13
Maintaining data security with Discoverer

13.1 Maintaining data security with Discoverer

This chapter describes the different security mechanisms that protect data accessed by Discoverer users, and contains the following topics:

• Section 13.2, "About Discoverer and data security"

• Section 13.3, "About Database security"

• Section 13.4, "About End User Layer security"

• Section 13.5, "About network security"

• Section 13.6, "Frequently asked questions about security"

13.2 About Discoverer and data security

Discoverer supports a number of security mechanisms to prevent unauthorized access to data.

The diagram below describes the different levels of security protecting data accessed by Discoverer users:

Text description of the illustration secure1.gif

Security is applied at three separate levels:

• database security, such as database privileges, roles, and usernames (for more information, see Section 13.3, "About Database security").

• End User Layer (EUL) security, such as business areas, connections, and Single Sign-On (for more information, see Section 13.4, "About End User Layer security").

• network security, such as JRMP, HTTP, and HTTPS (for more information, see Section 13.5, "About network security").

13.3 About Database security

At the most basic level, a user must log on to a database using a database username and password. Beyond that, access to information is regulated by the database privileges granted to the database user. The database privileges might be granted explicitly to the database user or indirectly by a database role. Discoverer users never see information to which they do not have database access.

Typically, you will set up database security using SQL*Plus or a DBA tool.

13.4 About End User Layer security

This section explains the Discoverer's End User Layer (EUL) security mechanisms.

13.4.1 About business areas

Discoverer managers can control access to information by creating and managing business areas. Discoverer users can only access information to which they have been granted access through a business area. Discoverer users can share information amongst themselves using shared workbooks, but they never see information to which they do not have database access.

Discoverer managers use Discoverer Administrator to set up EUL security. For more information about creating and maintaining business areas, see Oracle9i Discoverer Administrator Administration Guide.

13.4.2 About Discoverer connections

Discoverer managers can further control users' access to information by defining Discoverer connections, which contain Discoverer login information. Each connection specifies an End User Layer containing one or more business areas. Discoverer users can be restricted to using public connections or can be given permission to create their own private connections (see Oracle9i Discoverer Administrator Administration Guide).

Discoverer managers use Oracle9iAS Enterprise Manager to create public connections and give end users permission to create their own private connections. For more information about creating and maintaining Discoverer connections, see Oracle9i Discoverer Administrator Administration Guide.

13.4.3 About Single Sign-On

This section describes the relationship between Oracle9iAS Discoverer and Oracle9iAS Single Sign-On.

13.4.3.1 What is Oracle9iAS Single Sign-On?

Oracle9iAS Single Sign-On is a component of Oracle9i Application Server that enables users to log in to all features of the Oracle9iAS product complement, as well as to other Web applications, using a single user name and password that is entered once.

Note: Oracle9iAS Single Sign-On is implemented using Oracle Sign-On Server.

13.4.3.2 About Single Sign-On and Discoverer

When you install Oracle9i Application Server, the Oracle9iAS Single Sign-On service is installed automatically, but it is not enabled by default.

Discoverer connections work in both Single Sign-On and non-Single Sign-On environments. In an Oracle9iAS Single Sign-On environment, if a Discoverer end user starts Discoverer without having been authenticated by Oracle9iAS Single Sign-On, the user is challenged for Single Sign-On details (username and password). Having provided Single Sign-On details, the user can display the Discoverer connections page and start Discoverer without having to enter a username or password again.

Note: To enable Single Sign-On, open the mod_osso.conf file and enable SSO for discoverer/viewer and /discoverer/plus. Because Discoverer relies on Oracle9iAS Portal to protect the /discoverer/portlet provider URL, do not enable SSO for /discoverer/portlet provider.

13.4.3.3 About authentication in non-Single Sign-on environments

If you are not deploying Discoverer with Single Sign-On, when a Discoverer end user chooses a private connection for the first time in a browser session, they are prompted to confirm the database password. They are not prompted for SSO login details.

If the end user closes their browser and then starts it again (i.e. creates a new browser session), they will be prompted to confirm their database password. End users must confirm the database password each time a private connection is used. End users do not have to confirm passwords for public connections (for more information, see Oracle9i Discoverer Administrator Administration Guide).

Notes:

• In non-SSO environments, Discoverer end users can only access private connections created using the current machine (and Web browser). In other words, if an end user connects to Discoverer from a different machine or Web browser, they do not have access to private connections created on a different machine. In this scenario, end users must re-create the private connections on the new machine.

• To store private Discoverer connections in non-SSO environments, cookies must be enabled in the Web browser.

13.4.4 About Discoverer and Portal security

When you publish Discoverer content in a portlet produced using Oracle9iAS Portal, you give portal users access to the workbooks. However, portal users accessing Discoverer workbooks only see data to which they have database access. In other words, two different users accessing the same workbook might see different data, depending on their database privileges. For more information, see Section 11.1, "Using Discoverer with Oracle9iAS Portal".

13.5 About network security

You can use Discoverer in different network environments that might or might not include firewalls using different communication protocols (i.e. JRMP, HTTP, HTTPS).

The most appropriate network environment depends on both existing network strategies in your organization as well as your requirements for:

• performance (how long it takes to display information)

• accessibility (whether data has to be accessed through a firewall)

• security (how secure the data needs to be during transmission)

Discoverer Viewer and Discoverer Plus require different security configuration:

• For information about configuring security for Discoverer Viewer, see Section 13.5.1, "About Discoverer Viewer security".

• For information about configuring security for Discoverer Plus, see Section 13.5.2, "About Discoverer Plus security".

13.5.1 About Discoverer Viewer security

Discoverer Viewer uses standard HTTP or HTTPS protocols to connect Discoverer clients to the Discoverer servlet.

Text description of the illustration sec1.gif

Note: Discoverer Viewer client machines require only a standard Web browser to run Discoverer Viewer.

In an out-of-the-box Oracle9iAS install, Discoverer Viewer is configured as follows, depending on the environment:

• In an Intranet environment (i.e. inside firewalls), no additional security configuration is required

• In a HTTP environment, no additional security configuration is required. If you are using a firewall, a typical firewall security policy allows HTTP traffic to pass through (e.g. on the default port 80).

• In a HTTPS environment, you need to configure the mod_ossl file on the Oracle9iAS machine (for more information, see Oracle9iAS Security Guide). If you are using a firewall, a typical firewall security policy allows HTTPS traffic to pass through (e.g. on the default port 443).

• In a HTTPS environment, Discoverer uses security certificates on the client machine's browser.

13.5.2 About Discoverer Plus security

Discoverer Plus uses standard Java Remote Method Protocol (JRMP), HTTP or HTTPS protocols to connect clients to the Discoverer servlet.

Text description of the illustration sec2.gif

Discoverer Plus uses two communication channels:

• when a Discoverer Plus client first connects to the Discoverer servlet, the Discoverer Plus applet is downloaded to the client machine

• after the Discoverer Plus applet is installed on the Discoverer client machine, the Discoverer Plus client machine uses one of JRMP, HTTP, or HTTPS to communicate with the Discoverer servlet

In an out-of-the-box Oracle9iAS install, Discoverer Plus is configured as follows, depending on the environment:

• In an Intranet environment (i.e. inside firewalls), no additional security configuration is required. Discoverer Plus clients connect to the Discoverer servlet using the JRMP protocol (i.e. the default Discoverer Plus communication protocol).

  Make sure that the default Discoverer Plus communication protocol (i.e. Default) is selected (for more information, Section 13.5.2.4, "How to set up Discoverer Plus to use the default communication protocol").

• In a HTTP environment, no additional security configuration is required. If you are using a firewall, a typical firewall security policy allows HTTP traffic to pass through (e.g. on the default port 80).

  Although a HTTP connection will work with the Discoverer Plus communication protocol option set to Default (i.e. JRMP), you can improve performance by specifying the Tunneling option on the Discoverer Plus communication protocol page (for more information, Section 13.5.2.5, "How to set up Discoverer Plus to use the Tunneling communication protocol").

• In a HTTPS environment, you might need to configure the certdb.txt file on the clients if you are using a non-standard signing authority (for more information, see Section 13.5.2.1, "About configuring Discoverer Plus for a non-standard signing authority"). If you are using a firewall, a typical firewall security policy allows HTTPS traffic to pass through (e.g. on the default port 443).

  Although a HTTPS connection will still work with Discoverer Plus communication protocol option set to Default (i.e. JRMP), you can improve performance by specifying the Tunneling option or Secure Tunneling option on the Discoverer Plus communication protocol page (for more information, Section 13.5.2.2, "About specifying a Discoverer Plus communication protocol").

Notes:

• Discoverer Plus client machines require browser certificates and JInititator (for more information, see Section 3.3, "About running Discoverer Plus for the first time on a client machine").

• You typically use the same communication protocol to download the Discoverer applet as you do for communication with the Discoverer servlet (for more information, see Section 13.5.2.2, "About specifying a Discoverer Plus communication protocol").

• In a HTTPS environment, security certificates have to be installed for JInititator to provide SSL support for the Discoverer Plus applet.

13.5.2.1 About configuring Discoverer Plus for a non-standard signing authority

If you are deploying Discoverer Plus using a non-standard or private SSL signing authority, you need to make sure that the certificate information is in the \lib\security\certdb.txt file on each client machine. This additional configuration is required because Discoverer ignores the browser's signing authority and uses Oracle JInititator's SSL technology.

13.5.2.2 About specifying a Discoverer Plus communication protocol

Using Oracle Enterprise Manager, you can specify which communication protocol the Discoverer Plus applet (i.e. the Discoverer client) and the Discoverer servlet (i.e. on the Discoverer server) use to communicate. The three communication protocol options are:

• Default

  Specify this option if you want the Discoverer Plus applet to attempt to use JRMP and if this fails, to use HTTP or HTTPS (depending on the URL) to communicate with the Discoverer servlet. This option works regardless of whether the applet is running inside or outside a firewall. However, it will be slower outside the firewall because JRMP will be tried first.

  For more information about specifying this Discoverer Services Configuration option, see Section 13.5.2.4, "How to set up Discoverer Plus to use the default communication protocol".

• Tunneling

  Specify this option if you want the Discoverer Plus client to connect using the same method to communicate with the Discoverer servlet as was originally used to download the applet itself (i.e. either HTTP or HTTPS depending on the URL). This option works regardless of whether a firewall is being used.

  For more information about specifying this Discoverer Services Configuration option, see Section 13.5.2.5, "How to set up Discoverer Plus to use the Tunneling communication protocol".

• Secure Tunneling

  Specify this option if you want the Discoverer Plus client to always use HTTPS to communicate with the Discoverer servlet.

  For more information about specifying this Discoverer Services Configuration option, see Section 13.5.2.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol".

13.5.2.3 How to display the Oracle9iAS Discoverer Plus Configuration page in OEM

You use the Discoverer Plus Configuration page in Oracle Enterprise Manager to specify a Discoverer Plus communication protocol. For example, if you want to encrypt Discoverer Plus data, you might want to configure Discoverer Plus to use the HTTPS communication protocol.

How to display the Oracle9iAS Discoverer Plus Configuration page in OEM:

1. Start Oracle Enterprise Manager.

   If you are connected to the Oracle HTTP Server locally, the URL will be in the form:

   http://hostname:1810

   If you are connecting to the Oracle HTTP server remotely, contact the contact the Oracle9iAS system manager for information about which URL to use.

   Note: For more information about starting OEM, see Oracle Enterprise Manager Configuration Guide.

2. When prompted, enter a user name and password.

   Note: If you need an OEM user name and password, contact the Oracle9iAS system manager.

3. Click OK to start Oracle Enterprise Manager.

   The Oracle Enterprise Manager main page is displayed.

   
   
   Text description of the illustration oem1.gif

4. In the Name column, select the instance that you want to update to display a list of components on that machine (e.g. iasdb.host1.uk.companyname.com).

   A list of Oracle9iAS components on that machine is displayed (e.g. HTTP Server, OC4J_BI_Forms, Web Cache, OC4J_Portal).

5. In the Name column, select the OC4J_BI_Forms link to display the Oracle9iAS Discoverer Services Configuration page.

   Figure 13-1 Oracle9iAS Discoverer Services Configuration page

   
   
   Text description of the illustration oem2.gif

   The Oracle9iAS Discoverer Services Configuration table contains a row for each part of Discoverer that you can configure.

6. In the Update column, select the Update icon in the Discoverer Plus row to display the Discoverer Plus configuration page.

   
   
   Text description of the illustration oem3.gif

   The Discoverer Plus configuration page enables you to change the Discoverer Plus communication protocol (for more information, Section 13.5.2.2, "About specifying a Discoverer Plus communication protocol").

13.5.2.4 How to set up Discoverer Plus to use the default communication protocol

To set up Discoverer Plus to use the default communication protocol:

1. Start Oracle Enterprise Manager and navigate to the Oracle9iAS Discoverer Plus Configuration page (for more information, see Section 13.5.2.3, "How to display the Oracle9iAS Discoverer Plus Configuration page in OEM").

   
   
   Text description of the illustration oem3.gif

2. Select the Default radio button from the Select a communication protocol for Discoverer Plus options.

   The Discoverer Plus applet will attempt to use JRMP. If JRMP is not available, the Discoverer Plus applet will use HTTP or HTTPS (depending on the URL) to communicate with the Discoverer servlet.

   Note: This option works regardless of whether the applet is running inside or outside a firewall. However, it will be slower outside the firewall because JRMP will be tried first. For more information about the other options on this page, refer to "About specifying a Discoverer Plus communication protocol"

3. Click Apply to save the details and display the Oracle9iAS Discoverer Services Configuration page.

4. Give Discoverer Plus users the URL of the Discoverer servlet:

   For example, http://machinename.myorganization.com:7777/discoverer/plus

13.5.2.5 How to set up Discoverer Plus to use the Tunneling communication protocol

To set up Discoverer Plus to use the tunneling communication protocol:

1. Start Oracle Enterprise Manager and navigate to the Oracle9iAS Discoverer Plus Configuration page (for more information, see Section 13.5.2.3, "How to display the Oracle9iAS Discoverer Plus Configuration page in OEM").

   
   
   Text description of the illustration oem3.gif

2. Choose the Tunneling radio button from the Select a communication protocol for Discoverer Plus options.

   The Discoverer Plus applet will use the same protocol to communicate with the Discoverer servlet as was originally used to download the applet itself (i.e. either HTTP or HTTPS). This option works regardless of whether a firewall is being used.

3. Click Apply.

4. Open the appropriate port on the Oracle HTTP Server to accept HTTP or HTTPS traffic as appropriate.

5. Give Discoverer Plus users the URL of the Discoverer servlet:

   For example, http://machinename.myorganization.com:7777/discoverer/plus

13.5.2.6 How to set up Discoverer Plus to use the Secure Tunneling communication protocol

To set up Discoverer Plus to use the secure tunneling communication protocol:

1. Start Oracle Enterprise Manager and navigate to the Oracle9iAS Discoverer Plus Configuration page (for more information, see Section 13.5.2.3, "How to display the Oracle9iAS Discoverer Plus Configuration page in OEM").

   
   
   Text description of the illustration oem3.gif

2. Choose the Secure Tunneling radio button from the Select a communication protocol for Discoverer Plus options.

   The Discoverer Plus applet will use the HTTPS protocol to communicate with the Discoverer servlet.

3. Click Apply.

4. Open the appropriate port on the Oracle HTTP Server to accept HTTPS traffic.

5. Give Discoverer Plus users the URL of the Discoverer servlet:

   For example, https://machinename.myorganization.com:7777/discoverer/plus

13.5.3 What are the differences between Oracle9iAS Discoverer Plus version 9.0.2 and version 4.1

Oracle9iAS Discoverer Plus does not require Visibroker Gatekeeper.

13.5.4 About security vulnerabilities

If you are deploying Oracle9iAS Discoverer with Oracle9iAS Web Cache, there are security implications for some restricted user environments.

For more information, see:

• Section 9.5, "When to use Discoverer Viewer with Oracle9iAS Web Cache"

• Oracle9i Application Server Security Guide

13.6 Frequently asked questions about security

13.6.1 What is a firewall?

A firewall is one system or a group of several systems put in place to enforce a security policy between the Internet and an organization's network.

In other words, a firewall is an electronic `fence' around a network to protect it from unauthorized access.

Figure 13-2 A typical Internet connection with a Client-side and Server-side firewall

Text description of the illustration firewal0.gif

Typically, an organization using a Web Server machine that communicates across the Internet has a firewall between its Oracle HTTP Server machine and the Internet. This is known as a Server-side firewall. Other organizations (or remote parts of the same organization) connecting to this Web Server machine typically have their own firewall, known as a Client-side firewall. Information that conforms to the organization's firewall policy is allowed to pass through the firewalls enabling server machines and client machines to communicate.

13.6.2 What is a demilitarized zone (DMZ)?

A demilitarized zone (DMZ) is a firewall configuration that provides an additional level of security. In this configuration, the DMZ is an extra network placed between a protected network and the Internet. Resources residing within the DMZ are visible on the public Internet, but are secure. DMZs typically hold servers that host a company's public web site, File Transfer Protocol (FTP) site, and Simple Mail Transfer Protocol (SMTP) server.

Figure 13-3 A Demilitarized Zone (DMZ)

Text description of the illustration dmz0.gif

Firewall policies vary across organization and there are a wide variety of bespoke and off-the-shelf firewall packages in use.

A good firewall configuration assumes that resources in the DMZ will be breached, and should minimize damage to the internal network and any sensitive data residing on the network when this happens. This involves two steps:

• move sensitive private resources (at a minimum, databases and application logic) from the DMZ to the internal network behind the internal firewall

• restrict access to sensitive private resources from the DMZ itself, as well as from internal networks

Notes:

• An alternative security solution is to deploy the Oracle HTTP Server in the DMZ and deploy the Discoverer Server and the database behind the internal firewall. Note that this configuration is not supported.

13.6.3 What is HTTPS and why should I use it?

The HTTPS protocol uses an industry standard protocol called Secure Sockets Layer (SSL) to establish secure connections between clients and servers.

The SSL protocol enables sensitive data to be transmitted over an insecure network, such as the Internet, by providing the following security features:

• authentication - a client can determine a server's identity and be certain that the server is not an impostor (and optionally, a server can also authenticate the identity of its client applications)

• privacy - data passed between the client and server is encrypted so that if a third party intercepts their messages, the third party will not be able to unscramble the data

• integrity - the recipient of encrypted data will know if a third party has corrupted or modified that data

You can tell when SSL is enabled in Discoverer as follows:

• the URL to start Discoverer Plus begins with https:// and a closed padlock appears at the left hand side of the applet's status bar

• the URL to start Discoverer Viewer starts with https:// and a closed padlock or other equivalent symbol (browser dependent) appears in the browser's status bar

13.6.4 How do I configure Discoverer to work in an intranet

You configure Discoverer to work in an intranet as follows:

• Discoverer Viewer

  Deploying Discoverer Viewer in an intranet (i.e. inside a firewall) requires no additional configuration after an Oracle9iAS installation. Discoverer Viewer uses a HTTP connection.

• Discoverer Plus

  Deploying Discoverer Plus in an intranet (i.e. inside a firewall) requires no additional configuration after an Oracle9iAS installation. Discoverer Plus uses a direct connection using JRMP (i.e. the Discoverer default communication protocol).

Figure 13-4 A typical network configuration for Discoverer in an intranet

Text description of the illustration secure2.gif

13.6.5 How do I configure Discoverer to work through a firewall?

You configure Discoverer to work through firewalls as follows:

• Discoverer Viewer

  Discoverer Viewer with no encryption (i.e. HTTP) requires no additional security configuration as long as the firewall allows HTTP traffic to pass through (e.g. on the default port 80).

• Discoverer Plus

  Discoverer Plus with no encryption (i.e. HTTP) requires no additional security configuration. To improve performance, you might want to change the Discoverer Plus communication protocol to tunneling to prevent the Discoverer client from first trying to connect using JRMP, then by HTTP (for more information, see Section 13.5.2.5, "How to set up Discoverer Plus to use the Tunneling communication protocol").

Figure 13-5 A typical firewall configuration for Discoverer using HTTP

Text description of the illustration secure3.gif

13.6.6 Can I configure Discoverer to work through multiple firewalls?

Yes, if you are using HTTP or HTTPS Discoverer will work through multiple firewalls (for more information, see Section 13.6.5, "How do I configure Discoverer to work through a firewall?").

13.6.7 How do I configure Discoverer to use encryption in an intranet?

You configure Discoverer to use encryption as follows:

• Discoverer Viewer

  Configure mod_ossl to use HTTPS (for more information, see Oracle9iAS Security Guide) and deploy Discoverer Viewer on a HTTPS URL.

• Discoverer Plus

  Deploy Discoverer Viewer on a HTTPS URL. To improve performance, you might want to change the Discoverer Plus communication protocol to Secure Tunneling to prevent the Discoverer client from first trying to connect using JRMP, then by HTTP, then by HTTPS (for more information, see Section 13.5.2.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol").

13.6.8 How do I configure Discoverer to use encryption through firewalls?

You configure Discoverer to use encryption through firewalls as follows:

• Discoverer Viewer

  Configure Discoverer Viewer to work through a firewall (for more information, see Section 13.6.5, "How do I configure Discoverer to work through a firewall?". Then, make sure that your firewall(s) allow HTTPS traffic to pass through (e.g. on the default port 443).

• Discoverer Plus

  Configure Discoverer Plus to work through a firewall (for more information, see Section 13.6.5, "How do I configure Discoverer to work through a firewall?". Then, make sure that your firewall(s) allow HTTPS traffic to pass through (e.g. on the default port 443).

Figure 13-6 A typical firewall configuration for Discoverer using HTTPS

Text description of the illustration secure5.gif

13.6.9 How can I verify that Discoverer is encrypting communications?

In Discoverer Viewer, make sure that client browsers displays a closed padlock or key symbol in the bottom left-hand corner of the Discoverer Viewer browser window.

In Discoverer Plus, make sure that the client displays a closed padlock symbol in the bottom left-hand corner of the Discoverer Plus applet window.

13.6.10 Can I configure Discoverer for both SSL and non-SSL communication?

Yes, you can configure Discoverer for both SSL and non-SSL communication. For example, you might use the default Discoverer Plus communication protocol that uses a direct JRMP connection inside the firewall, but automatically uses a HTTP or HTTPS for users outside the firewall.

13.6.11 Can I configure Discoverer for both intranet users and users accessing Discoverer through a firewall?

Yes. Discoverer can be configured to first attempt a JRMP connection, then HTTP and HTTP connection. Users inside a firewall will connect using JRMP, but because JRMP is a direct connection that only works inside a firewall, users outside the firewall are connected as HTTP or HTTPS (depending on the URL).

13.6.12 Can I use Discoverer with a NAT device?

You can deploy Discoverer using any standard Network Address Translation (NAT) device.