Skip Headers
Oracle9
i
Application Server Security Guide
Release 2 (9.0.2)
Part Number A90146-01
Home
Solution Area
Index
Contents
Title and Copyright Information
Send Us Your Comments
Preface
Audience
Organization
Related Documentation
Conventions
Documentation Accessibility
1 Security Fundamentals in a Web Environment
Promises and Problems of the Internet
Introduction to Security Issues
Security Vulnerabilities
Changed Processes
Higher Volumes
More Valuable Data
Attributes Needed for Successful Security
Hosted Systems and Exchanges
Trade-offs Between Security and Other Business Needs
Security Needs in an Internet Environment
Confidentiality
Authentication
Password-Related Threats
Authorization
Unauthorized Access to Data
Intrusions
Non-Repudiation
Network Attacks
Data Corruption
Loss or Display of Confidential Information
Denial of Service
Fault Containment
Complex User Management Requirements
Multitier Systems
Scaling the Security Administration of Multiple Systems
Security Considerations in an Internet Environment
Considerations for Use of Public Key Infrastructure (PKI)
Authentication Considerations
Passwords
Certificates and Certificate Authorities
Secure Sockets Layer (SSL) Authentication and X.509v3 Digital Certificates
Storing Secure Credentials in an LDAP-Compliant Directory
Single Sign-on
Authorization Considerations
Encryption Considerations
Data Integrity Considerations
Web Browser Security
Security for Database Access
Enterprise User Security
Authentication and Digital Certificates
Connecting From the Middle Tier to the Database
Proxy Authentication
JAAS
Firewalls
Summary
2 Oracle9
i
Application Server Security Architecture and Features
Introduction to Oracle9
i
AS
Security Architecture of Oracle9
i
AS
Elements of Oracle9
i
AS Security Architecture
Oracle9
i
Application Server Implementation of Public Key Infrastructure (PKI)
Secure Sockets Layer
Oracle Wallets
Oracle Wallet Manager
Oracle Internet Directory
What to Install to Get the Security You Require
Default User Password Policy in Oracle9
i
AS
Centralized User Provisioning and Single Sign-On in Oracle9
i
AS
Overview of Centralized User Provisioning and Single Sign-On Model
Benefits of Centralized User Provisioning and Single Sign-On
Oracle Internet Directory Overview
Overview of Security in Oracle Internet Directory
The Oracle Context: A Directory Administration and Delegation Model
How Oracle Internet Directory is Implemented
Delegated Administration Service (DAS)
Oracle9
i
AS Single Sign-On Overview
Oracle9
i
AS Single Sign-On Components
Functional Overview of Oracle9
i
AS Single Sign-On
Authorization, Authentication, and SSL in Oracle9
i
AS
Oracle HTTP Server Security
Oracle HTTP Server Security Services Overview
Access Control, User Authentication, and Authorization with Oracle HTTP Server
Secure Sockets Layer (SSL) and PKI with Oracle HTTP Server
Secure Access to an Oracle Database with Oracle HTTP Server
Oracle Wallet Manager Overview
Oracle9
i
AS Portal Security Overview
Introduction to Oracle9
i
AS Portal
Portal Users
Portal Groups
Portal Authentication
Portal Authorization
Application Integration with Oracle9
i
AS Portal
Oracle9
i
AS Portal Support for HTTPS
Auditing in Oracle9
i
AS Portal
JAAS Security
Authentication Features of JAAS
Authorization Features of JAAS
Delegation Features of JAAS
Oracle9
i
AS Web Cache Security
How to Proceed from Here
3 Configuring Oracle9
i
AS Single Sign-On
Single Sign-On Overview
Configuring Security Features for Oracle9
i
AS Single Sign-On
Enabling the Single Sign-On Server for SSL
Configuring Oracle9
i
AS Single Sign-On for Digital Certificates
System Requirements
Configuration Tasks
Oracle HTTP Server (SSL)
Single Sign-On DAD (mod_plsql)
User Name Mapping Module
Oracle Internet Directory
Single Sign-On Server
Enabling Timeouts
Configuring the SSO Session Timeout
Configuring the Global User Inactivity Timeout
Enabling IP Checking
Enabling IP Checking for the Oracle9
i
AS Single Sign-On Server
Enabling IP Checking for Mod_osso
Managing Password Policies
4 Configuring HTTP Server Security
Overview of Oracle HTTP Server Security
Specifying Configuration Parameters in httpd.conf
Understanding Host-Based Access Control
Access Control for Virtual Hosts
Overview of Host-Based Access Control Schemes
Controlling Access by IP Address
Controlling Access by Domain Name
Controlling Access by Network or Netmask
Controlling Access with Environment Variables
Overview of User Authentication
Using Basic Authentication and Authorization with mod_auth
What Directives to Use for Basic Authentication Configuration with mod_auth
User Authorization
Using Secure Sockets Layer (SSL) to Authenticate Users
About Securing HTTP Communication with mod_ossl
Understanding Classes of Directives Used for Configuring SSL
Using mod_ossl Directives
SSLWallet
SSLWalletPassword
SSLPassPhraseDialog
SSLCARevocationPath
SSLCARevocationFile
SSLMutex
SSLSessionCache
SSLSessionCacheTimeout
SSLProtocol
SSLCipherSuite
SSLVerifyClient
SSLLog
SSLLogLevel
SSLOptions
SSLRequireSSL
SSLRequire
Using the iasobf Utility to Encrypt Wallet Passwords
5 Using Oracle Wallet Manager
About Public Key Infrastructure (PKI)
Wallet Password Management
Strong Wallet Encryption
Microsoft Windows Registry
Oracle Wallet Functions
Backward Compatibility
PKCS #12 Support
Importing Third-Party Wallets
Exporting Oracle Wallets
Multiple Certificate Support
LDAP Directory Support
Managing Wallets
Starting Oracle Wallet Manager
Creating a New Wallet
Opening an Existing Wallet
Closing a Wallet
Saving Changes
Saving the Open Wallet to a New Location
Saving in System Default
Deleting the Wallet
Changing the Password
Using Auto Login
Enabling Auto Login
Disabling Auto Login
Managing Certificates
Managing User Certificates
Adding a Certificate Request
Importing the User Certificate into the Wallet
Removing a User Certificate from a Wallet
Removing a Certificate Request
Exporting a User Certificate
Exporting a User Certificate Request
Managing Trusted Certificates
Importing a Trusted Certificate
Removing a Trusted Certificate
Exporting a Trusted Certificate
Exporting All Trusted Certificates
Exporting a Wallet
6 Configuring Oracle9
i
AS Portal Security
Portal Security Model
User Authentication and Privilege Model
Portal Security Architecture
Relationship between Oracle9
i
AS Portal and Oracle9
i
AS Single Sign-On
Relationship between Oracle9
i
AS Portal and Oracle Internet Directory
Relationship between Oracle9
i
AS Portal and the Oracle Directory Integration Server
Relationship between Oracle9
i
AS Portal and Delegated Administration Service
Creating Users and Groups
User Portlet
Portal User Profile Portlet
Group Portlet
Portal Group Profile Portlet
Granting Access Privileges
Access Tab
Administering Portal Security
Security Settings Upon Installation
Oracle9
i
AS Portal Default Schemas and Accounts
Post-Installation Security Checklist
Configure mod_plsql Settings
Safeguard Passwords for Lightweight Oracle9
i
AS Portal Users
Remove Unnecessary Objects
Revoke Public Access to Provider Components
Control Access to Administration Pages
Protect Oracle9
i
AS Portal Monitoring Packages
Consider SSL and the Login Portlet
Consider LDAP over SSL for Oracle Internet Directory Connections
Change the Application Entity Password
Changing LDAP Settings on the Global Settings Page
Cache for Oracle Internet Directory Parameters
Oracle Directory Integration Server Synchronization
Group creation base DN
Group Search Base Distinguished Name (DN)
7 Configuring JAAS Support
What JAAS Components Do You Need to Configure?
Sample Files
Performing Configuration Tasks Common to J2SE and J2EE Environments
Task 1: Ensure That You Installed the Correct Components
Task 2: Load the JAZN Schema and Default Entries into Oracle Internet Directory (Optional)
Task 3: Specify JAAS as the Policy Provider (optional)
Task 4: Configure a Java2 Policy File (optional)
Task 5: Create a LoginModule Configuration File (optional)
Task 6: Perform Configuration Tasks Unique to Your Java Environment
Performing Configuration Tasks Unique to J2SE Environments
Task 1: Configure the JAAS Property File
Task 1a: Configure the LDAP-Based Provider Type for J2SE
Task 1b: Configure the XML-Based Provider Type for J2SE
Performing Configuration Tasks Unique to J2EE Environments
Task 1: Configure the JAAS Provider and Enable the JAZNUserManager
Task 1a: Configure the LDAP-Based Provider Type for J2EE (Optional)
Task 1b: Configure the XML-Based Provider Type for J2EE
Task 2: Configure an Authentication Method and Filter Modes
Task 3: Configure Your Application for SSL Environments
Task 4: Configure mod_oc4j to Delegate HTTP Requests to OC4J
Task 5: Configure the Security Role (run-as)
RealmPrincipal Class
Differences between <jazn> Tags and the <user-manager> Property
8 Configuring Security for Oracle9
i
AS Web Cache
Modifying Default Security Settings
Configuring HTTPS Protocol Support
Task 1: Create Wallets
Enabling Wallets to Open on Windows
Task 2: Configure HTTPS Listening Ports and Wallet Location
Task 3: Permit Only HTTPS Requests for a Site
9 Configuring Secure Database Access by Oracle9
i
Application Server
Providing for Secure Access to the Oracle9
i
Database Server
Proxy Authentication with Oracle9
i
AS
Auditing for Multitier Applications
Secure Application Roles
Application Query Rewrite: Virtual Private Database (VPD)
Selective Encryption of Stored Data
Middle-Tier Connection Management
Java Security Implementation in the Database
Class Execution
SecurityManager Class
Securing Application Database Access Through mod_plsql
Introduction to mod_plsql
Authenticating Users Through mod_plsql
Basic (Database Controlled Authentication)
Oracle9
i
Application Server Basic Authentication Mode
Deauthentication
Global OWA, Custom OWA, and Per Package (Custom Authentication)
Protecting the PL/SQL Procedures Granted to PUBLIC
Providing Secure Database Connections with JDBC
Introduction to Java Database Connectivity (JDBC)
Java Encryption Features of Oracle Advanced Security
JDBC-Oracle Call Interface Driver
JDBC Thin Driver for Applets and Application
JDBC Server-Side Thin Driver
Oracle Java SSL
Secure Connections for Virtually Any Client
Glossary
Index
Copyright © 2002 Oracle Corporation.
All Rights Reserved.
Home
Solution Area
Index