
Oracle9i Application Server Security Guide
Release 2 (9.0.2)

Part Number A90146-01

Contents

Title and Copyright Information

Send Us Your Comments

Preface

Audience
Organization
Related Documentation
Conventions
Documentation Accessibility

1 Security Fundamentals in a Web Environment

Promises and Problems of the Internet
Introduction to Security Issues
Security Vulnerabilities
Changed Processes
Higher Volumes
More Valuable Data
Attributes Needed for Successful Security
Hosted Systems and Exchanges
Trade-offs Between Security and Other Business Needs
Security Needs in an Internet Environment
Confidentiality
Authentication
Password-Related Threats
Authorization
Unauthorized Access to Data
Intrusions
Non-Repudiation
Network Attacks
Data Corruption
Loss or Display of Confidential Information
Denial of Service
Fault Containment
Complex User Management Requirements
Multitier Systems
Scaling the Security Administration of Multiple Systems
Security Considerations in an Internet Environment
Considerations for Use of Public Key Infrastructure (PKI)
Authentication Considerations
Passwords
Certificates and Certificate Authorities
Secure Sockets Layer (SSL) Authentication and X.509v3 Digital Certificates
Storing Secure Credentials in an LDAP-Compliant Directory
Single Sign-on
Authorization Considerations
Encryption Considerations
Data Integrity Considerations
Web Browser Security
Security for Database Access
Enterprise User Security
Authentication and Digital Certificates
Connecting From the Middle Tier to the Database
Proxy Authentication
JAAS
Firewalls
Summary

2 Oracle9i Application Server Security Architecture and Features

Introduction to Oracle9iAS
Security Architecture of Oracle9iAS
Elements of Oracle9iAS Security Architecture
Oracle9i Application Server Implementation of Public Key Infrastructure (PKI)
Secure Sockets Layer
Oracle Wallets
Oracle Wallet Manager
Oracle Internet Directory
What to Install to Get the Security You Require
Default User Password Policy in Oracle9iAS
Centralized User Provisioning and Single Sign-On in Oracle9iAS
Overview of Centralized User Provisioning and Single Sign-On Model
Benefits of Centralized User Provisioning and Single Sign-On
Oracle Internet Directory Overview
Overview of Security in Oracle Internet Directory
The Oracle Context: A Directory Administration and Delegation Model
How Oracle Internet Directory is Implemented
Delegated Administration Service (DAS)
Oracle9iAS Single Sign-On Overview
Oracle9iAS Single Sign-On Components
Functional Overview of Oracle9iAS Single Sign-On
Authorization, Authentication, and SSL in Oracle9iAS
Oracle HTTP Server Security
Oracle HTTP Server Security Services Overview
Access Control, User Authentication, and Authorization with Oracle HTTP Server
Secure Sockets Layer (SSL) and PKI with Oracle HTTP Server
Secure Access to an Oracle Database with Oracle HTTP Server
Oracle Wallet Manager Overview
Oracle9iAS Portal Security Overview
Introduction to Oracle9iAS Portal
Portal Users
Portal Groups
Portal Authentication
Portal Authorization
Application Integration with Oracle9iAS Portal
Oracle9iAS Portal Support for HTTPS
Auditing in Oracle9iAS Portal
JAAS Security
Authentication Features of JAAS
Authorization Features of JAAS
Delegation Features of JAAS
Oracle9iAS Web Cache Security
How to Proceed from Here

3 Configuring Oracle9iAS Single Sign-On

Single Sign-On Overview
Configuring Security Features for Oracle9iAS Single Sign-On
Enabling the Single Sign-On Server for SSL
Configuring Oracle9iAS Single Sign-On for Digital Certificates
System Requirements
Configuration Tasks
Oracle HTTP Server (SSL)
Single Sign-On DAD (mod_plsql)
User Name Mapping Module
Oracle Internet Directory
Single Sign-On Server
Enabling Timeouts
Configuring the SSO Session Timeout
Configuring the Global User Inactivity Timeout
Enabling IP Checking
Enabling IP Checking for the Oracle9iAS Single Sign-On Server
Enabling IP Checking for Mod_osso
Managing Password Policies

4 Configuring HTTP Server Security

Overview of Oracle HTTP Server Security
Specifying Configuration Parameters in httpd.conf
Understanding Host-Based Access Control
Access Control for Virtual Hosts
Overview of Host-Based Access Control Schemes
Controlling Access by IP Address
Controlling Access by Domain Name
Controlling Access by Network or Netmask
Controlling Access with Environment Variables
Overview of User Authentication
Using Basic Authentication and Authorization with mod_auth
What Directives to Use for Basic Authentication Configuration with mod_auth
User Authorization
Using Secure Sockets Layer (SSL) to Authenticate Users
About Securing HTTP Communication with mod_ossl
Understanding Classes of Directives Used for Configuring SSL
Using mod_ossl Directives
SSLWallet
SSLWalletPassword
SSLPassPhraseDialog
SSLCARevocationPath
SSLCARevocationFile
SSLMutex
SSLSessionCache
SSLSessionCacheTimeout
SSLProtocol
SSLCipherSuite
SSLVerifyClient
SSLLog
SSLLogLevel
SSLOptions
SSLRequireSSL
SSLRequire
Using the iasobf Utility to Encrypt Wallet Passwords

5 Using Oracle Wallet Manager

About Public Key Infrastructure (PKI)
Wallet Password Management
Strong Wallet Encryption
Microsoft Windows Registry
Oracle Wallet Functions
Backward Compatibility
PKCS #12 Support
Importing Third-Party Wallets
Exporting Oracle Wallets
Multiple Certificate Support
LDAP Directory Support
Managing Wallets
Starting Oracle Wallet Manager
Creating a New Wallet
Opening an Existing Wallet
Closing a Wallet
Saving Changes
Saving the Open Wallet to a New Location
Saving in System Default
Deleting the Wallet
Changing the Password
Using Auto Login
Enabling Auto Login
Disabling Auto Login
Managing Certificates
Managing User Certificates
Adding a Certificate Request
Importing the User Certificate into the Wallet
Removing a User Certificate from a Wallet
Removing a Certificate Request
Exporting a User Certificate
Exporting a User Certificate Request
Managing Trusted Certificates
Importing a Trusted Certificate
Removing a Trusted Certificate
Exporting a Trusted Certificate
Exporting All Trusted Certificates
Exporting a Wallet

6 Configuring Oracle9iAS Portal Security

Portal Security Model
User Authentication and Privilege Model
Portal Security Architecture
Relationship between Oracle9iAS Portal and Oracle9iAS Single Sign-On
Relationship between Oracle9iAS Portal and Oracle Internet Directory
Relationship between Oracle9iAS Portal and the Oracle Directory Integration Server
Relationship between Oracle9iAS Portal and Delegated Administration Service
Creating Users and Groups
User Portlet
Portal User Profile Portlet
Group Portlet
Portal Group Profile Portlet
Granting Access Privileges
Access Tab
Administering Portal Security
Security Settings Upon Installation
Oracle9iAS Portal Default Schemas and Accounts
Post-Installation Security Checklist
Configure mod_plsql Settings
Safeguard Passwords for Lightweight Oracle9iAS Portal Users
Remove Unnecessary Objects
Revoke Public Access to Provider Components
Control Access to Administration Pages
Protect Oracle9iAS Portal Monitoring Packages
Consider SSL and the Login Portlet
Consider LDAP over SSL for Oracle Internet Directory Connections
Change the Application Entity Password
Changing LDAP Settings on the Global Settings Page
Cache for Oracle Internet Directory Parameters
Oracle Directory Integration Server Synchronization
Group creation base DN
Group Search Base Distinguished Name (DN)

7 Configuring JAAS Support

What JAAS Components Do You Need to Configure?
Sample Files
Performing Configuration Tasks Common to J2SE and J2EE Environments
Task 1: Ensure That You Installed the Correct Components
Task 2: Load the JAZN Schema and Default Entries into Oracle Internet Directory (Optional)
Task 3: Specify JAAS as the Policy Provider (optional)
Task 4: Configure a Java2 Policy File (optional)
Task 5: Create a LoginModule Configuration File (optional)
Task 6: Perform Configuration Tasks Unique to Your Java Environment
Performing Configuration Tasks Unique to J2SE Environments
Task 1: Configure the JAAS Property File
Task 1a: Configure the LDAP-Based Provider Type for J2SE
Task 1b: Configure the XML-Based Provider Type for J2SE
Performing Configuration Tasks Unique to J2EE Environments
Task 1: Configure the JAAS Provider and Enable the JAZNUserManager
Task 1a: Configure the LDAP-Based Provider Type for J2EE (Optional)
Task 1b: Configure the XML-Based Provider Type for J2EE
Task 2: Configure an Authentication Method and Filter Modes
Task 3: Configure Your Application for SSL Environments
Task 4: Configure mod_oc4j to Delegate HTTP Requests to OC4J
Task 5: Configure the Security Role (run-as)
RealmPrincipal Class
Differences between <jazn> Tags and the <user-manager> Property

8 Configuring Security for Oracle9iAS Web Cache

Modifying Default Security Settings
Configuring HTTPS Protocol Support
Task 1: Create Wallets
Enabling Wallets to Open on Windows
Task 2: Configure HTTPS Listening Ports and Wallet Location
Task 3: Permit Only HTTPS Requests for a Site

9 Configuring Secure Database Access by Oracle9i Application Server

Providing for Secure Access to the Oracle9i Database Server
Proxy Authentication with Oracle9iAS
Auditing for Multitier Applications
Secure Application Roles
Application Query Rewrite: Virtual Private Database (VPD)
Selective Encryption of Stored Data
Middle-Tier Connection Management
Java Security Implementation in the Database
Class Execution
SecurityManager Class
Securing Application Database Access Through mod_plsql
Introduction to mod_plsql
Authenticating Users Through mod_plsql
Basic (Database Controlled Authentication)
Oracle9i Application Server Basic Authentication Mode
Deauthentication
Global OWA, Custom OWA, and Per Package (Custom Authentication)
Protecting the PL/SQL Procedures Granted to PUBLIC
Providing Secure Database Connections with JDBC
Introduction to Java Database Connectivity (JDBC)
Java Encryption Features of Oracle Advanced Security
JDBC-Oracle Call Interface Driver
JDBC Thin Driver for Applets and Application
JDBC Server-Side Thin Driver
Oracle Java SSL
Secure Connections for Virtually Any Client

Glossary

Index


Copyright © 2002 Oracle Corporation.

All Rights Reserved.