Oracle® Application Server Security Guide
10g Release 2 (10.1.2) B13999-03 |
|
Previous |
Next |
This chapter outlines the dependency of Oracle Application Server on Oracle Identity Management and the role that Oracle Identity Management infrastructure plays in Oracle Application Server deployments. This chapter contains the following topics:
Oracle Identity Management is a key deployment platform capability of Oracle Application Server. The Oracle Identity Management infrastructure centralizes management of security across the enterprise, simplifying management and reducing administrative overhead. This capability increases security while reducing administrative costs and enhancing the end-user experience.
Oracle Identity Management is a well-integrated suite of services that all Oracle products, including Oracle Database, Oracle Collaboration Suite, and Oracle E-Business Suite, can leverage out of the box. This allows rapid deployment of Oracle products in the enterprise without the cost and complexity associated with integrating disparate systems. Oracle Identity Management also serves as a single point of integration between the Oracle environment and any third-party Identity Management environments.
Oracle Identity Management infrastructure is not required in all Oracle Application Server deployments. The components of Oracle Application Server involved in the deployment, and the nature of the deployment, determine the need for an Oracle Identity Management infrastructure. Some components, such as OracleAS Portal, require the Oracle Identity Management infrastructure for their operation. A simple OC4J customer application might not have any need or awareness for such an infrastructure. It is also possible to design an OC4J application to leverage an enterprise Oracle Identity Management infrastructure for its authentication and authorization services.
For some Oracle Application Server components, such as OracleAS Portal, the Oracle Identity Management infrastructure is always required. However, Oracle Identity Management is not mandatory for all Oracle Application Server components. Many Oracle Application Server components can be deployed with or without leveraging the Oracle Identity Management infrastructure. When deployed without the Oracle Identity Management infrastructure, these services would rely on their own standalone interfaces for user management and security.
OC4J applications developed by ISVs and customers need not rely on Oracle Identity Management or any other infrastructure. These applications can instead use third-party identity management services, such as Sun Java Enterprise System (formerly iPlanet) Directory or Microsoft Active Directory. Thanks to configurable OracleAS JAAS Provider LoginModule
s, OC4J applications can also be integrated with any other custom user management and authentication services in the customer environment.
All Oracle products that rely on centralized user management and single sign-on services, including products such as OracleAS Portal, require Oracle Identity Management infrastructure for their operation. If you have already deployed a non-Oracle Identity Management infrastructure, the Oracle products can be deployed to fully leverage your investment in such infrastructure. In such environments, Oracle product security still depends on Oracle Identity Management infrastructure, but that infrastructure is configured to fully utilize your existing infrastructure. For instance, you need not reimplement or alter your implementation of directory tree structure, practices, and policies for user management, password management, and so on. Oracle Identity Management integration services transparently adopt your existing policies without requiring any additional implementation effort.
This section outlines the various capabilities offered by Oracle Identity Management and the benefits that enterprise applications based on Oracle Application Server can leverage.
These benefits include:
Oracle Internet Directory, a key component of the Oracle Identity Management infrastructure, facilitates centralized user management for the Oracle technology environment, as well as for the rest of the enterprise. Users are defined centrally in Oracle Internet Directory; all other Oracle Identity Management and security services, as well as all applications that in turn rely on these services, share this single definition of user identity, credentials, profiles and preferences. This centralized management not only facilitates administrative convenience, it also enhances security for applications that share this infrastructure.
Password policies help strengthen the security of password-based authentication environments. Password policies allow an enterprise to establish rules that users must follow while setting and using passwords to authenticate themselves to the applications on the network. Oracle Identity Management password policies can be customized at deployment.
Oracle Identity Management supports complex password policies that enterprises can leverage to make the user passwords more secure. Oracle Internet Directory and the OracleAS Single Sign-On services support value-based as well as state-based password policies.
Value-based password policies make it difficult to guess passwords. These policies enforce the password values to be arbitrarily complex, such as minimum lengths, presence of minimum number of special characters, and so on.
State-based password policies help enforce user discipline, such as periodically resetting password values. State-based password policies also facilitate detection and prevention of malicious attempts to break into these environments. Password expiration policies and lockout policies based on maximum number of retries are examples of such state-based password policies.
The Oracle Internet Directory plug-in capability can be exploited by customers to implement custom password policies.
Each application server instance that uses an infrastructure has an entry in Oracle Internet Directory. The instance uses this entry to manage configuration information in Oracle Internet Directory.
Oracle Application Server generates random passwords for the instances in Oracle Internet Directory. You do not need to know what the passwords are, because there are no procedures that you need to run that require the passwords.
However, if your corporate security policy requires that passwords be changed on a regular basis, you can use the resetiASpasswd
tool to change the password.
Note: You cannot use Oracle Directory Manager, Oracle Delegated Administration Services, orldapmodify to change the instance passwords; you can only use resetiASpasswd . The reason for this is that the password needs to be synchronized on the instance host and on Oracle Internet Directory.
|
To reset the password to a new randomly generated password, execute the following command in the Oracle home of the application server instance whose password you would like to change:
(UNIX) ORACLE_HOME/bin/resetiASpasswd.sh cn=orcladmin password ORACLE_HOME (Windows) ORACLE_HOME\bin\resetiASpasswd cn=orcladmin password ORACLE_HOME
password
is the orcladmin
password. ORACLE_HOME
is the full path of the Oracle home for the application server instance. Note that this directory is the Oracle home in which you run the command.
See Also: Oracle Internet Directory Administrator's Guide for full details on password policies and their configuration. |
OracleAS Single Sign-On allows users to sign on to the enterprise network once instead of being prompted for sign-on credentials each time they access other Web applications. When you deploy an application with OracleAS Single Sign-On, after the first sign-on, a user's identity is validated by the OracleAS Single Sign-On only once, no matter how many different Oracle Application Server applications the user invokes during a session.
OracleAS Single Sign-On provides two interfaces to transparently integrate with non-Oracle environments in two modes:
OracleAS Single Sign-On is certified for integration and interoperation with leading third-party authentication services, such as Microsoft Windows and Netegrity SiteMinder.
OracleAS Single Sign-On supports transparent sign-on to non-Oracle web sites and external applications. In this mode, users can configure their account names and passwords for external applications; OracleAS Single Sign-On uses this information to transparently connect the users to the applications.
In typical enterprise deployments involving numerous Web applications and portals, OracleAS Single Sign-On greatly enhances end-user ease of use.
See Also: Oracle Application Server Single Sign-On Administrator's Guide for details on single sign-on. |
Middle-tier business intelligence components must access Oracle Database schema resources on behalf of users who have signed on to the middle-tier. To do so, the components must acquire the end user's account name and password information for relevant database resources. To facilitate this acquisition, Oracle Internet Directory supports an LDAP structure called Resource Access Descriptors, as well as APIs and Oracle Delegated Administration Services interfaces to securely administer this information. This ensures that access is restricted to the end user who owns it and to the applications that need it.
See Also: Oracle Internet Directory Administrator's Guide for full details on Resource Access Descriptors. |
Although centralized management of user identities and other security information has its obvious benefits, the process of administration could become unscalable without the means to delegate administration to different sets of administrators for different real-world administrative functions. To support this delegation, the Oracle Delegated Administration Services component of Oracle Identity Management infrastructure defines a delegation model based on Role-Based Access Control (RBAC).
The infrastructure also supports necessary interfaces to implement this model not only for Oracle Identity Management, but also within applications that rely on Oracle Identity Management.
Oracle Delegated Administration Services consists of the following:
Interfaces for enabling end-user self-service, such as:
User password updates, reset, and recovery
User preferences and profile management
Directory white page lookups
Interfaces for enabling directory administrator self service such as:
Creating and managing users
Creating and managing groups
Customizing Oracle Delegated Administration Services user and group management interfaces
Customizing end-user self-service interface characteristics
Oracle Identity Management service-related administration roles
Oracle Delegated Administration Services also supports APIs that applications can use to integrate all these services in their application-specific administration tools.
See Also: Oracle Internet Directory Administrator's Guide for full details on Oracle Delegated Administration Services. |
Many Oracle Application Server components, such as OracleAS Portal, support the Role-Based Access Control (RBAC) model to control access to their resources and operations. The associated application roles are implemented by using the underlying support of Oracle Internet Directory for managing groups and roles. APIs and Delegated Administration Services interfaces are leveraged by the Oracle Application Server components for managing these objects that represent their application-specific administrative roles.
Installing and deploying Oracle Application Server components involves creating identities for the applications being deployed and granting them run-time privileges to necessary resources, such as Oracle Application Server infrastructure database schema, and access to other application components. Without proper delegation, deployment of any application would require the directory administrator to be involved. On the other hand, with excessive privilege delegation, an administrator with privileges to deploy one application will also have unwarranted privileges over other applications. With proper delegation, specific administrators can be de granted privileges to specific applications.
The Oracle Application Server installation process supports many predefined roles to streamline the process of deploying Oracle Application Server components by enabling delegation of deployment privileges to application-specific administrators.
Provisioning Integration refers to integrating user account creation and privilege assignment tasks for all applications across the enterprise, based on Oracle Identity Management events. These activities are governed by application-specific rules, as well as by enterprise deployment policies. Oracle Identity Management infrastructure supports a feature called Provisioning Integration to facilitate both integration and automation of such provisioning related tasks.
Oracle Application Server components, such as OracleAS Portal and OracleAS Wireless, leverage this capability to be notified of events involving changes to user objects and specific group objects that have direct impact on user accounts and privileges within their environments.
To leverage this service, applications subscribe to directory events that have direct mappings to their application accounts and privileges. Provisioning Integration monitors change events in the directory and notifies applications whose registered interests match this change event.
APIs and configuration interfaces are available for integrating third-party enterprise applications with OracleAS Integration platform.
See Also: Oracle Internet Directory Administrator's Guide for full details on application provisioning integration. |
Oracle Application Server Certificate Authority (OCA) exposes a simple self-service interface for OracleAS Single Sign-On users to provision their own X.509 certificates. With OCA, customers who want to deploy PKI to enable higher levels of security for their environment can do so without incurring significant overhead.
Oracle Identity Management supports interfaces and procedures to integrate Oracle products with existing third-party identity management solutions in a customer environment. There are three categories of Identity Management integration considerations:
The Directory Integration and Provisioning platform of Oracle Identity Management includes connectors for integration with common commercial LDAP directories, such as Sun Java Enterprise System and Microsoft Active Directory. In addition, interfaces are available to develop custom connectors to any other third-party LDAP directories. The Directory Integration and Provisioning platform also supports connectors for user information stored within SQL-accessible RDBMS tables.
See Also: Oracle Internet Directory Administrator's Guide for full details about available connectors and integration methodologies. |
Oracle Identity Management supports certified integration with major single sign-on vendor solutions, such as Netegrity SiteMinder. In addition, OracleAS Single Sign-On provides APIs for seamless single sign-on integration with any third-party authentication service.
See Also: Oracle Application Server Single Sign-On Administrator's Guide for full details on third-party single sign-on integration. |
Oracle Identity Management supports certified integration with major third-party provisioning integration solutions. In addition, the Directory Integration and Provisioning platform provides interfaces for integrating with third-party provisioning platforms as well as automating the account provisioning of users for any application in the network.
See Also: Oracle Internet Directory Administrator's Guide for full details on supported interfaces for application provisioning integration. |