Skip Headers

Oracle9i Application Server Security Guide
Release 2 (9.0.2)

Part Number A90146-01
Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Go to previous page Go to next page

4
Configuring HTTP Server Security

As described in the introductory chapter of this document, security can be organized into the three categories of authentication, authorization, and encryption. Oracle HTTP Server provides support for all three of these categories. It is based on the Apache Web server and its security infrastructure is primarily provided by the Apache module, mod_auth, and the Oracle modules, mod_ossl and mod_osso. The module mod_auth provides authentication based on user name and password pairs, mod_ossl provides confidentiality and authentication with X.509 client certificates over SSL, and mod_osso enables single sign-on for Web applications.

This chapter provides an overview of Oracle HTTP Server security features and configuration information for setting up a secure Web site using them. It contains these topics:

Overview of Oracle HTTP Server Security

Based on the Apache model, Oracle HTTP Server provides access control, authentication, and authorization methods that can be configured with access control directives that are used in the httpd.conf file. When URL requests arrive at Oracle HTTP Server, they are processed in a number of steps determined by the default design of the server and by what configuration parameters you set in the configuration files. The steps for handling URL requests are implemented through a module or plug-in architecture that is common to many Web listeners. Figure 4-1 shows how URL requests are handled by the server. Each step in this process is handled by a different server module depending on how the server is configured. For example, if only basic authentication is used, then the step labeled "Authentication" in Figure 4-1 represents the module, mod_auth.

Figure 4-1 Steps for Handling URL Requests in Oracle HTTP Server

Text description of ohsurlpr.gif follows

Text description of the illustration ohsurlpr.gif

Oracle HTTP Server provides user authentication and authorization at two stages:

Specifying Configuration Parameters in httpd.conf

Parameters for all Oracle HTTP Server configuration directives that are described in this chapter must be entered in the main HTTP server configuration file called httpd.conf, which is located in the following directory:

The following sections explain how host-based access control and user authentication is handled in the HTTP server and how to configure them.

Understanding Host-Based Access Control

Early in the request processing cycle access control is applied, which can inhibit further processing based on the host name, IP address, or other characteristics such as browser type. You use the deny, allow, and order directives to set this type of access control. These restrictions are configured with Oracle HTTP Server configuration directives and can be based on particular files, directories, or URL formats using the <files>, <directory>, and <location> configuration directives as shown in the sample below:

<Directory /internalonly/>

order deny, allow
deny from all
allow from 192.168.1 us.oracle.com
</Directory>

In this example, requests originating from any IP address in the 192.168.1.* range or with the host name us.oracle.com are allowed access to files in the directory /internalonly/.

If you want to match objects at the file system level, then you must use <Directory> or <Files>. If you want to match objects at the URL level, then you must use <Location>. However, if you want to direct proxy control, then you must use <Directory>.


Note:

Allowing or restricting access based on a host name for Internet access is not considered a very good method of providing security, because host names are easy to spoof. While the same is true of IP addresses, sabotage is more difficult. However, setting access control with IP addresses and host names for intranet use is reasonable because the same risks do not apply. This assumes that your firewalls have been properly configured.


Access Control for Virtual Hosts

To set up access control for virtual hosts, place the AccessConfig directive inside a virtual host container in the server configuration file, httpd.conf. When used in a virtual host container, the AccessConfig directive specifies an access control policy contained in a file. The following example shows an excerpt from an httpd.conf file which provides the syntax for using AccessConfig this way:

...
<VirtualHost ip.address.of.host.some_domain.com>

... virtual host directives ...
AccessConfig conf/access.conf
</VirtualHost>

Overview of Host-Based Access Control Schemes

Using host-based access control schemes you can control access to restricted areas based on where HTTP requests originate. Oracle HTTP Server uses mod_access and mod_setenvif to perform host-based access control. When you enter configuration directives into the httpd.conf that use these modules, the server fulfills or denies requests based on the address or name of the host, or based on the HTTP request header contents.

You can use host-based access control to protect static HTML pages, CGI applications, or components.

Oracle HTTP Server supports four host-based access control schemes:

All of these allow you to specify the machines from which access to protected areas is granted or denied. Your decision to choose one or more of the host-based access control schemes is determined by which scheme most efficiently protects your restricted content and applications, or which scheme is easiest to maintain.


Note:

Although the Oracle HTTP Server is based on the open source Apache server, it contains some access control enhancements which improve security. For example, the Apache server provides for access restrictions per directory or folder by means of files that have the suffix .htaccess. The processing of these files is disabled in Oracle HTTP Server, because .htaccess processing can produce security problems and degrade performance.


Controlling Access by IP Address

Controlling access with IP addresses is a preferred method of host-based access control. It does not require DNS lookups that consume time, system resources, and make your server vulnerable to DNS spoofing attacks. However, if IP addresses change without warning, your server is left unprotected.

To configure IP address-based access control, use the syntax shown in the following example:

<Directory /secure_only/>
     order deny,allow
     deny from all
     allow from 207.175.42.154 192.220.208.9
</Directory>

In this example, requests originating from all IP addresses except 207.175.42.154 and 192.220.208.9 are denied access to the /secure_only/ directory.

Controlling Access by Domain Name

Domain name-based access control can be used with IP address-based access control to solve the problem of IP addresses changing without warning. When you combine these methods, if an IP address changes, then the secure areas of your site are still protected because the domain names you want to keep out will still be denied access.

To combine domain name-based with IP address-based access control, use the syntax shown in the following example:

<Directory /co_backgr/>
     order allow,deny
     allow from all
     # 141.217.24.179 is the IP for malicious.cracker.com
     deny from malicious.cracker.com 141.217.24.179
</Directory>

In this example all requests for directory /co_backgr/ are accepted except those that originate from the domain name malicious.cracker.com or the IP address 141.217.24.179. Although this is not a foolproof precaution against domain name or IP address spoofing, it protects your site from malicious.cracker.com even if they change their IP address.

Controlling Access by Network or Netmask

You can control access based on subsets of networks, specified by IP address. The syntax is shown in the following example:

<Directory /payroll/>
     order deny,allow
     deny from all
     allow from 10.1.0.0/255.255.0.0
</Directory>

In this example, access is allowed from a network/netmask pair. A netmask shows how an IP address is to be divided into network, subnet, and host identifiers. Netmasks enable you to refer to only the host ID portion of an IP address.

The netmask in the example above, 255.255.0.0, is the default netmask setting for a Class B address. The binary ones (decimal 255) mask the network ID and the binary zeroes (decimal 0) retain the host ID of a given IP address.

Controlling Access with Environment Variables

You can use arbitrary environment variables for access control, instead of using IP addresses or domain names. Two directives, BrowserMatch and SetEnvIf, can be used for this type of access control.


Note:

Typically, BrowserMatch and SetEnvIf are not used to implement security policies. Instead they are used to provide different handling of requests based on browser types and versions.


Use BrowserMatch when you want to base access on the type of browser used to send a request. For example, if you want to allow access only to requests that come from a Netscape browser, then use the syntax shown in the following example:

BrowserMatch ^Mozilla netscape_browser
<Directory /mozilla-area/>
     order deny,allow
     deny from all
     allow from env=netscape_browser
</Directory>

Use SetEnvIf when you want to base access on header information contained in the HTTP request. For example, if you want to deny access from any browsers using HTTP version 1.0 or earlier, then use the syntax shown in the following example:

SetEnvIf Request_Protocol ^HTTP/1.1 http_11_ok
<Directory /http1.1only/>
     order deny,allow
     deny from all
     allow from env=http_11_ok
</Directory>

Overview of User Authentication

User authentication is a term for a process used to ensure that users are who they claim to be. Basic authentication uses a user name and password. SSL uses an exchange of keys and client certificates. Oracle9iAS Single Sign-On initially uses a user name and password that are stored on Oracle Internet Directory, but after initial authentication, it places a cookie in the user's browser. During subsequent user logins to applications that are registered to use single sign-on, the browser cookie authenticates users transparently until the cookie expires.

The type of user authentication that you choose to use depends on the type of content you want to protect. Typically, basic authentication that is based on user name and password pairs is adequate for static content that only requires minimal security within an intranet. For Internet communications, SSL, which encrypts data and supports X.509 client certificates, is usually used for transmitting sensitive information such as passwords and authenticating users to Web applications and databases. To provide additional security and convenience, Oracle HTTP Server also supports single sign-on, which allows users to log in to multiple Web applications using a single user name and password.

The following sections describe how to use basic authentication and SSL with Oracle HTTP Server:

Using Basic Authentication and Authorization with mod_auth

Basic authentication prompts for a user name and password before serving an HTTP request. When a browser requests a page from a protected area, Oracle HTTP Server responds with an Unauthorized message (status code 401) containing a WWW-Authenticate: header and the name of the realm configured by the configuration directive, AuthName. When the browser receives this response, it prompts for a user name and password. After the user enters a user name and password combination, the browser sends this information back to the server in an Authorization header. In the Authorization header message, the user name and password are encoded as a base 64 encoded string.

Frequently, basic user authentication and authorization are implemented together. User authentication, the second stage of security provided by Oracle HTTP Server, is based on user names and passwords that are checked against a list of known users and passwords. These user name and password pairs may be stored in a variety of forms, such as a text file, database, or directory service. Then configuration directives are used in httpd.conf to configure this type of user authentication on the server. For example, mod_auth uses the AuthUserFile directive to set up basic authentication.

What Directives to Use for Basic Authentication Configuration with mod_auth

Any authentication scheme that you devise requires that you use a combination of the configuration directives listed in Table 4-1.

Table 4-1 Authentication Configuration Directives  
Directive Name Description

AuthName

Defines the name of the realm in which the user names and passwords are valid. Use quotation marks if the name includes spaces

AuthType

Specifies the authentication type. Most authentication modules use basic authentication, which transmits user names and passwords in clear text. This is not recommended.

AuthUserFile

Specifies the path to a file that contains user names and passwords.

AuthGroupFile

Specifies the path to a file that contains group names and their members.

User Authorization

User authorization involves checking the authenticated user against an access control list that is associated with a specific server resource such as a file or directory. To configure user authorization, place the require directive in the httpd.conf file, usually within a virtual host container. User authorization is commonly used in combination with user authentication. After the server has authenticated a user's user name and password, then the server compares the user to an access control list associated with the requested server resource. If Oracle HTTP Server finds the user or the user's group on the list, then the resource is made available to that user.

Using Secure Sockets Layer (SSL) to Authenticate Users

SSL is an encrypted communication protocol that is designed to securely send messages across the Internet. It resides between Oracle HTTP Server on the application layer and the TCP/IP layer, transparently handling encryption and decryption when a secure connection is made by a client.

SSL provides secure communication between client and server by allowing mutual authentication, the use of digital certificates for integrity, and encryption for confidentiality. The protocol is designed to support a range of choices for specific algorithms used for cryptography, message digests, and certificates. This allows algorithm selection for specific servers to be made based on legal, export, or other concerns, and also enables the protocol to take advantage of new algorithms. Choices are negotiated between client and server at the start of establishing a protocol session.

About Securing HTTP Communication with mod_ossl

One common use of SSL is to secure Web HTTP communication between a browser and a Web server. This case does not preclude the use of non-secured HTTP. The secure version is simply HTTP over SSL (named HTTPS). The differences are that HTTPS uses the URL scheme https:// rather than http://, and its default communication port is 443.

mod_ossl is the Oracle Secure Sockets Layer (SSL) implementation in use with the Oracle database. mod_ossl replaces mod_ssl in the Oracle HTTP Server distribution. Oracle no longer supports mod_ssl. A tool is provided to enable you to migrate from mod_ssl to mod_ossl, and convert your text certificates to Oracle wallets.

mod_ossl supports SSL v. 3.0, and provides:

Table 4-2 identifies the differences between the Oracle module, mod_ossl, and mod_ssl.

Table 4-2 Differences between mod_ossl and mod_ssl  
Feature mod_ossl mod_ssl

SSL versions supported

3.0

2.0, 3.0, TLS 1.0

Certificate management

Oracle WalletFoot 1, Foot 2

Text file

Per-directory SSL renegotiation

no

yes

1 Oracle Wallet Manager is a tool that manages certificates for mod_ossl.
2 Supports obfuscated passwords.

The mod_ssl directives listed below are not supported by mod_ossl.

Understanding Classes of Directives Used for Configuring SSL

Directives are classified according to the context in which they can be used: global, per-server, and per-directory.

Table 4-3 Classes and Directives  
Class Context Where Used

global

server configuration

Inside server configuration files, but only outside of container directives (directives such as VirtualHost that have a start and end directive).

per-server

server configuration, virtual host

Inside server configuration files, both outside (for the main server) and inside VirtualHost directives.

per-directory

server configuration, virtual host, directory

Everywhere; particularly inside the server configuration files.

Note that each class is a subset of the class above it. For example, directives from the per-directory class can also be used in the per-server and global contexts, and directives from the per-server class can be used in the global context.

See Also:

Oracle HTTP Server Administration Guide in the Oracle9iAS Documentation Library for information about using all of the configuration directives available with Oracle HTTP Server.

Using mod_ossl Directives

To configure SSL for your HTTP server, you enter the mod_ossl directives you want to use in the httpd.conf file. Each directive is described below.

See Also:

"Specifying Configuration Parameters in httpd.conf" for general information about how to use these parameters in the main HTTP server configuration file.

SSLWallet

Description:

Specifies the location of the wallet with its WRL.

Oracle Corporation recommends that you use wallets created with the Auto Login feature of Oracle Wallet Manager. Wallets that are created with the Auto Login feature do not require a password, so when they are used, the SSLWalletPassword directive does not need to be set.

Syntax:

SSLWallet wrl

The format of wrl is: file:path to wallet

Example:

SSLWallet file:/etc/ORACLE/WALLETS/server

Other values of wrl may be used as permitted by the Oracle SSL product.

Default:

None

Context:

server configuration, virtual host


Caution:

When Auto Login is enabled for a wallet, that wallet is only available to the operating system user who created it.


See Also:

"Using Auto Login" for information about using the Auto Login feature of Oracle Wallet Manager.

SSLWalletPassword

Description:

Wallet password needed to access the wallet specified within the same context. You can choose either a cleartext wallet password or an obfuscated password. The obfuscated password is created with the command line tool iasobf described below.

If you must use a regular wallet, Oracle Corporation recommends that you use the obfuscated password instead of a cleartext password.

Syntax:

SSLWalletPassword password

If no password is required do not set this directive.

Note: If a wallet created with the Auto Login feature of Oracle Wallet Manager is used, then do not set this directive because these wallets do not require passwords.

Default:

None

Context:

server configuration, virtual host

See Also:

"Using the iasobf Utility to Encrypt Wallet Passwords"

SSLPassPhraseDialog

Description:

Type of pass phrase dialog for wallet access. mod_ossl asks the administrator for a pass phrase in order to access the wallet.

Valid Values

  • builtin - when the server is started, mod_ossl prompts for a password for each wallet.

  • exec:path/to/program - when the server is started, mod_ossl calls an external program configured for each wallet. This program is invoked with two arguments: servername:portnumber and RSA or DSA.

Syntax:

SSLPassPhraseDialog type

Example:

SSLPassPhraseDialog exec:/usr/local/apache/sbin/pfilter

Default:

SSLPassPhraseDialog builtin

Context:

server configuration, virtual host

SSLCARevocationPath

Description:

Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.

Syntax:

SSLCARevocationPath path/to/CRL_directory/

Example:

SSLCARevocationPath /ias2/Apache/conf/ssl.crl/

Default:

None

Context:

server config, virtual host

SSLCARevocationFile

Description:

Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath.

Syntax:

SSLCARevocationFile file_name

Example:

SSLCARevocationFile /ias2/Apache/conf/ssl.crl/ca_bundle.crl

Default:

None

Context:

server config, virtual host

SSLMutex

Description:

Type of semaphore (lock) for SSL engine's mutual exclusion of operations that have to be synchronized between HTTP Server processes.

Valid Values:

  • none - Uses no mutex at all

    Not recommended, because the mutex synchronizes the write access to the SSL session cache. If you don't configure a mutex, the session cache can become garbled.

  • file:path/to/mutex - Uses a file for locking. The process ID (PID) of the HTTP Server parent process is appended to the filename to ensure uniqueness. If the filename does not begin with a slash ('/'), it is assumed to be relative to ServerRoot.

    This setting is not available on Windows.

  • sem - Uses an operating system semaphore to synchronize writes. On UNIX, it would be a Sys V IPC semaphore; on Windows, it is a Windows Mutex.

    This is the best choice, if the operating system supports it.

Example:

SSLMutex file:/usr/local/apache/logs/ssl_mutex

Syntax:

SSLMutex type

Default:

SSLMutex none

Context:

server configuration

SSLSessionCache

Description:

Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing.

Valid Values:

  • none - disables the global/interprocess session cache

    Produces no impact on functionality, but produces a noticeable performance penalty.

  • shmht:/path/to/datafile[bytes] - Uses a high-performance hash table (bytes specifies approximate size) inside a shared memory segment in RAM, which is established by the /path/to/datafile. This hash table synchronizes the local SSL memory caches of the server processes.

  • shmcb:/path/to/datafile[bytes] - Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes.

    The performance of shmcb is more uniform in all environments when compared to shmht.

Syntax:

SSLSessionCache type

Examples:

SSLSessionCache shmht:/iasv2/Apache/Apache/logs/ssl_scache(512000)
SSLSessionCache shmcb:/iasv2/Apache/Apache/logs/ssl_scache(512000)

Default:

SSLSessionCache none

Context:

server configuration

SSLSessionCacheTimeout

Description:

Number of seconds before an SSL session in the session cache expires.

Syntax:

SSLSessionCacheTimeout seconds

Default:

300

Context:

server configuration

SSLProtocol

Description:

SSL protocol(s) for mod_ossl to use when establishing the server environment. Clients can only connect with one of the specified protocols.

Valid Values:

  • SSLv3

    SSL version 3.0

  • All

    SSL version 3.0 and any other version supported by Oracle products

Example:

To specify only SSL version 3.0, set this directive to the following:

SSLProtocol +SSLv3

Syntax:

SSLProtocol [+-] protocol

Default:

SSLProtocol +SSLv3

Context

server configuration, virtual host

SSLCipherSuite

Description:

Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table 4-4 shows the tags you can use in the string to describe the cipher suite you want.

The tags are joined together with prefixes to form the cipher specification string.

Valid Values:

  • none

  • +:

  • -:

  • !:

Adds the cipher to the list

Adds the cipher to the list and place them in the correct location in the list

Remove the cipher from the list (can be added later)

Remove the cipher from the list permanently

Example:

SSLCipherSuite ALL:!LOW:!DH

In this example, all ciphers are specified except low strength ciphers and those using the Diffie-Hellman key negotiation algorithm.

Syntax:

SSLCipherSuite cipher-spec

Default:

None

Context

server configuration, virtual host, directory

Table 4-4 SSLCipher Suite Tags  
Function Tag Meaning

Key exchange

kRSA

RSA key exchange

Key exchange

kDHr

Diffie-Hellman key exchange with RSA key

Authentication

aNULL

No authentication

Authentication

aRSA

RSA authentication

Authentication

aDH

Diffie-Hellman authentication

Encryption

eNULL

No encryption

Encryption

DES

DES encoding

Encryption

3DES

Triple DES encoding

Encryption

RC4

RC4 encoding

Data Integrity

MD5

MD5 hash function

Data Integrity

SHA

SHA hash function

Aliases

SSLv3

All SSL version 3.0 ciphers

Aliases

EXP

All export ciphers

Aliases

EXP40

ALl 40-bit export ciphers only

Aliases

EXP56

All 56-bit export ciphers only

Aliases

LOW

All low strength ciphers (export and single DES)

Aliases

MEDIUM

All ciphers with 128-bit encryption

Aliases

HIGH

All ciphers using triple DES

Aliases

RSA

All ciphers using RSA key exchange

Aliases

DH

All ciphers using Diffie-Hellman key exchange


Note:

  • Not all of the ciphers shown in the tags listed in Table 4-4 are supported by Oracle Advanced Security. Table 4-5 lists those supported as of version 9i.

  • There are restrictions if export versions of browsers are used. Oracle module, mod_ossl, supports RC4-40 encryption only when the server uses 512 bit key size wallets.


Table 4-5 Cipher Suites Supported in Oracle Advanced Security 9i  
Cipher Suite Authentication Encryption Data Integrity

SSL_RSA_WITH_3DES_EDE_CBC_SHA

RSA

3DES EDE CBC

SHA

SSL_RSA_WITH_RC4_128_SHA

RSA

RC4 128

SHA

SSL_RSA_WITH_RC4_128_MD5

RSA

RC4 128

MD5

SSL_RSA_WITH_DES_CBC_SHA

RSA

DES CBC

SHA

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

DH anon

3DES EDE CBC

SHA

SSL_DH_anon_WITH_RC4_128_MD5

DH anon

RC4 128

MD5

SSL_DH_anon_WITH_DES_CBC_SHA

DH anon

DES CBC

SHA

SSL_RSA_EXPORT_WITH_RC4_40_MD5

RSA

RC4 40

MD5

SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

RSA

DES40 CBC

SHA

SSL_DH_anon_EXPORT_WITH_RC4_40_MD5

DH anon

RC4 40

MD5

SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

DH anon

DES40 CBC

SHA

SSLVerifyClient

Description:

Specifies whether or not a client must present a certificate when connecting.

Valid Values:

  • none - No client certificate is required

  • optional - Client may present a valid certificate

  • require - Client must present a valid certificate

Syntax:

SSLVerifyClient level

Default:

None

Context

server configuration, virtual host


Note:

The level optional_no_ca included with mod_ssl (in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl.


SSLLog

Description:

Specifies where the SSL engine log file will be written. (Error messages will also be duplicated to the standard HTTP server log file specified by the ErrorLog directive.)

Place this file at a location where only root can write, so that it cannot be used for symlink attacks. If the filename does not begin with a slash ('/'), it is assumed to be relative to the ServerRoot. If the filename begins with a bar ('|'), then the string following the bar is expected to be a path to an executable program to which a reliable pipe can be established.

This directive should occur only once per virtual server configuration.

Syntax:

SSLVerifyClient path/to/filename

Default:

None

Context

server configuration, virtual host

SSLLogLevel

Description:

Specifies the verbosity degree of the SSL engine log file.

Valid Values:

The levels are (in ascending order, where each level is included in the levels above it):

  • none - No dedicated SSL logging is done. Messages of type 'error' are duplicated to the standard HTTP server log file specified by the ErrorLog directive.

  • error - Only messages of the type 'error' (conditions that stop processing) are logged.

  • warn - Messages that notify of non-fatal problems (conditions that do not stop processing) are logged.

  • info - Messages that summarize major processing actions are logged.

  • trace - Messages that summarize minor processing actions are logged.

  • debug - Messages that summarize development and low-level I/O operations are logged.

Syntax:

SSLLogLevel level

Default:

None

Context

server configuration, virtual host

SSLOptions

Description:

Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.

Valid Values:

  • StdEnvVars - Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.

  • ExportCertData - Enables the following additional CGI/SSI variables:

    SSL_SERVER_CERT

    SSL_CLIENT_CERT

    SSL_CLIENT_CERT_CHAIN_n (where n= 0, 1, 2...)

    These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is off by default because there is a performance cost associated with using it.

  • FakeBasicAuth - Translates the subject Distinguished Name (DN) of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. Note that no password is obtained from the user; the string 'password' is substituted.

Valid Values: (for SSLOptions continued)

  • StrictRequire - Denies access when, according to SSLRequireSSL or SSLRequire directives, access should be forbidden. Without StrictRequire, it is possible for a 'Satisfy any' directive setting to override the SSLRequire or SSLRequireSSL directive, allowing access if the client passes the host restriction or supplies a valid user name and password.

    Thus, the combination of SSLRequireSSL or SSLRequire with SSLOptions +StrictRequire gives mod_ossl the ability to override a 'Satisfy any' directive in all cases.

  • CompatEnvVars - Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl 2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.

  • OptRenegotiate - This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.

Syntax:

SSLOptions [+-] option

Default:

None

Context

server configuration, virtual host, directory

SSLRequireSSL

Description:

Denies access to clients not using SSL.

This is a useful directive for absolute protection of an SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.

Syntax:

SSLRequireSSL

Default:

None

Context

directory

SSLRequire

Description:

Denies access unless an arbitrarily complex boolean expression is true. The expression must match the syntax below (given as a BNF grammar notation):

expr ::= "true" | "false"
"!" expr
expr "&&" expr
expr "||" expr
"(" expr ")"

comp ::=word "==" word | word "eq" word
word "!=" word |word "ne" word
word "<" word |word "lt" word
word "<=" word |word "le" word
word ">" word |word "gt" word
word ">=" word |word "ge" word
word "=~" regex
word "!~" regex
wordlist ::= word
wordlist "," word

word ::= digit
cstring
variable
function

digit ::= [0-9]+

cstring ::= "..."

variable ::= "%{varname}"

Table 4-6 and Table 4-7 list standard and SSL variables. These are valid values for varname.

function ::= funcname "(" funcargs ")"

For funcname, the following function is available:

file(filename)

The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.

Syntax:

SSLRequire expression

Default:

None

Context

directory

Table 4-6 Standard variables for SSLRequire varname

Standard Variables

HTTP_USER_AGENT

PATH_INFO

AUTH_TYPE

HTTP_REFERER

QUERY_STRING

SERVER_SOFTWARE

HTTP_COOKIE

REMOTE_HOST

API_VERSION

HTTP_FORWARDED

REMOTE_IDENT

TIME_YEAR

HTTP_HOST

IS_SUBREQ

TIME_MON

HTTP_PROXY_CONNECTION

DOCUMENT_ROOT

TIME_DAY

HTTP_ACCEPT

SERVER_ADMIN

TIME_HOUR

HTTP:headername

SERVER_NAME

TIME_MIN

THE_REQUEST

SERVER_PORT

TIME_SEC

REQUEST_METHOD

SERVER_PROTOCOL

TIME_WDAY

REQUEST_SCHEME

REMOTE_ADDR

TIME

REQUEST_URI

REMOTE_USER

ENV:variablename

REQUEST_FILENAME

Table 4-7 SSL variables for SSLRequire varname  

SSL Variables

HTTPS

SSL_PROTOCOL

SSL_CIPHER_ALGKEYSIZE

SSL_CIPHER

SSL_CIPHER_EXPORT

SSL_VERSION_INTERFACE

SSL_CIPHER_USEKEYSIZE

SSL_VERSION_LIBRARY

SSL_SESSION_ID

SSL_CLIENT_V_END

SSL_CLIENT_M_SERIAL

SSL_CLIENT_V_START

SSL_CLIENT_S_DN_ST

SSL_CLIENT_S_DN

SSL_CLIENT_S_DN_C

SSL_CLIENT_S_DN_CN

SSL_CLIENT_S_DN_O

SSL_CLIENT_S_DN_OU

SSL_CLIENT_S_DN_G

SSL_CLIENT_S_DN_T

SSL_CLIENT_S_DN_I

SSL_CLIENT_S_DN_UID

SSL_CLIENT_S_DN_S

SSL_CLIENT_S_DN_D

SSL_CLIENT_I_DN_C

SSL_CLIENT_S_DN_Email

SSL_CLIENT_I_DN

SSL_CLIENT_I_DN_O

SSL_CLIENT_I_DN_ST

SSL_CLIENT_I_DN_L

SSL_CLIENT_I_DN_T

SSL_CLIENT_I_DN_OU

SSL_CLIENT_I_DN_CN

SSL_CLIENT_I_DN_S

SSL_CLIENT_I_DN_I

SSL_CLIENT_I_DN_G

SSL_CLIENT_I_DN_Email

SSL_CLIENT_I_DN_D

SSL_CLIENT_I_DN_UID

SSL_CLIENT_CERT

SSL_CLIENT_CERT_CHAINn

SSL_CLIENT_VERIFY

SSL_CLIENT_M_VERSION

SSL_SERVER_M_VERSION

SSL_SERVER_V_START

SSL_SERVER_V_END

SSL_SERVER_M_SERIAL

SSL_SERVER_S_DN_C

SSL_SERVERT_S_DN_ST

SSL_SERVER_S_DN

SSL_SERVER_S_DN_OU

SSL_SERVER_S_DN_CN

SSL_SERVER_S_DN_O

SSL_SERVER_S_DN_I

SSL_SERVER_S_DN_G

SSL_SERVER_S_DN_T

SSL_SERVER_S_DN_D

SSL_SERVER_S_DN_UID

SSL_SERVER_S_DN_S

SSL_SERVER_I_DN

SSL_SERVER_I_DN_C

SSL_SERVER_S_DN_Email

SSL_SERVER_I_DN_L

SSL_SERVER_I_DN_O

SSL_SERVER_I_DN_ST

SSL_SERVER_I_DN_CN

SSSL_SERVER_I_DN_T

SSL_SERVER_I_DN_OU

SSL_SERVER_I_DN_G

SSL_SERVER_I_DN_I

Using the iasobf Utility to Encrypt Wallet Passwords

If you are using an Oracle Wallet that has been created with Auto Login enabled (an SSO wallet), then you do not need to use this utility. However, if you must use a regular wallet with a password, then Oracle Corporation recommends that you use the password obfuscation tool iasobf, which is located in the HTTP server bin directory to generate an obfuscated wallet password from a cleartext password.

To generate an obfuscated wallet password, the command syntax is:

iasobf -p password 

The obfuscated password is printed to the terminal. The arguments are optional. If you do not type them, the tool will prompt you for the password.


For Windows systems:

The corresponding tool for Windows environments is called osslpassword, which can be used in the same way as iasobf.


See Also:

All of the following documents can be found in the Oracle9iAS Documentation Library unless otherwise specified.

  • Oracle HTTP Server Administration Guide for complete information about administering Oracle HTTP Server.

  • Oracle9i Application Server Performance Guide for server performance tuning information.

  • Oracle9i Application Server Administrator's Guide for information about using the management console GUI tool for Oracle HTTP Server.

  • Chapter 5, "Using Oracle Wallet Manager" for information about creating wallets and using them.


Go to previous page Go to next page
Oracle
Copyright © 2002 Oracle Corporation.

All Rights Reserved.
Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index