B Security Checklists and Recommendations

This chapter presents an overview of the tasks you should consider in order to build good security in a production environment.

The following topics are covered:

Securing Your Installation and Configuration
Securing OracleAS Metadata Repository Schemas
Securing the Welcome Page
Disabling and Removing Demos
Enabling Component Level Logging

B.1 Securing Your Installation and Configuration

Implement the recommendations outlined in this section to provide the basis for a secure installation and configuration.

B.1.1 Operating System Security

Prior to the installation of any Oracle Application Server component, the operating system on the installation machine should be updated with the latest available benchmarks and patches.

B.1.2 Install Only What You Need

Avoid installing options and products you do not need. Choose to install only those additional products and options that you clearly need. If you install an option or product and realize later that it is not needed, you should deinstall that option or product.

B.1.3 Enable SSL During and After Installation

During the Oracle Application Server installation, you will have the option to enable SSL with Oracle Internet Directory on one of the installation screens. For more information, see Oracle Application Server Installation Guide.

Oracle Internet Directory is the only Oracle Application Server component for which you can configure SSL during installation. All other components which can be SSL-enabled must be configured after installation. For more information, refer to the SSL section in Oracle Application Server Administrator's Guide.

B.1.4 Apply Product Security Patches and Workarounds

Always apply all relevant and most current security patches for all installed Oracle Application Server options and components. For the latest information about available patches:

Periodically check the security site on Oracle Technology Network for details about security alerts released by Oracle Corporation:

http://www.oracle.com/technology/deploy/security/alerts.htm
Periodically check the Oracle Worldwide Support Services site (MetaLink) for details on available and upcoming security-related patches:

http://metalink.oracle.com

B.2 Securing OracleAS Metadata Repository Schemas

If you install Oracle Application Server Infrastructure, an Oracle database is installed and configured with several default database server user accounts, or schemas. These pre-seeded schemas are created during installation to support both the Oracle database and Oracle Application Server.

To secure these schemas, you should take the following action:

Change the default passwords to prevent unauthorized access to the OracleAS Metadata Repository.
Lock your schemas to prevent them from being intentionally or accidentally deleted.

For additional information about the post installation status of each schema, changing a schema's password, locking a schema, and other useful schema information, see "Chapter 6, Managing an OracleAS Metadata Repository" in Oracle Application Server Administrator's Guide.

For a complete list of all OracleAS Metadata Repository schemas, see "Appendix E, Metadata Repository Schemas" in Oracle Application Server Administrator's Guide.

B.3 Securing the Welcome Page

By default, the Oracle Application Server Welcome page is accessible from this URL:

http://hostname.domain:7777

This page contains links to useful information like demos and code samples which can be used to compromise the security of your site. You can secure your Welcome page by:

Creating Your Own Custom Welcome Page
Protecting Your Welcome Page

B.3.1 Creating Your Own Custom Welcome Page

To deploy a new Welcome page for Oracle Application Server:

Create the new Welcome page you want to use. This page must be named index.html.
Save the new Welcome page in a directory. It is recommended that you save the page in a different directory than the htdocs directory.
Start the Application Server Control Console.
Select the OracleAS Infrastructure instance. You will be prompted to login.
Click HTTP Server.
Click Administration.
Click Properties.
Enter the directory for your new page in the Document Root field.
(Optional) Enter the administrator's e-mail address in the Administrator's Email field.
Click Apply.

B.3.2 Protecting Your Welcome Page

To secure your Welcome page, you should:

Put the page in a directory other than the default directory. This directory should be accessible only to those individuals with the proper permissions.
Make sure the file permissions are properly set, so that only those individuals with permission to access and modify the file may do so.

You can also configure your Welcome page to accept HTTPS requests instead of HTTP. To do so, you can do either one of the following:

Modify the HTTP_Server setting in the opmn.xml file and change ssl-disabled to ssl-enabled.
Run the SSL Configuration Tool with the -config_w_default parameter. For example:
```
SSLConfigTool -config_w_default -opwd welcome1
```
For more information about the SSL Configuration Tool, see "Chapter 14, Using the SSL Configuration Tool" in Oracle Application Server Administrator's Guide.

After making this change, your Welcome page should be accessible via this URL:

https://hostname.domain:4443

B.4 Disabling and Removing Demos

Oracle Application Server ships with several demos, which are available on the "Demonstrations" tab on the Welcome Page. Demos are available for configured components only.

These demos should not be available in a production environment as some demos contain system default information that can be used to gain unauthorized access to your system. A simple way to prevent unauthorized access to the demos is to protect your Welcome page or create a custom Welcome page. For more information about how to do this, see Section B.3.

In the event that you want to keep the default Welcome page, you can manually disable each of the demos. The remainder of this section describes how to disable each demo.

Oracle HTTP Server

This demo executes the following script and displays the client's environment settings:

(UNIX) ORACLE_HOME/Apache/Apache/fcgi-bin/echo
(Windows) ORACLE_HOME\Apache\Apache\fcgi-bin\echo.exe

To disable this demo, move the echo.exe and echo2.exe scripts from the ORACLE_HOME\Apache\Apache\fcgi-bin directory to another protected directory.

Oracle Application Server Containers for J2EE (OC4J)

This demo links to an Oracle Technology Network (OTN) page with samples, examples, and demonstrations for Oracle Application Server 10g Release 2 (10.1.2).

Because no sensitive information is revealed, there is no need to disable this demo.

Oracle Application Server Web Cache

This demo shows an example of caching, expiration, and edge-side page assembly.

To disable this demo:

Go to the Oracle Enterprise Manager 10g Application Server Control Console. In the "Standalone Instances" section, click on your Oracle Application Server instance.
Click on the home link in the "System Components" section.
Click on the Applications tab in the "OC4J:home" section.
Select the button next to the IsWebCacheWorking link, then click the Undeploy button.
Click Yes on the "Confirmation" page to confirm your actions.

Oracle Application Server Portal

This demo links to an OracleAS Portal page which includes a sample document repository, along with links to Portal Center and Oracle Application Server Portal Developer Kit pages on Oracle Technology Network.

The page that is displayed is part of the OracleAS Portal product, and not a separate page for demonstration purposes only. As such, there is not need to disable this page.

Oracle Application Server Wireless

This demo provides multi-channel access for small-screen devices using an expense report example.

To disable this demo, run the following script:

(UNIX) ORACLE_HOME/wireless/bin/disable_samples.sh
(Windows) ORACLE_HOME\wireless\bin\disable_samples.bat

Oracle Business Intelligence Discoverer Portlet Provider

This demo displays the Oracle Business Intelligence Discoverer Portlet Provider test page, which is used to determine whether or not the OracleBI Discoverer Portlet Provider is working and available in your Oracle Application Server instance.

This is the page you should use to register OracleBI Discoverer Portlet Provider with OracleAS Portal. No sensitive information is revealed on this page, so there is no need to disable this demo.

Oracle Business Intelligence Samples

This demo links to the Oracle Business Intelligence page on Oracle Technology Network for Oracle Business Intelligence samples and examples.

Because no sensitive information is revealed, there is no need to disable this demo.

Oracle Application Server Forms Services

This demo provides a test to verify your installation. The test form runs when you access an OracleAS Forms Services URL but do not specify an application to run. For example, normally you call an OracleAS Forms Services application with the following syntax:

http://host:port/forms/frmservelet?config=myApp

The Forms Servlet will locate [myApp] in the formsweb.cfg file and launch that application. However, when no application is specified:

http://host:port/forms/frmservelet

the Forms Servlet uses the settings in the default section of the formsweb.cfg file. The default section has the following setting:

form=test.fmx

The test.fmx form is the test form accessed by this demo, which allows you to test your OracleAS Forms Services installation and configuration.

The optimal way to securely disable this demo is described below. This procedure redirects requests to an informational HTML page that is presented to the client. Because you have complete control over the contents of this page, you can ensure that no sensitive information is passed to the client.

Create an informational HTML page that you want displayed when you run the demo. For example, you could create a page called forbidden.html in the ORACLE_HOME/forms/server (for UNIX) or ORACLE_HOME\forms\server (for Windows) directory:

<html>
   <head>
      <title>Forbidden</title>
   </head>

   <body>
      <h1>Forbidden!</h1>
      <h2>You may not access this Forms application.</h2>
   </body>
</html>

Note:

This redirecting of client information and presenting a message page instead is not the same Web page that the Web server returns when the requested content has restricted permissions on it.

Modify the following parameters in the formsweb.cfg file. Comment out the original values by placing a hash (#) character at the beginning of the original line, then inserting a line with the desired values. For example:

# System parameter: default base HTML file
#baseHTML=base.htm
baseHTML=forbidden.html
# System parameter: base HTML file for use with JInitiator client
#baseHTMLjinitiator=basejini.htm
baseHTMLjinitiator=forbidden.html
# System parameter: base HTML file for use with Sun's Java Plug-In
#baseHTMLjpi=basejpi.htm
baseHTMLjpi=forbidden.html
# System parameter: base HTML file for use with Microsoft Internet Explorer
# (when using the native JVM)
#baseHTMLie=baseie.htm
baseHTMLie=forbidden.html

Now, when a user enters the URL

http://host:port/forms/frmservelet

the customized Web page is presented. Of course, you can customize forbidden.html, including its contents, its filename, and its location as long as you make the corresponding changes to these parameters in the formsweb.cfg file. Administrators can put any information, such as warnings, errors, time stamps, IP logging, or contact information in this information Web page with minimal impact on the server configuration.

Note:

Overriding the base HTML template entries in the default section of formsweb.cfg requires that you add the same entries pointing to the original values (or some other valid HTML file) in your application-specific named configuration:

myApp
form=myApplication.fmx
lookandfeel=oracle
baseHTML=base.htm
baseHTMLjinitiator=basejini.htm
baseHTMLjpi=basejpi.htm
baseHTMLie=baseie.htm

If you don't specify these base HTML values, and when a user runs an application, they will see the forbidden.html page because the application-specific configuration section has not overridden the default values.

Oracle Forms

This demo links to the Oracle Forms page on Oracle Technology Network for additional demos and sample code.

Because no sensitive information is revealed, there is no need to disable this demo.

Oracle Application Server Reports Services

This demo enables you to verify that your reports server is properly installed and operational. As such, this demo can also be used for diagnostic and troubleshooting purposes. Therefore, it is recommended that the files used in this demo be renamed or moved to a secure location, rather than deleted from the system.

The files used in this demo are test.rdf and test.jsp. The default location of test.rdf is:

(UNIX) ORACLE_HOME/reports/samples/demo
(Windows) ORACLE_HOME\reports\samples\demo

The test.jsp file is contained in the reports.ear file, and is extracted to this location by default:

(UNIX) ORACLE_HOME/j2ee/OC4J_BI_Forms/applications/reports/web/examples/Tools
(Windows) ORACLE_HOME\j2ee\OC4J_BI_Forms\applications\reports\web\examples\Tools

B.5 Enabling Component Level Logging

Oracle Application Server components generate log files containing messages that record all types of events, including startup and shutdown information, errors, warning messages, access information on HTTP requests, and additional information. You can use Oracle Enterprise Manager 10g Application Server Control Console to manage these log files, as well as configure the logging options for each component.

For detailed component logging information, see "Chapter 5, Managing Log Files" in Oracle Application Server Administrator's Guide.