Oracle® Application Server 10g Security Guide 10g (9.0.4) Part No. B10377-01
Oracle Application Server provides a comprehensive security framework supporting all Oracle Application Server components, as well as third-party and custom applications deployed on the application server. The framework is based on Oracle Application Server Single Sign-On for authentication, Oracle Internet Directory for authorization and centralized user provisioning, Oracle HTTP Server for Web access, and OracleAS JAAS Provider for security in Java 2 Enterprise Edition (J2EE) applications.
This chapter provides an overview of the security architecture and features of Oracle Application Server. It contains the following topics:
Oracle Application Server is a reliable, scalable, secure middle-tier application server designed to support a company's evolution into e-business. With this product, the technological complexity of assembling a complete middle-tier Internet foundation is managed for you. The technological foundation that Oracle Application Server provides can grow with your business. Your application can start small and support growing numbers of users and sophisticated functionality on all of your Web sites.
Oracle Application Server components provide a general framework for development and deployment of applications, as well as specific application services and functionality. This chapter focuses on the security services provided by OracleAS Infrastructure 10g, which includes Oracle Application Server Single Sign-On and Oracle Internet Directory, an LDAP version 3-compliant directory service. This chapter also provides an overview of the security services provided by Oracle HTTP Server, OracleAS Web Cache, OracleAS Portal, and OracleAS JAAS Provider (Java Authentication and Authorization Service), which provide support for a broad range of application development and deployment strategies.
Security is a system issue, not a single-product issue. Each component of your computer application affects the security of the entire system. Proper security requires careful configuration of the following non-Oracle system components:
Oracle Application Server was designed and coded to integrate smoothly with all these external components.
In the overall system security picture, the Web browser is the component over which e-business sites have least control. When running a Web storefront, for example, you may not be able to control the browser that customers use. The customer's browser nonetheless impacts the security of your system, and must be taken into consideration. To securely implement Web transactions, your application must support specific communications and security technologies, including HTTP, LDAP, SSL, X.509 certificates, and Java.
Most commercially available Web browsers support several of these security-related features. However, users must configure the browser properly to take advantage of its security capabilities.
By default, information sent to and from a Web browser is transmitted in the clear; any intermediate site can read the data and potentially alter it in midstream. Web browsers and servers partially address this problem by using the Secure Sockets Layer to encrypt HTTP transmissions (referred to as HTTP/SSL or HTTPS). This ensures the security of data transmitted between the client and the server. However, because commercially available Web browsers do not ship with client certificates, most HTTP/SSL transmissions are authenticated in only one direction, from server to client; the client does not authenticate itself to the server.
Because the HTTP protocol does not support sessions, many e-commerce applications use cookies to store session data for individual customers. These cookies are transmitted as cleartext; this means that they can be intercepted by a third party. For this reason, it is wise for the application to encrypt or obfuscate information that is stored in cookies.
Note:
The W3C has a useful discussion of cookie security issues at
Firewalls control access between the full Internet and a corporation's internal network. A firewall defines which sorts of Internet communications will be permitted into the corporate network, and which will be blocked. A well-designed firewall can foil many common Internet-based security attacks. However, a firewall is only as secure as its maintenance. New Internet-based attacks are constantly being designed, and firewall configurations must constantly be updated to keep abreast of these attacks.
Firewalls monitor communications methods, not communications content. Therefore, firewalls cannot protect your application against misuse of permitted communications channels. For instance, to permit the use of the Web, a firewall must permit HTTP communication. Because firewalls do not monitor content, a firewall cannot protect against security attacks transmitted within valid HTTP messages. Similarly, because a firewall does not monitor the content of e-mail messages, it cannot prevent the transmission of e-mail viruses.
Load balancing distributes an application's load over many identically configured servers. This distribution ensures consistent application availability, even when one or more servers fail. Load balancing has a significant impact on security design, especially on encryption issues. For instance, in many installations, SSL keys are unique to a particular server in a cluster, and are not necessarily shared with other servers. This complicates moving an SSL session from one server to another.
A Virtual Private Network (VPN) allows applications to use the public Internet to communicate securely with the corporate LAN. All IP communications between the application and the corporate LAN are encrypted so that they cannot be read or altered by intermediate sites. A VPN prevents a third party from monitoring or altering communications. Like other network-based security solutions, VPNs cannot prevent the transmission of viruses, nor can they control the content of the information being transmitted.
The security objectives for Oracle Application Server derive from the overall architecture and functions of the product, as well as the range of operational environments and risk scenarios in which Oracle anticipates the product will be deployed.
Oracle Application Server was designed to meet the following objectives:
Certain security services are fundamental to providing security in a multi-user, networked environment. Oracle Application Server has been designed to provide all these services, including:
Oracle Application Server is an open standards-based product. It complies with the J2EE framework and supports standard protocols, such as HTTP, and markup languages, such as HTML and XML. Corresponding Oracle Application Server security services also comply with relevant standards, facilitating interoperation with third-party products. For example, most Oracle Application Server applications support browser-based clients, typically Internet Explorer or Netscape Navigator. Oracle Application Server therefore supports the security standards that these browsers implement, including SSL for encryption, and X.509v3 when certificates are used to authenticate users. Similarly, OC4J supports the J2EE security standards such as the Java Authentication and Authorization Service (JAAS), so that customers can deploy third-party Java applications securely.
Oracle Application Server supports a wide range of potential configurations and deployment options. These configurations span the range from standalone developer installations of Oracle Application Server Java Edition on a small desktop computer to large, distributed, multi-server deployments of Oracle Application Server serving hundreds of thousands of users in a worldwide enterprise.
Oracle Application Server security services have been designed to support the full range of product deployment options. In particular, the security services deployed on each edition of Oracle Application Server have been chosen to support the particular deployment scenarios and types of applications for which that edition of Oracle Application Server is targeted. Moreover, security mechanisms in Oracle Application Server have been designed to ensure that practical, real-world constraints on deployment can be met, such as the need to deploy certain components of Oracle Application Server in the DMZ, other components in the corporate intranet, and allow those components to communicate through firewalls.
See Also:
Chapter 4, "Recommended Deployment Topologies" for more information about deployment options, typical configurations for Oracle Application Server, and specific examples of real-world constraints and how to deploy Oracle Application Server in the face of them.
Oracle Application Server serves as a development and deployment environment for web applications. Oracle Application Server is designed to provide services and tools that reduce the time, effort, and expense to develop and deploy such applications. Because security is an important part of deploying applications in a production environment, Oracle Application Server has been designed to provide the essential security services common to most web applications. Individual components work together with your application and the application server to furnish a complete assortment of security services.
Working in cooperation, the security services provided in Oracle Application Server ensure the following:
An important design objective for Oracle Application Server is to provide security in depth, meaning that:
This section gives a brief overview of the Oracle Application Server middle-tier components. You should be aware of three important points about application servers and the middle tier:
Oracle Application Server provides the following middle-tier components that are particularly important in developing secure applications:
OracleAS Web Cache can be configured to receive HTTPS browser requests and send HTTPS requests to origin servers. OracleAS Web Cache caches frequently accessed Web pages or partial pages.
Oracle HTTP Server is the Web server component of Oracle Application Server. It is based on the Apache HTTP Server. The Apache open source Web server is among the most widely adopted Web server products; it supports a rich set of existing applications, and provides a flexible and well-understood security model. Apache is a very well-tested platform on which to deploy secure applications. Customers familiar with Apache should find it easy to build and deploy secure Web applications using Oracle HTTP Server.
Oracle HTTP Server extends Apache with several standard enhancements, called mods (a shortened form of "modules"), as well as with mods developed by Oracle Corporation. Oracle HTTP Server allows users with Web browsers to access Oracle Application Server using standard Web protocols. Oracle HTTP Server provides an HTTP listener that supports HTTP and HTTPS and serves up information to users in standard HTML format. Oracle HTTP Server provides access to both static Web pages and dynamic content.
Oracle HTTP Server security services include the ability to restrict or allow access to files and services based on the identity of users established by means of basic authentication, by client-supplied X.509 certificates, and by IP or hostname addresses.
Another important feature of Oracle HTTP Server security is protection of data exchanged between clients and the server. This is provided by means of the SSL protocol, which also provides data integrity and strong authentication of both users and HTTP servers.
Note: At this release, Oracle HTTP Server is not installed with SSL enabled. You must explicitly create a security certificate and enable SSL. For details, see the Oracle HTTP Server Administrator's Guide.
In addition, Oracle HTTP Server supplies logging and other facilities needed to detect and resolve intrusion attempts. It provides integration with the other Oracle Application Server components, such as mod_osso, which enables the HTTP server to receive and route requests for single sign-on services to Oracle Application Server Single Sign-On server. Oracle HTTP Server is also well integrated with other Oracle products such as Oracle applications and the database. In this way, the Oracle HTTP Server offers a comprehensive set of security services for building and deploying Web applications.
See Also:
Oracle HTTP Server Administrator's Guide for detailed information about configuring and using the HTTP server
Oracle Application Server Containers for J2EE provides the Java runtime environment for Oracle Application Server components. Oracle Application Server Java Authentication and Authorization Service ensures secure access to and execution of Java applications, as well as integration of Java-based applications with Oracle Application Server Single Sign-On.
The following products may also be installed with Oracle Application Server:
These products have their own product-specific security features, which are discussed in their individual documentation.
Enterprise portals are specifically designed to be the single source of interaction with corporate information and to be the focal point for conducting day-to-day business. OracleAS Portal is a complete and integrated solution for building, deploying, and maintaining a world-class enterprise portal. It combines a rich, declarative environment for creating a portal Web interface, publishing and managing information, accessing dynamic data, and customizing the portal experience with an extensible framework for J2EE-based application access. Using OracleAS Portal, e-businesses have the power to connect employees, partners, and suppliers with the information they need and the flexibility to create views tailored to each community.
In addition to core security capabilities, OracleAS Portal leverages Oracle Identity Management to manage and provide secure access to content and applications.
Oracle Identity Management is an integrated infrastructure on which Oracle products rely for distributed security. Oracle Identity Management ships with Oracle Application Server but it also ships as part of the infrastructure of other Oracle products. The Oracle Identity Management infrastructure is discussed in detail in Chapter 3, "Oracle Identity Management".
An Oracle Application Server application uses at least two different data repositories: one or more Metadata Repositories and the repository for your application data.
These repositories can be housed on the same server, and indeed in the same database, but should not be stored in the same database tables. In particular, your application must not store its data in the Metadata Repository.
The following are common installation and configuration options for Oracle Application Server. For full information on these topologies, see Chapter 4, "Recommended Deployment Topologies", and the Oracle Application Server 10g Installation Guide.
This is a single-computer development topology on which you can build, run, and test J2EE applications. It does not have an OracleAS Infrastructure 10g; it includes Oracle HTTP Server, Oracle Application Server Containers for J2EE, and Oracle Application Server Web Cache.
This is a single-computer development topology containing an OracleAS Infrastructure 10g and an OracleAS Portal and Oracle Application Server Wireless middle tier. The OracleAS Infrastructure 10g installation creates a new Oracle Database and Oracle Internet Directory.
This topology enables Oracle Application Server Forms Services and Oracle Application Server Reports Services developers to build and test their applications. Developers use Forms Builder and Reports Builder to develop their applications. This is a single-computer development topology containing:
This development topology enables Oracle Application Server ProcessConnect architects and modelers to design applications that can communicate with external applications using Oracle Application Server and Oracle Application Server ProcessConnect. This development topology includes:
This topology consists of an OracleAS Infrastructure 10g with two metadata repositories and multiple middle tiers, including at least one Portal and Wireless middle tier. This topology uses two metadata repositories:
This deployment topology is optimized to support J2EE applications. It contains the components required to run J2EE applications in a secure, high availability environment. This topology is intended for enterprises that have users internal as well as external to the organization. Requests from external users go through firewalls.
This deployment topology supports J2EE applications as well as applications that use components in the OracleAS Portal and OracleAS Wireless, and the Business Intelligence and OracleAS Forms Services middle tiers. This topology is intended for enterprises that have users internal as well as external to the organization. Requests from external users go through firewalls.
This topology is a combination of other topologies to support moving applications from test to stage to production environments.
In this topology, Oracle Application Server Certificate Authority has its own Oracle Application Server Metadata Repository, and both these components run on a computer separate from other infrastructure components. The other components use a different metadata repository.
Oracle Identity Management is a new security solution for Oracle Application Server 10g. In addition, security enhancements have been made across the entire product.
This section discusses the following security enhancements:
Oracle Identity Management is an integrated package of directory, security and user management functionality. Oracle Identity Management provides the integrated infrastructure on which Oracle products rely for distributed security.
Oracle Identity Management includes the following components:
The following new features and capabilities for Oracle Identity Management components are described:
Oracle Internet Directory introduces several new features and capabilities with Oracle Application Server 10g, including Windows integration, new password policy options, and partial replication features.
New features for OracleAS Single Sign-On include support for:
For example, customers could configure Oracle Application Server to obtain and accept authenticated user identities from the identity management systems of business partners.
For example, users may get partial privileges if they authenticate using password, but more complete privileges if they use stronger authentication, such as X.509v3.
OracleAS Certificate Authority is a new component in 10g (9.0.4). It completes the Oracle public key infrastructure (PKI) offering by allowing customers to create and manage X.509v3 digital certificates for use in Oracle or third-party software. OracleAS Certificate Authority is fully standards compliant and is seamlessly integrated with Oracle Application Server Single Sign-On and Oracle Internet Directory. It provides an out-of-the-box PKI solution for Oracle customers that is easy to use and manage. OracleAS Certificate Authority provides Web-based certificate management and administration, as well as XML-based configuration. It leverages the identity management infrastructure, high availability, and scalability of the Oracle Application Server platform.
Oracle Application Server has added many other security enhancements across the entire product, including:
To incorporate the latest optimizations and security features of Apache, the Oracle HTTP Server uses Apache v1.3.28. In addition, Oracle HTTP Server has the following security enhancements:
This release of Oracle Application Server provides fine-grained control over system administration and management privileges, allowing you to:
Oracle Application Server Integration adds robust secure communication, including SSL encryption, digital certificates, and digital signatures. The product guarantees exactly-once delivery, provides end-to-end auditing and tracing, and supports non-repudiation. It also supports Oracle Wallet Manager for management of digital credentials.
With Oracle Application Server 10g (9.0.4), Oracle Workflow supports Oracle Application Server Single Sign-On. All users can be authenticated using Oracle Application Server Single Sign-On technology with the users stored in Oracle Internet Directory. As a result, the default Oracle Workflow directory service is based on users stored in Oracle Internet Directory. Oracle Workflow also provides fine-grained security using VPD, which can be used in a hosted environment. Each subscriber's or organization's data is secured from other subscribers or organizations. The subscribers in the hosted environment are stored in Oracle Internet Directory.
Oracle Business Components for Java has added support for implementing application-level security using J2EE security standards (Oracle Application Server Java Authentication and Authorization Service).
Copyright © 2003 Oracle Corporation. All Rights Reserved.