Session id: 40112
Simplify and Strengthen Security with Oracle Application Server
Allan L Haensgen, Senior Principal Instructor, Oracle Corporation
Security Risks in an Internet Environment
• Data tampering and fraud
• Eavesdropping and data theft
• Falsifying user identities
• Password-related threats
• Unauthorized access to data
• Lack of accountability
• Hacking
Addressing the Security Challenges
• Deep data protection
  • Multi-layer protection through encryption, extensive auditing, and access control
• Internet-scale security
  • SSL
  • Proxy authentication
  • Java
• Secure hosting and data exchange
  • Public key infrastructure
• Enterprise-wide user security
Application Server Security
• The Oracle Application Server can be used as a client to the database, and therefore you can employ the following security features:
  • Enterprise user security
  • Authentication and digital certificates
  • Proxy authentication
  • Connecting from the middle tier to the database
Java Authentication and Authorization Service
• Java Authentication and Authorization Service (JAAS) provides key security services to the Java programmer in the following areas:
  • Authentication to identify users
  • Authorization to limit what users can do
  • Delegation to enable code to be run securely
Securing the Oracle HTTP Server Itself
The Oracle HTTP Server supports the following security schemes:
• IP-based or domain name-based restriction
• Basic authentication through the username and password combination
• Certificate distinguished name (DN)-based authorization
• Secure Sockets Layer (SSL) protocol
Oracle HTTP Server Security Modules
• mod_access is used for restriction.
• mod_auth and mod_auth_anon are used for authentication.
• mod_ossl is used with SSL.
[Figure: Oracle HTTP Server request-processing phases in which these modules act: 1 Translation, 2 Access Control, 3 MIME Type, 4 Response, 5 Logging]
Host-Based Access Control
• mod_access: IP- or domain-based access control
• You can use the allow and deny directives within a <Directory> ... </Directory> or <Location> ... </Location> context of your httpd.conf or .htaccess file:
  allow from host host ...
  deny from host host ...
Host-Based Access Control
• The order directive specifies the order in which the allow and deny commands are applied:
  order ordering
• The ordering argument can be one of the following:
  1. deny,allow
  2. allow,deny
Host-Based Access Control
• The allow from or deny from directive:
  <Directory /docroot>
    order deny,allow
    deny from all
    allow from 144.25.192.170
  </Directory>
User Authentication
• Basic authentication is performed by the following modules:
  • mod_auth
  • mod_auth_anon
• A resource can be protected on a per-user basis, a per-group basis, or both.
• To access the resource, you also need the permission defined by the Require directive.
Combining User- and Host-Based Authentication
  <Location />
    AuthName "Who are you"
    AuthType Basic
    AuthUserFile /ias/Apache/Apache/auth/password
    Require valid-user
    order deny,allow
    deny from all
    allow from hq1.us.oracle.com
    Satisfy all
  </Location>
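The two configurations above (the <Directory /docroot> host restriction and the <Location /> block that combines Basic authentication with a host restriction through Satisfy) rely on evaluation rules that are easy to misread: with order deny,allow the default is to allow and a matching allow overrides a matching deny, while with order allow,deny the default is to deny and a matching deny wins; Satisfy all requires both the host check and the user check to pass, Satisfy any requires only one. The following model, added here as an illustration and not taken from Oracle or Apache, implements those rules so the effect of a given block can be checked before it is deployed. Directive semantics follow the Apache 1.3 documentation that Oracle HTTP Server is built on; every client address, hostname, account and password below is constructed sample data, and the salted SHA-256 entry stands in for the crypt()/MD5 format a real AuthUserFile holds.

```python
"""Model of the Oracle HTTP Server (Apache 1.3) access decision: mod_access host
restriction (order / allow from / deny from), Basic authentication (AuthUserFile +
Require valid-user) and the Satisfy directive that combines the two.
Added illustration, not Oracle or Apache code; all sample data is constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Client:
    ip: str
    hostname: Optional[str] = None   # reverse-DNS name, if the server resolved one
    user: Optional[str] = None       # Basic-auth credentials, if the request carried any
    password: Optional[str] = None


def host_matches(token: str, client: Client) -> bool:
    """Does one 'allow from' / 'deny from' token match the connecting client?"""
    if token == "all":
        return True
    if token.replace(".", "").isdigit():
        # Full IP address, or a partial one such as "144.25." covering a network
        return client.ip == token or client.ip.startswith(token.rstrip(".") + ".")
    # Otherwise a domain name: matches that host and any host beneath it
    return client.hostname is not None and (
        client.hostname == token or client.hostname.endswith("." + token))


def make_entry(password: str, salt: str) -> str:
    """Stand-in for an AuthUserFile entry (real files hold crypt()/MD5 hashes)."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def check_password(entry: str, password: str) -> bool:
    salt, _ = entry.split("$", 1)
    return hmac.compare_digest(entry, make_entry(password, salt))


@dataclass
class AccessPolicy:
    order: str = "deny,allow"
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)
    users: Dict[str, str] = field(default_factory=dict)  # AuthUserFile contents
    require_valid_user: bool = False
    satisfy: str = "all"

    def host_allowed(self, client: Client) -> bool:
        hit_allow = any(host_matches(t, client) for t in self.allow)
        hit_deny = any(host_matches(t, client) for t in self.deny)
        if self.order == "deny,allow":
            # Default is allow; deny is applied first and a matching allow overrides it
            return hit_allow or not hit_deny
        if self.order == "allow,deny":
            # Default is deny; allow is applied first and a matching deny overrides it
            return hit_allow and not hit_deny
        raise ValueError("unsupported order: " + self.order)

    def user_allowed(self, client: Client) -> bool:
        if not self.require_valid_user:
            return True
        entry = self.users.get(client.user or "")
        return entry is not None and check_password(entry, client.password or "")

    def decide(self, client: Client) -> bool:
        """Satisfy all: both checks must pass.  Satisfy any: either one is enough."""
        host_ok, user_ok = self.host_allowed(client), self.user_allowed(client)
        return (host_ok and user_ok) if self.satisfy == "all" else (host_ok or user_ok)


# <Directory /docroot> from the host-based slide: deny everyone, re-allow one address
DOCROOT_POLICY = AccessPolicy(order="deny,allow", deny=["all"], allow=["144.25.192.170"])

# <Location /> from the combined slide: a valid user AND an hq1.us.oracle.com origin
ROOT_POLICY = AccessPolicy(
    order="deny,allow", deny=["all"], allow=["hq1.us.oracle.com"],
    users={"alice": make_entry("example-pw", "s1")},   # constructed sample account
    require_valid_user=True, satisfy="all")


if __name__ == "__main__":
    print(DOCROOT_POLICY.decide(Client("144.25.192.170")))                                   # True
    print(DOCROOT_POLICY.decide(Client("144.25.192.171")))                                   # False
    print(ROOT_POLICY.decide(Client("144.25.1.1", "hq1.us.oracle.com", "alice", "example-pw")))  # True
    print(ROOT_POLICY.decide(Client("203.0.113.5", "pc.example.net", "alice", "example-pw")))   # False
```

The model also shows why Satisfy all is the safer combination for an intranet-only resource: switching the same block to Satisfy any would let a correct password open it from any network, and a correct origin host open it without a password.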
Establishing Secure Web Sessions
• The SSL protocol is a standard for secure data transmission over the Internet.
• SSL involves three mechanisms:
  • Encryption
  • Authentication
  • Data integrity
• SSL is implemented through mod_ossl.
How SSL Works
[Figure: SSL session between the browser and Oracle9iAS: 1 https request from the browser, 2 public certificate from the server, 3 session key, 4 request for a client certificate (optional)]
Oracle Wallet Manager
• Oracle Wallet Manager is a stand-alone Java application for:
  • Generating a public/private key pair and creating a certificate request for submission to a CA
  • Installing a certificate for the entity
  • Configuring trusted certificates for the entity
  • Uploading or downloading a wallet to or from an LDAP directory such as Oracle Internet Directory
  • Importing and exporting wallets
Oracle HTTP Server with SSL Enabled
• Oracle HTTP Server is already SSL enabled after the installation:
  • SSL is enabled in opmn.xml:
    <ohs>
      <start-mode mode="ssl"/>
    </ohs>
  • There is no specific command to start the Oracle HTTP Server with SSL enabled:
    $> cd $ORACLE_HOME/dcm/bin
    $> dcmctl start -ct ohs
What is Single Sign-On?
• Oracle Application Server Single Sign-On (SSO) is a service that enables:
  • Authentication to multiple applications in an enterprise by entering a username and password only once
  • Centralized administration of username and password combinations for all users in an enterprise
Single Sign-On
• SSO technology utilizes:
  • mod_osso: An HTTP module that provides single sign-on authentication to Oracle9iAS applications
  • Oracle Internet Directory: A Lightweight Directory Access Protocol (LDAP) server using an Oracle9i database as its information store
  • Oracle Wallet Manager: A container utility that stores and manages X.509 certificates and trusted certificates
Single Sign-On
• Oracle9iAS SSO technology provides:
  • Public key infrastructure (PKI) support when using Oracle Internet Directory
  • Multitier integration
Authenticating Partner Applications
[Figure: authentication flow among the Partner Application, Oracle HTTP Server, the SSO Server and Oracle Internet Directory, in numbered steps 1 to 7]
Administering Users With the Delegated Administration Service (DAS)
  http://<hostname>:<port>/oiddas
Lightweight Directory Access Protocol (LDAP)
• LDAP offers the following features:
  • Simplified ISO X.500 Directory Access Protocol
  • Lightweight, browser-friendly client implementation
  • Protocol standard defined and maintained by the Internet Engineering Task Force (IETF)
  • Need for interoperability is driving rapid adoption in the IT community
Oracle Internet Directory (OID)
• OID is:
  • Compliant with LDAP, version 3
  • Implemented as an Oracle9i application
• OID includes:
  • Oracle Directory Server
  • Oracle Directory Replication Server
  • Oracle Directory Manager
  • Command-line tools
  • Delegated Administration Service (DAS)
OID Architectural Overview
[Figure: OID clients reach OID over LDAP or LDAP over SSL; directory administration tools connect to OID; OID stores its data in an Oracle database over Oracle Net connections]
Benefits of OID
• OID provides:
  • Delegated Administration Service (DAS)
  • Failover in cluster configurations
  • Support for Oracle Real Application Clusters
  • Oracle Directory Integration platform, to synchronize with other enterprise repositories including third-party LDAP directories
  • Password policy management
Identity Management
• Centralizes and automates many application user management functions
• Faster deployments
• Brings OID, SSO, DAS, and other security components into one management system
Questions & Answers