributes that are configurable on SSH using PUTTY client.
Options controlling
SSH Connections.
Please specify the URL with the MWA server and port number (Ex: http://xyz.abc.com:portnumber). For the
MSCA mobile app, please use the port number on which the MWA server is running. If the port is a SSL port,
then the user has to specify https instead of http.
To Start an SSL port on MWA server, please following the steps listed below -
1. A java keystore needs to be created with all the relevant certificates. Typically, this involves series of
steps
a. Create a private key and keystore
(Ex: keytool -genkey -alias <instancename> -keyalg RSA -keysize 2048 -keystore
<instancename>.jks)
# mwa.Security.KeyStore=
# mwa.Security.KeyStorePassword=
# mwa.Security.Protocols=TLSv1
#mwa.Security.CipherSuites=SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_
DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES
_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SH
A
5. If the java version is 1.7 and above, then set mwa.Security.Protocols to TLSv1.2
(Ex: mwa.Security.Protocols=TLSv1.2)
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
www.oracle.com