By user12582982 on Jul 09, 2010
Last week I attended a training on Oracle Information Rights Management. Oracle Information Rights Management (IRM) is a Fusion Middleware security service that uses encryption to secure and track all copies of an organization's most sensitive documents and emails, regardless of how many copies are made, or where those copies are stored and used – even when those copies are sent outside the firewall. In Oracle IRM terminology the process of encrypting documents and emails is referred to as “sealing”. Oracle IRM servers expose a comprehensive set of IRM web services to enable the easy integration of “sealing” within the workflows of content management repositories, collaborative web applications, content filtering/monitoring systems, etc.
One of the features (not part of the product but available as a separate download from samplecode.oracle.com) gives you additional functionality to automatically seal files that are copied or moved into a folder. The Oracle IRM "Hot Folders" application monitors a set of file system folders and uses the IRM web services to automatically seal files copied or moved into them to the associated IRM classifications. This enables organizations to consistently and effectively apply IRM without requiring end users to explicitly seal files, by leveraging the familiar metaphor of placing confidential files “in a safe place”.
In communicating with Oracle IRM 11g, all web services traffic is secured by means of SSL encryption. Since all certificates in our setup are self-signed, the CA certificate (in the TrustMyOwnSelf.jks keystore) must be trusted by the Hot Folders Java application. For this we start the Hot Folders Java application with the Java options collected in the TRUST_HF variable:
set TRUST_HF=-Djavax.net.ssl.trustStore=%IRM_HF%\TrustMyOwnSelf.jks -Djavax.net.ssl.trustStorePassword=welcome1 -Djavax.net.ssl.trustStoreType=JKS
java -Xms128m -Xmx512m %TRUST_HF% -Djava.util.logging.config.file=%IRM_HF%\hotfolders-logging.properties -jar %IRM_HF%\hotfolders.jar %IRM_HF%\hot.properties
However, it appears that the certificate I generated during the training (for one-way SSL encryption from the IRM server to e.g. a browser session) is not suitable for the Hot Folders application. This clearly generated some exceptions when trying to establish a connection from the Hot Folders application to the IRM server, the most relevant being:
<Jul 8, 2010 11:48:43 PM PDT> <Warning> <Security> <BEA-090567> <The certificate chain received from irm.oracle.demo - 192.168.111.12 contained a V3 certificate which keyusage constraints forbid its key use by the key agreement algorithm.>
Looking again very carefully at the Hot Folders documentation it appears that the certificate should have very specific properties:
a. Subject CN: should match hostname of web service URL
b. Basic constraints: Subject Type=CA
c. Key Usage: Non-critical, Key Encipherment and Certificate Signing
Especially 'c. Key Usage' was not what I had enabled when generating my self-signed certificates. This one was actually marked 'Critical, Certificate Signing' only.
So I went back to the server machine and generated a new keypair and certificate, now with some extra options (-keyusagecritical and -keyusage) added to the utils.CertGen command:
java utils.CertGen -selfsigned -certfile MyOwnSelfCA.cer -keyfile MyOwnSelfKey.key -keyfilepass welcome1 -cn "irm.oracle.demo" -keyusagecritical false -keyusage digitalSignature,keyEncipherment
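To verify a server certificate against the three documented requirements before trusting it in the Hot Folders keystore, here is a small added Java check (my own example, not part of the Hot Folders sample or of Oracle's tooling); the class name HotFolderCertCheck is made up, and it reads the certificate file and the expected hostname from the command line:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class HotFolderCertCheck {
    private static final String KEY_USAGE_OID = "2.5.29.15"; // X.509 Key Usage extension
    // Bit positions in X509Certificate.getKeyUsage(), in RFC 5280 order
    private static final int KEY_ENCIPHERMENT = 2, KEY_CERT_SIGN = 5;
    // Returns the documented requirements the certificate fails; an empty list means it passes.
    public static List<String> check(X509Certificate cert, String hostname) throws Exception {
        List<String> problems = new ArrayList<>();
        // a. Subject CN must match the hostname used in the IRM web service URL
        String cn = subjectCn(cert.getSubjectX500Principal());
        if (cn == null || !cn.equalsIgnoreCase(hostname))
            problems.add("Subject CN '" + cn + "' does not match hostname '" + hostname + "'");
        // b. Basic constraints: Subject Type=CA (getBasicConstraints() is -1 for a non-CA cert)
        if (cert.getBasicConstraints() < 0) problems.add("Basic constraints do not mark the certificate as a CA");
        // c. Key Usage: present, NOT critical, and including keyEncipherment and keyCertSign
        boolean[] ku = cert.getKeyUsage();
        if (ku == null) {
            problems.add("Key Usage extension is missing");
        } else {
            if (cert.getCriticalExtensionOIDs() != null && cert.getCriticalExtensionOIDs().contains(KEY_USAGE_OID))
                problems.add("Key Usage is marked critical (must be non-critical)");
            // keyEncipherment is the bit whose absence produced the BEA-090567 warning quoted above
            if (!ku[KEY_ENCIPHERMENT]) problems.add("Key Usage lacks keyEncipherment");
            if (!ku[KEY_CERT_SIGN]) problems.add("Key Usage lacks keyCertSign (Certificate Signing)");
        }
        return problems;
    }
    private static String subjectCn(X500Principal subject) throws Exception {
        for (Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns())
            if (rdn.getType().equalsIgnoreCase("CN")) return rdn.getValue().toString();
        return null;
    }
    public static void main(String[] args) throws Exception { // args: <cert file, DER or PEM> <hostname>
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            List<String> problems = check(cert, args[1]);
            System.out.println(problems.isEmpty() ? "OK: meets the Hot Folders certificate requirements" : "FAIL:");
            for (String p : problems) System.out.println("  - " + p);
        }
    }
}
```

Run it against the exported MyOwnSelfCA.cer with the hostname from the web service URL (irm.oracle.demo here); a certificate generated with the original "Critical, Certificate Signing" settings reports two failures, one for the critical flag and one for the missing keyEncipherment bit.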
After restarting the IRM server and trusting the new certificate again in the Hot Folders application, everything works like a charm, as you can see in the following recording...! Here you can see the Hot Folders application doing its work and scanning (every 30 seconds in this case, but configurable) for new documents to be sealed in the defined "hot folders". In this case I have configured only one such folder: C:\Users\Rene\Desktop\HF-Public. All files dropped into that (hot) folder are sealed to the Public context as defined in the Oracle IRM administration GUI.
First we take a look at the IRM admin GUI, where we can see the application user _HotFolderApp having the "Sealer" role in the Public context. In short, this means that this user has all the rights needed to seal documents to the Public context. Next, we see how we start the Hot Folders application, and finally we drop a new document into the HF-Public folder and see how the document gets sealed automagically!