11 Oracle Web Cache

11.1.1 Reset the Random Password Generated When Installing Oracle Portal, Forms, Reports, and Discoverer

For enhanced security, no default hard-coded passwords are used for managing Oracle Web Cache.

When you install the Oracle Web Tier installation type, the Oracle Universal Installer prompts you to choose a password. The Web Cache Administrator page of the Oracle Universal Installer prompts you to enter a password for the administrator account. The administrator account is the Oracle Web Cache administrator authorized to log in to Oracle Web Cache Manager and make configuration changes through that interface.

When you install Oracle Portal, Forms, Reports, and Discoverer, the prompt for the administrator password is missing. Instead, the Oracle Portal, Forms, Reports and Discoverer install type uses a random value chosen at install time.

Regardless of the installation type, before you begin configuration, change the passwords for these accounts to a secure password. If you are configuring a cache cluster, all members of the cluster must use the same password for the administrator account.

To change the password, use the Passwords page of Fusion Middleware Control, as described in "Configuring Password Security" in the Oracle Fusion Middleware Administrator's Guide for Oracle Web Cache.

11.1.2 Running Oracle Web Cache Processes as a Different User Is Not Supported

Running Oracle Web Cache as a user other than the installed user through the use of the webcache_setuser.sh setidentity command is not supported.

Specifically, you cannot change the user ID with the following sequence:

1. Change the process identity of the Oracle Web Cache processes in the Process Identity page using Oracle Web Cache Manager (Properties > Process Identity).

2. Use the webcache_setuser.sh script as follows to change file and directory ownership:

   webcache_setuser.sh setidentity user_ID 
   

   user_ID is the user you specified in the User ID field of the Process Identity page.

3. Restart Oracle Web Cache using opmnctl.

   Oracle Web Cache will start and then immediately shut down.

   In addition, messages similar to the following are displayed in the event log:

   [2009-06-02T21:22:46+00:00] [webcache] [ERROR:1] [WXE-13212] [logging] [ecid: ] 
   Access log file /scratch/webtier/home/instances/instance1/diagnostics/logs/WebCache/webcache1/access_log could not be opened.
   [2009-06-02T21:22:46+00:00] [webcache] [WARNING:1] [WXE-13310] [io] [ecid: ] 
   Problem opening file /scratch/webtier/home/instances/instance1/config/WebCache/webcache1/webcache.pid (Access Denied).
   [2009-06-02T21:22:46+00:00] [webcache] [ERROR:1] [WXE-11985] [esi] [ecid: ] 
   Oracle Web Cache is unable to obtain the size of the default ESI fragment page 
   /scratch/webtier/home/instances/instance1/config/WebCache/webcache1/files/esi_fragment_error.txt.
   [2009-06-02T21:22:46+00:00] [webcache] [WARNING:1] [WXE-11905] [security]
   [ecid: ] SSL additional information: The system could not open the specified file. 
   

For more information about the webcache_setuser.sh script, see "Running webcached with Root Privilege" in the Oracle Fusion Middleware Administrator's Guide for Oracle Web Cache.

11.1.3 Using Web Cache in an IPv6 Network

Oracle Web cache supports the IPv6 address family by default. However, before using IPv6, you must ensure that IPv6 support is enabled in the operating system. This issue is not applicable for IPv4-only systems and for systems that support IPv6 at the kernel level.

11.2.1 Procedure to Enable Generation of Core Dump

Information about enabling generation of core dump is not available in the Oracle Fusion Middleware Administrator's Guide for Oracle Web Cache.

To enable generation of a core dump when Oracle Web Cache is shut down, add CORE="YES" to the TRACEDUMP element in the $INSTANCE_HOME/config/WebCache/webcache_name/webcache.xml file.

The updated TRACEDUMP element would look like the following:

<TRACEDUMP FILENAME=file_name CORE="YES"/>

The core dump file with the specified name is created in the $INSTANCE_HOME/config/WebCache/webcache_name directory.

11.2.2 Clarification About Support for CRLs

Section 5.1.1.2.2, "Certificate" of the Oracle Fusion Middleware Administrator's Guide for Oracle Web Cache states the following:

"Although the Oracle HTTP Server supports OpenSSL certificate revocation lists, Oracle Web Cache does not."

This statement is incorrect. Oracle Web Cache does support CRLs.

11.2.3 Clarifications About Configuring the CRL Location

Section 5.5.3, "Configuring Certificate Revocation Lists (CRLs)" of the Oracle Fusion Middleware Administrator's Guide for Oracle Web Cache has the following incorrect statements:

• Incorrect statement: "Fusion Middleware Control or Oracle Web Cache Manager do not provide support for client certificate validation with Certificate Revocation Lists (CRLs). You can configure this support by manually editing the webcache.xml file."

  Clarification: This statement is incorrect. You can enable and configure support for CRLs by using the Oracle Web Cache Manager, as follows:

  1. Go to the Listen Ports page.

  2. Select the HTTPS port for which you want to configure CRL settings, and click Edit Selected.

     The Edit/Add Listen Port dialog box is displayed.

  3. Select the Certificate Revocation List Enabled option.

  4. In the CRL Path field, specify the fully qualified path to the directory in which the CRLs are stored. For example, /home/crl.

  5. In the CRL File field, specify the fully qualified path and filename of the CRL file. For example, /home/oracle/crl/CA/crl.

• Incorrect statement: Step 4 of the procedure to configure certificate validation using CRLs: "Configure CRL file location by adding the SSLCRLPATH and SSLCRLFILE parameters to the HTTPS LISTEN directive."

  Clarification: This statement is incorrect. You must add either SSLCRLPATH or SSLCRLFILE to the HTTPS LISTEN directive, not both.