Oracle® Application Server Concepts
10g Release 2 (10.1.2) B13994-02
This chapter provides an overview of Oracle Application Server security solutions. The topics include:
Oracle Application Server provides a comprehensive integrated security framework supporting all of its components, as well as third party and custom applications deployed on Oracle Application Server. The framework is based on Oracle Identity Management for single sign-on, user administration, group management, and provisioning.
In addition to the components involved in Identity Management, other Oracle Application Server components are also involved in providing security for your online applications. The main components involved are Oracle Application Server Web Cache, Oracle HTTP Server, Oracle Application Server Portal, Oracle Application Server Single Sign-On, Oracle Internet Directory, Oracle Application Server Certificate Authority, and Oracle Application Server Metadata Repository.
Identity management is the process by which the complete security life cycle for network entities is managed for an organization.
Identity management most commonly refers to the management of an organization's application users, where steps in the security life cycle include account creation, suspension, privilege modification, and account deletion. The network entities managed may also include devices, processes, applications, or anything else that needs to interact in a networked environment. Entities managed by an identity management process may also include users outside of the organization, such as customers and trading partners.
Identity management is important to IT deployments because it can reduce administrative costs while at the same time improving security. Identity Management benefits include:
Identity management saves money. For most enterprises, application user administration is a very expensive, laborious, and error-prone process. Identity management centralizes and automates many user administration tasks, reducing costs while improving accuracy and security.
Identity management enables faster deployments. Typically, provisioning of a new application means creating and managing separate user accounts and their privileges. Identity management enables the new applications to leverage the existing infrastructure for its user management, and thus reduces the time it takes to deploy and manage new applications.
Identity management improves the end-user experience. An identity management strategy allows new users to gain access to their applications quickly, eliminating wasted employee time. By providing single sign-on for all applications, users no longer have to keep track of different login and password information for different purposes. Further, identity management enables a customized application experience, enhancing usability.
Identity management improves application security. An identity management strategy allows users to have their passwords and security credentials managed centrally. This reduces the temptation for users to write down security information, a practice that raises the risk of unauthorized access.
Figure 11-1 illustrates how the elements of Oracle Application Server function together. The functionality of the various components is as follows:
OracleAS Web Cache is positioned closest to the client, where it provides efficiency and performance.
Oracle HTTP Server is the front-end Web server for Oracle Application Server. Through Apache-based modules as well as modules developed by Oracle, users can access a variety of Oracle Application Server services.
OracleAS Portal provides the infrastructure, including the ability to create and manage Web pages. It lets you display multiple portlets on each Web page, with links to content through Java applications.
The Java engine lies underneath Oracle Application Server Web Cache and Oracle HTTP Server, supporting their ability to link efficiently.
OracleAS Single Sign-On enables users to log in to Oracle Application Server and gain access to those applications for which they are authorized, without requiring them to re-enter a user name and password for each application.
Oracle Internet Directory is a general purpose directory service that enables fast retrieval and centralized management of information about dispersed users and network resources.
Oracle Application Server Certificate Authority generates and publishes X.509v3 certificates to support PKI-based (strong) authentication methods.
Oracle Application Server Metadata Repository is an Oracle database used to hold metadata, including identity information.
Figure 11-1 Oracle Application Server Security Architecture
The Oracle Application Server security framework involves many components, each of which contributes features that enable you to secure your Oracle Application Server deployment:
Oracle Identity Management is an integrated infrastructure that Oracle products rely on for distributed security. The Oracle Identity Management infrastructure includes the following components:
Oracle Internet Directory, a scalable, robust LDAP V3-compliant directory service implemented on the Oracle Database.
Oracle Directory Integration and Provisioning Platform, a component of Oracle Internet Directory, which consists of two parts:
Directory Provisioning Integration Service, which sends notifications to target applications to reflect changes including creating and deleting users, as well as changes to a user's status or information
Directory Integration, which allows you to synchronize data between Oracle Internet Directory and other connected directories, and develop and deploy custom connectors
Oracle Delegated Administration Services, which provides self-customizing administration of directory information by users and application administrators.
Oracle Application Server Single Sign-On, which provides single sign-on access to Oracle and third-party Web applications.
Oracle Application Server Certificate Authority, which generates and publishes X.509v3 certificates to support PKI-based (strong) authentication methods.
While Oracle Identity Management is designed to provide an enterprise infrastructure for Oracle products, it may also serve as a general-purpose, robust, and scalable enterprise-wide identity management platform for user-written and third-party applications, hardware, and network operating systems. Custom applications may leverage Oracle Identity Management through a set of documented and supported services and APIs, for example:
LDAP APIs for C, Java, and PL/SQL, each compatible with other LDAP SDKs.
Oracle Delegated Administration Services Web-based services for building customized administration interfaces that manipulate directory data.
Oracle Directory Integration Services to facilitate the development and deployment of custom solutions for synchronizing Oracle Internet Directory with third-party directories and other user repositories that are not configurable using existing Oracle connectors.
Oracle Provisioning Integration Services for provisioning Oracle and third-party applications, as well as a means of integrating the Oracle environment with other provisioning systems.
Oracle Application Server Single Sign-On provides APIs for developing and deploying partner applications that share a single sign-on session with other Oracle Web applications.
Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider, the Oracle implementation of the JAAS standard, allows applications developed for the Web using the Oracle J2EE environment to leverage the identity management infrastructure for authentication and authorization.
In addition, Oracle works with third-party application vendors to ensure their applications can leverage Oracle Identity Management out of the box.
An important security feature of Oracle Application Server is support of single sign-on to Web-based applications. Oracle Application Server Single Sign-On addresses the problem of "too many passwords." With the rapid growth of the Internet, this problem has become increasingly prevalent, causing users inconvenience that typically results in poor security practices and increased administrative costs.
Oracle Application Server Single Sign-On resolves this problem by enabling users to log in to Oracle Application Server and gain access to those applications for which they are authorized, without requiring them to re-enter a user name and password for each application.
It is fully integrated with Oracle Internet Directory, which stores user information. It supports LDAP-based user and password management through Oracle Internet Directory.
Oracle Application Server Single Sign-On provides the following functionality:
It authenticates users and passes their identities securely to partner applications, such as Oracle Application Server Portal. It prompts users for a username and password when they access the system for the first time in a given time period.
It uses cookies, which are formatted pieces of information stored on a browser client by a Web server. Cookies allow Web servers to store and retrieve information about the client user, effectively maintaining client state information in the otherwise stateless Web environment.
It supports Public Key Infrastructure (PKI) client authentication, which enables PKI authentication to a wide range of Web applications. By means of an API, Oracle Application Server Single Sign-On can integrate with third-party authentication mechanisms such as Netegrity SiteMinder.
With Oracle Application Server Single Sign-On, users typically sign on to a centrally administered Single Sign-On Server through a designated Web portal. Once it authenticates the user, Single Sign-On Server displays links to all the applications for that user.
Using a centrally administered Single Sign-On Server has these advantages:
Convenience: The user enters the user name and password only once, at a central corporate Web portal, to access all the needed applications. From the user's perspective, authentication to each application happens transparently.
Increased Security: Fewer user name and password combinations lower the risk of unauthorized access to a user's restricted information.
Ease of Administration: Oracle Application Server Single Sign-On provides centralized provisioning of user accounts, so that administrators can easily create new user accounts. Centralizing the authentication process also makes it possible to support additional authentication mechanisms in a localized manner. For example, you can implement password-based authentication, using Single Sign-On and Oracle Internet Directory, then switch to digital certificate-based authentication using OracleAS Certificate Authority, Single Sign-On, and Oracle Internet Directory, and the change would be localized to the Single Sign-On Server.
There are two kinds of applications to which Oracle Application Server Single Sign-On provides access:
Partner Applications
External Applications
Partner applications are integrated with the Single Sign-On Server. They are built upon an Oracle Application Server Single Sign-On API that enables them to delegate authentication to the Single Sign-On Server.
External applications are Web-based applications that retain their authentication logic. They do not delegate authentication to the Single Sign-On Server and, as such, require a user name and password to provide access. Currently, these applications are limited to those which employ an HTML form for accepting the user name and password. The user name may be different from the single sign-on user name, and the Single Sign-On Server provides the necessary mapping.
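The following is an added model of the single sign-on flow described above, not Oracle's own mod_osso or Single Sign-On Server code: the server authenticates the user once, hands the browser a signed, time-limited cookie, a partner application delegates authentication by verifying that cookie, and an external application receives mapped form credentials. The signing key, session timeout, user store and credential mapping are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

SSO_KEY = b"constructed-demo-key"   # placeholder shared secret between SSO server and partner apps
SESSION_SECONDS = 8 * 3600           # the "given time period" after which users are prompted again

# Constructed stand-in for the user entries Oracle Internet Directory would hold.
# SHA-256 is used only to keep the demo dependency-free; a real store uses a password hash.
USERS = {"alice": hashlib.sha256(b"alice-pw").hexdigest()}

def sso_login(user, password, now):
    """SSO server: authenticate once; return the cookie value on success, else None."""
    if USERS.get(user) != hashlib.sha256(password.encode()).hexdigest():
        return None
    claims = {"sub": user, "exp": now + SESSION_SECONDS}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def partner_app_user(cookie, now):
    """Partner application: trust only the SSO server's signed cookie, never a password.
    Returns the user name, or None if the cookie is missing, tampered with, or expired."""
    if not cookie or "." not in cookie:
        return None
    payload, sig = cookie.rsplit(".", 1)
    expected = hmac.new(SSO_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["sub"] if now < claims["exp"] else None

# External applications keep their own HTML login form; the SSO server maps the
# SSO user name to the application's (possibly different) user name and password.
EXTERNAL_APP_CREDS = {("alice", "legacy_crm"): ("a.smith", "crm-pw")}   # constructed mapping

def external_app_form_fields(cookie, app, now):
    """SSO server: the fields it would post to the external app's form for a valid session."""
    user = partner_app_user(cookie, now)
    if user is None:
        return None
    mapped = EXTERNAL_APP_CREDS.get((user, app))
    return {"username": mapped[0], "password": mapped[1]} if mapped else None
```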
The single sign-on offering in Oracle Application Server is a critical differentiator for users seeking a robust, fully integrated single sign-on architecture. Oracle Application Server leverages JAAS, as well as Oracle Internet Directory, to deliver a comprehensive end-to-end security infrastructure across the entire Oracle Application Server product.
Oracle Internet Directory is a critical component of Oracle Application Server management and security infrastructure. It ensures that user accounts and groups are managed centrally through the LDAP Version 3 standard. Oracle Application Server enables users to be created centrally in Oracle Internet Directory and shared across all components in Oracle Application Server. When users log in, they are authenticated once by Oracle Application Server Single Sign-On against their Oracle Internet Directory credentials, and can thereby access multiple applications seamlessly.
Oracle Internet Directory includes Oracle Delegated Administration Services, which provides trusted proxy-based administration of directory information by users and application administrators. Oracle Delegated Administration Services includes a Self-Service Console, an easy-to-use, Web-based interface which allows end-users and application administrators to search for and manage data in the directory. Through this console, Oracle Delegated Administration Services provides Oracle Application Server with a means of provisioning end-users in the Oracle Application Server environment. Oracle Internet Directory also enables components of Oracle Application Server to broadcast data about users and group events, so that those components can update any user information stored in their local application instances.
Oracle Directory Integration and Provisioning enables customers to synchronize data between various directories and Oracle Internet Directory. The Oracle Directory Integration Platform is a set of services and interfaces that make it possible to develop synchronization solutions with third-party metadirectories and other enterprise repositories, such as SunONE/iPlanet Directory Server. With Oracle Application Server, Oracle Internet Directory includes connectors for out-of-the-box synchronization with Oracle Human Resources, Active Directory, and SunONE/iPlanet Directory Server 4.2 and 5.0.
Oracle Internet Directory also provides a plug-in framework for applications that require customized functionality, such as referential integrity of data. The plug-in framework is delivered as a highly-flexible PL/SQL interface, allowing user-defined operations to be invoked by the directory server before, after, or in place of standard LDAP commands.
Oracle Internet Directory provides users with directory search capabilities backed by sophisticated server-side caching. Oracle Internet Directory also provides two key features that ensure administrators can deliver seamless directory services to all users:
Alias De-reference: When a user or an application searches on an alias, Oracle Internet Directory automatically de-references the alias and returns the entry to which it refers. This feature enables administrators to change the names of objects in ways that are transparent to users and applications.
Enhanced Proxy Capabilities: Administrators can safely establish performant, auditable middle-tier application access to the directory on behalf of end user communities.
Oracle Internet Directory provides the following key directory features:
Native LDAP server complying with all LDAP v2 and v3 RFCs, along with the Open Group's "LDAP CERTIFIED" test specifications (VSLDAP test suite 2.2)
Supports the X.500 information, naming, and storage model
Extensible directory schema for online modifications with no downtime
LDAP APIs in Java, C, and PL/SQL to assist with application development
The middle tier components use Oracle Internet Directory in the following ways:
Application server instances and infrastructures store security and management information in Oracle Internet Directory. Oracle Internet Directory stores users' information, such as user names and privileges, required for internal operation of the application server.
Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider stores realm and JAAS policy in Oracle Internet Directory.
Oracle Application Server Single Sign-On validates the user name and password against user and group profiles stored in Oracle Internet Directory.
Oracle Application Server Certificate Authority (OCA) is a component of the Oracle public key infrastructure (PKI) offering that allows you to create and manage X.509v3 digital certificates for use in Oracle or third-party software. The Certificate Authority is fully standards-compliant, and is fully integrated with Oracle Application Server Single Sign-On and Oracle Internet Directory. Oracle Application Server Certificate Authority provides Web-based certificate management and administration, as well as XML-based configuration. It leverages the identity management infrastructure, high availability, and scalability of the Oracle platform.
Oracle Application Server provides an implementation of Java Authentication and Authorization Service (JAAS) that integrates with the Oracle Application Server J2EE security infrastructure to enforce security constraints for Web (servlets and JSPs) and EJB components.
Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider support provides the following benefits:
Integrates Java-based applications with Oracle Application Server Single Sign-On, including authentication, thereby giving you extensible security for Java-based applications
Manages access control policies centrally in Oracle Internet Directory, controls access by role, and partitions security policy by subscriber
Supports impersonation of a specific user, allowing an enterprise bean, servlet, or JSP to run with the permissions associated with the current client or a specified user
Oracle Application Server Web Cache provides the following security-related features:
OracleAS Web Cache restricts administration with the following features:
Password authentication for administration and invalidation operations
Control over ports from which administration and invalidation operations can be requested
IP and subnet administration restrictions
The secure sockets layer (SSL) protocol, developed by Netscape Corporation, is an industry standard for network transport layer security. SSL provides authentication, encryption, and data integrity in a public-key infrastructure (PKI). By supporting SSL, OracleAS Web Cache is able to cache pages from HTTPS requests.
Note that HTTPS traffic can be processing-intensive. If OracleAS Web Cache traffic must travel over the open Internet, then configure OracleAS Web Cache to send HTTPS requests to the application server. If traffic only travels through a LAN in a data center, then the traffic can be sent with HTTP so as to reduce the load on the application servers.
SSL interacts with the following entities:
Certificate Authority: A certificate authority (CA) is a trusted third party that certifies the identity of third parties and other entities, such as users, databases, administrators, clients, and servers. The CA verifies the party identity and grants a certificate, signing it with its private key. The OracleAS Web Cache certificate must be signed by a CA. Oracle Application Server provides Oracle Application Server Certificate Authority (OCA), which allows you to create and manage X.509v3 digital certificates for use in Oracle or third-party software. For more information on OCA see "Oracle Application Server Certificate Authority" in this chapter.
Certificate: A certificate is created when a party's public key is signed by a trusted CA. A certificate ensures that a party's identification information is correct, and that the public key actually belongs to that party. A certificate contains the party's name, public key, and an expiration date, as well as a serial number and certificate chain information. It can also contain information about the privileges associated with the certificate. When a network entity receives a certificate, it verifies that it is a trusted certificate, one issued and signed by a trusted CA.
Wallet: A wallet is a transparent database used to manage authentication data such as keys, certificates, and trusted certificates needed by SSL. A wallet has an X.509 version 3 certificate, private key, and list of trusted certificates.
Security administrators use the Oracle Wallet Manager to manage security credentials on the OracleAS Web Cache server. Wallet owners use it to manage security credentials on clients. Specifically, Oracle Wallet Manager is used to do the following:
Generate a public-private key pair and create a certificate request for submission to a CA
Install a certificate for the identity
Configure trusted certificates for the identity
To support HTTPS between browsers and OracleAS Web Cache, configure a wallet on the OracleAS Web Cache server for each supported site. To support HTTPS between OracleAS Web Cache and the application servers, configure a wallet on the application server.
Oracle HTTP Server provides the following security-related features:
With session renegotiation support, individual directories can be protected by different levels of encryption. Some directories may only need a minimum level of encryption, while others require stronger encryption.
Software-based SSL encryption can sometimes be slow. Oracle HTTP Server supports the option of having dedicated SSL hardware through nCipher. nCipher is a third-party math accelerator that improves the performance of the PKI cryptography that SSL uses.
Port tunneling lets all communication between Oracle HTTP Server and OC4J happen on a single port or a small number of ports. Previously, the firewall configuration had to include port information for several ports to handle communication between Oracle HTTP Server and multiple OC4J instances. With the port tunnel, a daemon routes requests to the appropriate OC4J instances. Using this method, only one port has to be opened through the firewall regardless of the number of OC4J instances involved.
Oracle HTTP Server and OC4J can communicate using the AJP protocol over the Secure Sockets Layer (SSL). Previously, OHS and OC4J used the AJP13 protocol unencrypted, without support for authentication. Now, OHS has been modified to extend support to the AJP13 protocol over SSL.
This section discusses the following security topics:
Oracle Application Server Single Sign-On provides a single point of validation for portal user credentials and governs user access to intranet resources based on employee profiles. When a user logs into a portal page, the single sign-on server validates the user name and credentials against user profiles stored in Oracle Internet Directory or another user credential repository.
Oracle Application Server Single Sign-On also supports external, partner applications. For these applications, the single sign-on server logs in to the application automatically for the user.
Most portal elements have an access control list (ACL). This list controls which users and groups may access the element, and to what extent. For example, if you wanted all of the users in a group to be able to see the items on a portal page, in the page's ACL you would grant that group View privileges.
Besides ACLs, you can also use global privileges to grant access to all objects of a given type in Oracle Application Server Portal. For example, granting the Create privilege for All Pages to a group enables all members of that group to create pages.
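As an added illustration of the authorization model just described (example code, not OracleAS Portal's own implementation), the check below combines a portal element's ACL with global privileges granted per object type, resolving users through their group memberships. The privilege ordering (Manage implies Edit implies View), the group data and the object are constructed assumptions.

```python
from dataclasses import dataclass, field

# Privilege levels on a single object, weakest to strongest (assumed ordering:
# a stronger grant implies the weaker ones, e.g. Manage includes Edit and View).
OBJECT_PRIVILEGES = ["View", "Edit", "Manage"]

@dataclass
class PortalObject:
    name: str
    obj_type: str                                  # e.g. "Page"
    acl: dict = field(default_factory=dict)        # principal -> privilege level

@dataclass
class Directory:
    """Stand-in for the user and group information Oracle Internet Directory holds."""
    groups: dict        # group name -> set of user names
    global_privs: dict  # (object type, privilege) -> set of principals

    def principals_for(self, user):
        """A user acts as itself plus every group it belongs to."""
        return {user} | {g for g, members in self.groups.items() if user in members}

def _implies(held, wanted):
    """Does privilege `held` cover `wanted`? Ordered object privileges imply the
    weaker ones; type-level privileges such as Create require an exact match."""
    if held in OBJECT_PRIVILEGES and wanted in OBJECT_PRIVILEGES:
        return OBJECT_PRIVILEGES.index(held) >= OBJECT_PRIVILEGES.index(wanted)
    return held == wanted

def is_authorized(directory, user, privilege, obj=None, obj_type=None):
    """Deny by default; allow if the object's ACL or a global privilege for the
    object's type grants `privilege` to the user or one of the user's groups."""
    principals = directory.principals_for(user)
    if obj is not None:
        obj_type = obj.obj_type
        for principal, held in obj.acl.items():
            if principal in principals and _implies(held, privilege):
                return True
    # Global privileges apply to every object of a type, e.g. Create on All Pages.
    for (gtype, gpriv), holders in directory.global_privs.items():
        if gtype == obj_type and _implies(gpriv, privilege) and principals & holders:
            return True
    return False

# Constructed sample data: a sales group that may view one page, and a
# portal_admins group holding the global Create privilege for all pages.
DIRECTORY = Directory(
    groups={"sales": {"alice", "bob"}, "portal_admins": {"carol"}},
    global_privs={("Page", "Create"): {"portal_admins"}},
)
SALES_PAGE = PortalObject("Sales Dashboard", "Page", acl={"sales": "View", "carol": "Manage"})

def demo():
    """Each decision the model produces for the sample data."""
    return {
        "alice_view": is_authorized(DIRECTORY, "alice", "View", obj=SALES_PAGE),     # via sales ACL
        "alice_edit": is_authorized(DIRECTORY, "alice", "Edit", obj=SALES_PAGE),     # View is not Edit
        "carol_edit": is_authorized(DIRECTORY, "carol", "Edit", obj=SALES_PAGE),     # Manage implies Edit
        "carol_create": is_authorized(DIRECTORY, "carol", "Create", obj_type="Page"),  # global, via group
        "alice_create": is_authorized(DIRECTORY, "alice", "Create", obj_type="Page"),
        "dave_view": is_authorized(DIRECTORY, "dave", "View", obj=SALES_PAGE),       # no grant: denied
    }
```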