Oracle® Application Server Security Guide
10g Release 2 (10.1.2) Part No. B13999-01
This document presents basic Web security concepts and describes the Oracle Application Server security framework and how to use it. First, it provides a survey of security issues and requirements that arise when operating private business systems in the public Internet environment. Then it introduces the security features of Oracle Application Server and provides configuration information for setting up a secure middle tier.
This preface contains the following sections:
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at
http://www.oracle.com/accessibility/
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.
The Oracle Application Server Security Guide is intended for security administrators, application developers, database administrators, system operators, and other Oracle users who perform the following tasks:
Configure middle-tier system security
Analyze application security requirements
Implement security technologies
Administer middle-tier system security
To use this document, you need to have general knowledge of Web server administration, Internet concepts, and networking concepts.
This document contains:
Chapter 1, "Oracle Application Server Security Overview"—Basic overview of Oracle Application Server.
Chapter 2, "Oracle Application Server Security Architecture"—Discussion of the Oracle Application Server security framework, including its architecture. It describes each element and how they work together.
Chapter 3, "Recommended Deployment Topologies"—Recommended security topologies for Oracle Application Server.
Chapter 4, "Oracle Identity Management"—Oracle Application Server deployment options.
Chapter 5, "Privilege Delegation"—Common security considerations for Oracle Application Server administrators.
Chapter 6, "Security Best Practices"—Best practices for developing secure applications.
Glossary—Terms that are pertinent to Web security and Oracle environments.
For Oracle Application Server Application Administrators
This section lists common administration tasks and the manuals that describe them.
General administration tasks
Managing static content
Controlling user access to Web content using portals
Managing Oracle Application Server Web Cache
Writing and deploying secure OC4J applications
Oracle Application Server Containers for J2EE Security Guide
Managing Oracle Application Server Wireless for security mechanisms
Managing users, passwords, and privileges
Configuring security for Oracle Application Server Workflow
Administering SSO
Oracle Application Server Single Sign-On Administrator's Guide
Managing certificate issues
Oracle Application Server Certificate Authority Administrator's Guide
For Oracle Identity Management Infrastructure Administrators
For all tasks pertaining to administering and deploying Oracle Identity Management, see the Oracle Identity Management Concepts and Deployment Planning Guide.
For Oracle Application Server Application Developers
This section lists common development tasks and the manuals that describe them.
Configuring SSO
Oracle Application Server Single Sign-On Administrator's Guide
Configuring Web Services
Using keys and certificates for SSL communication in OC4J
Oracle Application Server Containers for J2EE Servlet Developer's Guide
For Oracle Application Server Application Deployers
This section lists common deployment tasks and the manuals that describe them.
Configuring SSO
Oracle Application Server Single Sign-On Administrator's Guide
Configuring security mechanisms in Oracle Business Intelligence Discoverer
For further information on security issues that are not addressed here, see the Oracle Application Server Release Notes in the Oracle Application Server Platform-specific documentation.
For Oracle Application Server Application Users
This section lists common development tasks and the manuals that describe them.
Using Oracle Ultra Search
Setting up the database and PL/SQL to avoid known security problems
Guide to Oracle Documentation
For more information, see these Oracle resources. Descriptions of documents have been added to some listings to guide you to where specific security information can be found. Where document titles are self-explanatory, no description is provided.
The Oracle Application Server Documentation Library contains the following documents:
Oracle Application Server Quick Tour
A brief graphical overview of the application server.
Oracle Application Server Concepts
An overview of the application server features.
Oracle Identity Management Concepts and Deployment Planning Guide
An overview of the Identity Management features.
Oracle Internet Directory Administrator's Guide
Detailed description of Oracle Internet Directory, including Delegated Administration Service and Directory Integration Service, and how to use them.
Oracle Identity Management Application Developer's Guide
Detailed description of how to enable applications to access Oracle Internet Directory by using the C API and the PL/SQL API.
Oracle Application Server Single Sign-On Administrator's Guide
Detailed description of how to enable single sign-on for Oracle Application Server.
Oracle Application Server Containers for J2EE Services Guide
Discussion of how to make effective use of the Oracle Application Server Containers for J2EE security features.
Oracle Application Server mod_plsql User's Guide
Detailed descriptions of how to configure and use Oracle HTTP Server plug-in mod_plsql, which enables communication between the middle tier and an Oracle database.
Oracle Application Server Platform-Specific Documentation contains the following documents:
Oracle Application Server Installation Guide
Detailed description of what you must install to get the security functionality you require.
Oracle Application Server Release Notes
Oracle Application Server Upgrade and Compatibility Guide
Detailed description of what you must do if you are migrating from a previous version of Oracle Application Server, such as migrating digital certificates.
Oracle Application Server Best Practices
Detailed description of Oracle Application Server best practices, including security best practices.
Oracle Database Documentation Library contains the following documents:
Oracle Database Advanced Security Administrator's Guide
Detailed description of how to configure and use Oracle Advanced Security, the Oracle database option that provides encryption, integrity protection, and advanced authentication to Oracle database clients and servers.
Oracle Database Administrator's Guide
Description of the Oracle Database 10g feature proxy authentication, which allows Oracle Application Server to establish an authenticated session with the database.
Oracle Database Application Developer's Guide - Fundamentals
Detailed description of how to enable Oracle Application Server to use database proxy authentication.
Printed documentation is available for sale in the Oracle Store at
http://oraclestore.oracle.com/
To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free of charge and can be done at:
http://www.oracle.com/technology/index.html
If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at
http://www.oracle.com/technology/documentation/index.html
This manual uses the following conventions:
Convention | Meaning |
---|---|
. . . | Vertical ellipsis points in an example mean that information not directly related to the example has been omitted. |
. . . | Horizontal ellipsis points in statements or commands mean that parts of the statement or command not directly related to the example have been omitted. |
boldface text | Boldface type in text indicates a term defined in the text, the glossary, or in both locations. |
italic text | Italicized text indicates placeholders or variables for which you must supply particular values. |
[ ] | Brackets enclose optional clauses from which you can choose one or none. |