Setting Up and Managing Indexing and Search Service Security

Starting with Oracle Communications Unified Communications Suite 7.0.6, and Delegated Administrator and Calendar Server 7.0.5, the documentation for Connector for Microsoft Outlook 8.0.2, Contacts Server 8.0, Instant Messaging Server 9.0.2, Delegated Administrator, and Calendar Server 7.0.5 is available on the Oracle Documentation site at

Setting Up and Managing Oracle Communications Indexing and Search Service Security

This information provides an overview of security for the Oracle Communications Indexing and Search Service (ISS) product. It also provides links to security topics that give more in-depth information for configuring and administering ISS security.


Overview of Indexing and Search Service

For an overview of the product, see Introducing Indexing and Search Service. For information on general security principles, such as security methods, common security threats, and analyzing your security needs, see Designing for Security. For an overview of operating system security, see Oracle Solaris Security for System Administrators.

Secure Installation and Configuration

Topics in this section:

Installation Overview

This section outlines the planning process for a secure installation and describes several recommended deployment topologies for the systems.

Understanding Your Environment

To better understand your security needs, ask yourself the following questions:

  1. Which resources am I protecting?
    In an ISS production environment, consider which of the following resources you want to protect and what level of security you must provide:
    • Web host (runs ISS search services)
    • Index host (runs ISS indexing services)
    • Dependent resources, such as GlassFish Server, Directory Server, and Messaging Server
  2. From whom am I protecting the resources?
    In general, resources must be protected from everyone on the Internet. But should the ISS deployment be protected from employees on the intranet in your enterprise? Should your employees have access to all resources within the GlassFish Server environment? Should the system administrators have access to all resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well trusted system administrators. On the other hand, perhaps it would be best to allow no system administrators access to the data or resources.
  3. What will happen if the protections on strategic resources fail?
    In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use ISS. Understanding the security ramifications of each resource helps you protect it properly.

Deployment Topologies

You can deploy ISS on a single host or on multiple hosts, splitting up the components into multiple web and index hosts. For more information, see the following information:

The general architectural recommendation is to use the well-known and generally accepted Internet-Firewall-DMZ-Firewall-Intranet architecture. For more information on addressing network infrastructure concerns, see Determining Your Communications Suite Network Infrastructure Needs.

Installing Infrastructure Components

ISS is deployed within GlassFish Server. For information on how to install and configure GlassFish Server, see Installation Scenario - GlassFish Server. To operate GlassFish Server in secure mode, see Secure Administration Overview. For more information, see Oracle GlassFish Server 2.1.1 Security Guide. For more information on handling GlassFish SSL certificates, see Administering JSSE Certificates.

ISS requires GlassFish Message Queue. When you set up GlassFish Message Queue, you must:

Installing Indexing and Search Service Components

See Installation Scenario - Indexing and Search Service.

The installation prompts for authentication credentials for the following:

  • Messaging Server read-only message store administrator (store.indexeradmin)
  • Message Queue broker handling Messaging Server notifications (user account)
  • ISS Message Queue broker (user and administrator accounts)
  • Directory Server manager (bind DN and password)

Enabling SSL for User/Group Directory Server

The following procedure describes how to enable Secure Sockets Layer (SSL) from ISS components to the User/Group Directory Server.

Import the certificate for the User/Group Directory Server to the operating system before running the ISS setup command. Otherwise, the setup command fails when trying to verify Messaging Server parameters.
  1. On the User/Group Directory Server, use the dsadm command to display the certificate.
  2. Copy the user-group1.cert file to the ISS machine.
  3. Use the certutil command to import the certificate.
    On Red Hat Linux, you need to create the /var/ldap directory.
  4. When running the setup command to configure ISS, set the following option and adjust the port.
    mail.ldap.enablessl = true
    mail.ldap.port = 636
    mail.ldap =
  5. (Optional) If you are using a list of User/Group Directory Servers for mail.ldap, repeat for each server in the list.

Enabling SSL/TLS for IMAP Communications to the Messaging Server

  • To enable Secure Sockets Layer/Transport Layer Security (SSL/TLS) between the ISS indexing node and the Messaging Server IMAP server, set the following options when running the setup command to configure ISS:

If necessary, you can change these values later by editing the iss-dir/etc/jiss.conf file. If you do edit the jiss.conf file, you need to restart the ISS indexing services by using the iss-dir/bin/ command.

Disabling SSLv3 on Front-End GlassFish Server Hosts

Identify the http-listener for the publicly accessible port that has SSL/TLS enabled (security-enabled=true) on which requests for Indexing and Search Service are received. Ensure that SSLv3 is disabled for this listener by setting the option ssl3-enabled to false.

To disable SSLv3 on GlassFish Server 3:

  1. Identify the HTTP listeners that have SSL/TLS enabled (security-enabled=true) and verify whether SSLv3 is enabled on that listener (ssl3-enabled=true).
  2. Disable those HTTP listeners.
  3. Restart GlassFish Server.

To disable SSLv3 on GlassFish Server 2:

  1. Identify the HTTP listeners that have SSL/TLS enabled (security-enabled=true) and verify whether SSLv3 is enabled on that listener (ssl3-enabled=true).
  2. Disable those HTTP listeners.
  3. Restart GlassFish Server.
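
The listener check in step 1 of both procedures can be run offline against a copy of the domain's domain.xml. The following is an added example, not Oracle's code: the two XML samples are constructed, the element layout (protocol elements for GlassFish Server 3, http-listener elements for GlassFish Server 2) and the treatment of a missing ssl3-enabled attribute as enabled are assumptions to confirm against your own domain.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed GlassFish Server 3 layout.
GF3_SAMPLE = """<domain><configs><config name="server-config">
  <network-config><protocols>
    <protocol name="http-listener-1"/>
    <protocol name="http-listener-2" security-enabled="true">
      <ssl cert-nickname="s1as"/>
    </protocol>
    <protocol name="admin-listener" security-enabled="true">
      <ssl cert-nickname="s1as" ssl3-enabled="false"/>
    </protocol>
  </protocols></network-config>
</config></configs></domain>"""

# Constructed sample in the assumed GlassFish Server 2 layout.
GF2_SAMPLE = """<domain><configs><config name="server-config">
  <http-service>
    <http-listener id="http-listener-1" port="8080" security-enabled="false"/>
    <http-listener id="http-listener-2" port="8181" security-enabled="true">
      <ssl cert-nickname="s1as" ssl3-enabled="true"/>
    </http-listener>
  </http-service>
</config></configs></domain>"""


def sslv3_listeners(domain_xml):
    """Return sorted (config, listener) pairs with TLS on and SSLv3 not disabled."""
    root = ET.fromstring(domain_xml)
    findings = []
    for config in root.iter("config"):
        # GlassFish 3 names listeners by protocol "name", GlassFish 2 by http-listener "id".
        candidates = [(p, p.get("name")) for p in config.iter("protocol")]
        candidates += [(h, h.get("id")) for h in config.iter("http-listener")]
        for elem, name in candidates:
            if elem.get("security-enabled", "false").lower() != "true":
                continue  # plain HTTP listener, nothing to check
            ssl = elem.find("ssl")
            # Assumption: a missing ssl3-enabled attribute means SSLv3 is enabled.
            value = ssl.get("ssl3-enabled", "true") if ssl is not None else "true"
            if value.lower() != "false":
                findings.append((config.get("name"), name))
    return sorted(findings)


if __name__ == "__main__":
    for sample in (GF3_SAMPLE, GF2_SAMPLE):
        for config, listener in sslv3_listeners(sample):
            print(f"{config}: {listener} has TLS enabled and SSLv3 not disabled")
```

An empty result after the change and restart means every TLS-enabled listener in the file carries ssl3-enabled=false explicitly.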

Post Installation Configuration

To configure Convergence to access ISS, see Convergence Administrative Tasks. If you want a secure connection between Convergence and ISS, set the Convergence ISS.enablessl parameter to true, for example:

Correspondingly, you must also set the port number (ISS.port) to the SSL port number.

To configure the security protocol used by the IMAP connection to the Messaging Server, configure either the --protocol ssl or --protocol tls option. See Indexing and Search Service Command-Line Utilities for more information.

Uninstall Configuration

When uninstalling the ISS software, you also need to remove the indexing data that was created by ISS. The following steps describe how to uninstall ISS:

  1. Run the setup -u command.
  2. Remove all ISS generated data by running the iss-dir/bin/ -r script.
    Removing the data could take a long time, depending on the size of the index.
  3. Remove the ISS package (Solaris) or RPM (Red Hat Linux).

Security Features

Topics in this section:

Accessing Mail in the Message Store

ISS enables users to read their own files in the Messaging Server message store, but not other users' files. To search mail in the ISS store, users need to authenticate to LDAP to be able to use the RESTful web service. For more information, see ISS Security and Authentication.

Storing Passwords in the Java KeyStore

Starting with version, ISS stores passwords in the Java KeyStore. Use the jks utility to set, maintain, and retrieve password values. To refresh the keystore after adding or changing a password value, use the --refresh command. For more information, see Java KeyStore for Indexing and Search Service.
