Oracle® Application Server Security Guide
10g Release 2 (10.1.2) B13999-03
This chapter presents an overview of the tasks you should consider in order to build good security in a production environment.
The following topics are covered:
Implement the recommendations outlined in this section to provide the basis for a secure installation and configuration.
Prior to the installation of any Oracle Application Server component, the operating system on the installation machine should be updated with the latest available benchmarks and patches.
Avoid installing options and products you do not need; install only those additional products and options that you clearly require. If you install an option or product and later realize that it is not needed, deinstall it.
During the Oracle Application Server installation, you will have the option to enable SSL with Oracle Internet Directory on one of the installation screens. For more information, see Oracle Application Server Installation Guide.
Oracle Internet Directory is the only Oracle Application Server component for which you can configure SSL during installation. All other components which can be SSL-enabled must be configured after installation. For more information, refer to the SSL section in Oracle Application Server Administrator's Guide.
Always apply all relevant and most current security patches for all installed Oracle Application Server options and components. For the latest information about available patches:
Periodically check the security site on Oracle Technology Network for details about security alerts released by Oracle Corporation:
Periodically check the Oracle Worldwide Support Services site (MetaLink) for details on available and upcoming security-related patches:
If you install Oracle Application Server Infrastructure, an Oracle database is installed and configured with several default database server user accounts, or schemas. These pre-seeded schemas are created during installation to support both the Oracle database and Oracle Application Server.
To secure these schemas, you should take the following action:
Change the default passwords to prevent unauthorized access to the OracleAS Metadata Repository.
Lock your schemas to prevent them from being intentionally or accidentally deleted.
For additional information about the post-installation status of each schema, changing a schema's password, locking a schema, and other useful schema information, see "Chapter 6, Managing an OracleAS Metadata Repository" in Oracle Application Server Administrator's Guide.
For a complete list of all OracleAS Metadata Repository schemas, see "Appendix E, Metadata Repository Schemas" in Oracle Application Server Administrator's Guide.
By default, the Oracle Application Server Welcome page is accessible from this URL:
http://hostname.domain:7777
This page contains links to useful information, such as demos and code samples, that could be used to compromise the security of your site. You can secure your Welcome page by:
To deploy a new Welcome page for Oracle Application Server:
Create the new Welcome page you want to use. This page must be named index.html.
Save the new Welcome page in a directory. It is recommended that you save the page in a directory other than the htdocs directory.
Start the Application Server Control Console.
Select the OracleAS Infrastructure instance. You will be prompted to log in.
Click HTTP Server.
Click Administration.
Click Properties.
Enter the directory for your new page in the Document Root field.
(Optional) Enter the administrator's e-mail address in the Administrator's Email field.
Click Apply.
To secure your Welcome page, you should:
Put the page in a directory other than the default directory. This directory should be accessible only to those individuals with the proper permissions.
Make sure the file permissions are properly set, so that only those individuals with permission to access and modify the file may do so.
You can also configure your Welcome page to accept HTTPS requests instead of HTTP. To do so, you can do either one of the following:
Modify the HTTP_Server setting in the opmn.xml file and change ssl-disabled to ssl-enabled.
Run the SSL Configuration Tool with the -config_w_default parameter. For example:
SSLConfigTool -config_w_default -opwd welcome1
For more information about the SSL Configuration Tool, see "Chapter 14, Using the SSL Configuration Tool" in Oracle Application Server Administrator's Guide.
After making this change, your Welcome page should be accessible via this URL:
https://hostname.domain:4443
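The opmn.xml edit described above is easy to get wrong by hand, and it is worth being able to verify from a script that the HTTP_Server component is actually in ssl-enabled mode. The following is an added example, not Oracle's own code or tooling. It assumes that opmn.xml records the start mode as a data element with id="start-mode" (value ssl-disabled or ssl-enabled) nested inside the ias-component whose id is HTTP_Server, and that the file uses the http://www.oracle.com/ias-instance namespace; confirm both against your own ORACLE_HOME/opmn/conf/opmn.xml before relying on it. The sample document is constructed for the example.

```python
"""Audit, and optionally switch, the HTTP_Server start-mode in opmn.xml.

Added example (not Oracle's code). Assumed layout:
  <ias-component id="HTTP_Server"> ... <data id="start-mode" value="ssl-disabled"/>
Verify this against your real opmn.xml; the element names are an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout; not a copy of a shipped opmn.xml.
SAMPLE_OPMN_XML = """<opmn xmlns="http://www.oracle.com/ias-instance">
  <process-manager>
    <ias-instance id="infra.example.com">
      <ias-component id="HTTP_Server">
        <process-type id="HTTP_Server" module-id="OHS">
          <module-data>
            <category id="start-parameters">
              <data id="start-mode" value="ssl-disabled"/>
            </category>
          </module-data>
          <process-set id="HTTP_Server" numprocs="1"/>
        </process-type>
      </ias-component>
    </ias-instance>
  </process-manager>
</opmn>
"""


def _local(tag):
    """Strip the XML namespace so we can compare element names by local name."""
    return tag.rsplit("}", 1)[-1]


def find_start_mode(root):
    """Return the <data id="start-mode"> element under the HTTP_Server component, or None."""
    for comp in root.iter():
        if _local(comp.tag) == "ias-component" and comp.get("id") == "HTTP_Server":
            for data in comp.iter():
                if _local(data.tag) == "data" and data.get("id") == "start-mode":
                    return data
    return None


def http_server_start_mode(xml_text):
    """Return the current start mode string (e.g. 'ssl-disabled'), or None if absent."""
    data = find_start_mode(ET.fromstring(xml_text))
    return None if data is None else data.get("value")


def set_ssl_enabled(xml_text):
    """Return the document with start-mode switched to ssl-enabled (the change the guide describes)."""
    root = ET.fromstring(xml_text)
    data = find_start_mode(root)
    if data is None:
        raise ValueError("HTTP_Server start-mode not found; check the opmn.xml layout")
    data.set("value", "ssl-enabled")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", http_server_start_mode(SAMPLE_OPMN_XML))
    print("after: ", http_server_start_mode(set_ssl_enabled(SAMPLE_OPMN_XML)))
```

To check a live instance, read ORACLE_HOME/opmn/conf/opmn.xml into http_server_start_mode() and treat anything other than ssl-enabled as a finding; write the output of set_ssl_enabled() back only after OPMN has been stopped, since OPMN rereads the file on startup.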
Oracle Application Server ships with several demos, which are available on the "Demonstrations" tab on the Welcome Page. Demos are available for configured components only.
These demos should not be available in a production environment as some demos contain system default information that can be used to gain unauthorized access to your system. A simple way to prevent unauthorized access to the demos is to protect your Welcome page or create a custom Welcome page. For more information about how to do this, see Section B.3.
In the event that you want to keep the default Welcome page, you can manually disable each of the demos. The remainder of this section describes how to disable each demo.
Oracle HTTP Server
This demo executes the following script and displays the client's environment settings:
(UNIX) ORACLE_HOME/Apache/Apache/fcgi-bin/echo
(Windows) ORACLE_HOME\Apache\Apache\fcgi-bin\echo.exe
To disable this demo, move the echo.exe and echo2.exe scripts from the ORACLE_HOME\Apache\Apache\fcgi-bin directory to another protected directory.
Oracle Application Server Containers for J2EE (OC4J)
This demo links to an Oracle Technology Network (OTN) page with samples, examples, and demonstrations for Oracle Application Server 10g Release 2 (10.1.2).
Because no sensitive information is revealed, there is no need to disable this demo.
Oracle Application Server Web Cache
This demo shows an example of caching, expiration, and edge-side page assembly.
To disable this demo:
Go to the Oracle Enterprise Manager 10g Application Server Control Console. In the "Standalone Instances" section, click on your Oracle Application Server instance.
Click on the home link in the "System Components" section.
Click on the Applications tab in the "OC4J:home" section.
Select the button next to the IsWebCacheWorking link, then click the Undeploy button.
Click Yes on the "Confirmation" page to confirm your actions.
Oracle Application Server Portal
This demo links to an OracleAS Portal page which includes a sample document repository, along with links to Portal Center and Oracle Application Server Portal Developer Kit pages on Oracle Technology Network.
The page that is displayed is part of the OracleAS Portal product, not a separate page that exists only for demonstration purposes. As such, there is no need to disable this page.
Oracle Application Server Wireless
This demo provides multi-channel access for small-screen devices using an expense report example.
To disable this demo, run the following script:
(UNIX) ORACLE_HOME/wireless/bin/disable_samples.sh
(Windows) ORACLE_HOME\wireless\bin\disable_samples.bat
Oracle Business Intelligence Discoverer Portlet Provider
This demo displays the Oracle Business Intelligence Discoverer Portlet Provider test page, which is used to determine whether or not the OracleBI Discoverer Portlet Provider is working and available in your Oracle Application Server instance.
This is the page you should use to register OracleBI Discoverer Portlet Provider with OracleAS Portal. No sensitive information is revealed on this page, so there is no need to disable this demo.
Oracle Business Intelligence Samples
This demo links to the Oracle Business Intelligence page on Oracle Technology Network for Oracle Business Intelligence samples and examples.
Because no sensitive information is revealed, there is no need to disable this demo.
Oracle Application Server Forms Services
This demo provides a test to verify your installation. The test form runs when you access an OracleAS Forms Services URL but do not specify an application to run. For example, normally you call an OracleAS Forms Services application with the following syntax:
http://host:port/forms/frmservelet?config=myApp
The Forms Servlet will locate [myApp] in the formsweb.cfg file and launch that application. However, when no application is specified:
http://host:port/forms/frmservelet
the Forms Servlet uses the settings in the default section of the formsweb.cfg file. The default section has the following setting:
form=test.fmx
The test.fmx form is the test form accessed by this demo, which allows you to test your OracleAS Forms Services installation and configuration.
The optimal way to securely disable this demo is described below. This procedure redirects requests to an informational HTML page that is presented to the client. Because you have complete control over the contents of this page, you can ensure that no sensitive information is passed to the client.
Create an informational HTML page that you want displayed when you run the demo. For example, you could create a page called forbidden.html in the ORACLE_HOME/forms/server (for UNIX) or ORACLE_HOME\forms\server (for Windows) directory:
<html>
<head>
<title>Forbidden</title>
</head>
<body>
<h1>Forbidden!</h1>
<h2>You may not access this Forms application.</h2>
</body>
</html>
Note: Redirecting the client to this message page is not the same as the Web page that the Web server returns when the requested content has restricted permissions on it.
Modify the following parameters in the formsweb.cfg file. Comment out the original values by placing a hash (#) character at the beginning of the original line, then insert a line with the desired values. For example:
# System parameter: default base HTML file
#baseHTML=base.htm
baseHTML=forbidden.html
# System parameter: base HTML file for use with JInitiator client
#baseHTMLjinitiator=basejini.htm
baseHTMLjinitiator=forbidden.html
# System parameter: base HTML file for use with Sun's Java Plug-In
#baseHTMLjpi=basejpi.htm
baseHTMLjpi=forbidden.html
# System parameter: base HTML file for use with Microsoft Internet Explorer
# (when using the native JVM)
#baseHTMLie=baseie.htm
baseHTMLie=forbidden.html
Now, when a user enters the URL
http://host:port/forms/frmservelet
the customized Web page is presented. Of course, you can customize forbidden.html, including its contents, its filename, and its location, as long as you make the corresponding changes to these parameters in the formsweb.cfg file. Administrators can put any information, such as warnings, errors, time stamps, IP logging, or contact information in this information Web page with minimal impact on the server configuration.
Note: Overriding the base HTML template entries in the default section of formsweb.cfg requires that you add the same entries pointing to the original values (or some other valid HTML file) in your application-specific named configuration:
[myApp]
form=myApplication.fmx
lookandfeel=oracle
baseHTML=base.htm
baseHTMLjinitiator=basejini.htm
baseHTMLjpi=basejpi.htm
baseHTMLie=baseie.htm
If you don't specify these base HTML values, and when a user runs an application, they will see the
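The two halves of this procedure (redirecting the default section's base HTML templates to the informational page, and restoring them in every named application section) are easy to leave half-done, and the failure mode is visible only to end users. The script below is an added example, not Oracle's code; it audits a formsweb.cfg for both conditions. It assumes the INI-like layout shown above ([name] section headers, key=value lines, # comments) and treats a section named default, or any keys that appear before the first header, as the default section. The sample configuration is constructed for the example and deliberately contains one unfinished edit in the default section and one application section that does not restore all four templates.

```python
"""Audit formsweb.cfg for the test-demo redirect described above.

Added example (not Oracle's code). Assumes the INI-like file layout:
'[name]' headers, 'key=value' lines, '#' comments; the defaults live in a
section called 'default' or before the first header (assumption).
"""

BASE_HTML_KEYS = ("baseHTML", "baseHTMLjinitiator", "baseHTMLjpi", "baseHTMLie")
INFO_PAGE = "forbidden.html"  # the informational page from the procedure above

# Constructed sample, not a shipped formsweb.cfg. baseHTMLie in [default] was
# left on the original template, and [payroll] restores only one key.
SAMPLE_CFG = """
[default]
# System parameter: default base HTML file
#baseHTML=base.htm
baseHTML=forbidden.html
#baseHTMLjinitiator=basejini.htm
baseHTMLjinitiator=forbidden.html
#baseHTMLjpi=basejpi.htm
baseHTMLjpi=forbidden.html
#baseHTMLie=baseie.htm
baseHTMLie=baseie.htm
form=test.fmx

[myApp]
form=myApplication.fmx
lookandfeel=oracle
baseHTML=base.htm
baseHTMLjinitiator=basejini.htm
baseHTMLjpi=basejpi.htm
baseHTMLie=baseie.htm

[payroll]
form=payroll.fmx
baseHTML=base.htm
"""


def parse_formsweb_cfg(text):
    """Return {section: {key: value}}. Commented-out lines are ignored, so a
    '#baseHTML=base.htm' line does not count as a setting."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_demo_redirect(text, info_page=INFO_PAGE):
    """Report default-section templates still pointing at a real template
    (the demo is still reachable) and named sections that do not restore all
    four templates (their users would get the informational page instead)."""
    sections = parse_formsweb_cfg(text)
    default = sections.get("default", {})
    not_redirected = [k for k in BASE_HTML_KEYS if default.get(k) != info_page]
    incomplete_apps = {}
    for name, keys in sections.items():
        if name == "default":
            continue
        missing = [k for k in BASE_HTML_KEYS if keys.get(k) in (None, info_page)]
        if missing:
            incomplete_apps[name] = missing
    return {"not_redirected": not_redirected, "incomplete_apps": incomplete_apps}


if __name__ == "__main__":
    report = audit_demo_redirect(SAMPLE_CFG)
    print("default section still serving a template for:", report["not_redirected"])
    print("application sections missing overrides:", report["incomplete_apps"])
```

Run it against ORACLE_HOME/forms/server/formsweb.cfg on each instance after the edit; an empty not_redirected list means the bare /forms URL yields only the informational page, and an empty incomplete_apps dictionary means no real application has been broken by the change.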
Oracle Forms
This demo links to the Oracle Forms page on Oracle Technology Network for additional demos and sample code.
Because no sensitive information is revealed, there is no need to disable this demo.
Oracle Application Server Reports Services
This demo enables you to verify that your reports server is properly installed and operational. As such, this demo can also be used for diagnostic and troubleshooting purposes. Therefore, it is recommended that the files used in this demo be renamed or moved to a secure location, rather than deleted from the system.
The files used in this demo are test.rdf and test.jsp. The default location of test.rdf is:
(UNIX) ORACLE_HOME/reports/samples/demo
(Windows) ORACLE_HOME\reports\samples\demo
The test.jsp file is contained in the reports.ear file, and is extracted to this location by default:
(UNIX) ORACLE_HOME/j2ee/OC4J_BI_Forms/applications/reports/web/examples/Tools
(Windows) ORACLE_HOME\j2ee\OC4J_BI_Forms\applications\reports\web\examples\Tools
Oracle Application Server components generate log files containing messages that record all types of events, including startup and shutdown information, errors, warning messages, access information on HTTP requests, and additional information. You can use Oracle Enterprise Manager 10g Application Server Control Console to manage these log files, as well as configure the logging options for each component.
For detailed component logging information, see "Chapter 5, Managing Log Files" in Oracle Application Server Administrator's Guide.