Oracle® Application Server Security Guide
10g Release 2 (10.1.2)
B13999-03
Contents
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
1 Oracle Application Server Security Overview
1.1 Introduction to Oracle Application Server
1.2 Security As a System Issue
1.2.1 Web Browsers
1.2.2 Firewalls
1.2.3 Load Balancers
1.2.4 Virtual Private Networks (VPNs)
1.3 Overview of SSL Keys and Certificates
1.4 Security Objectives
1.4.1 Providing Basic Security Services
1.4.2 Supporting Standards
1.4.3 Ensuring Deployment and Configuration Flexibility
1.4.4 Minimizing Application Development and Deployment Cost
1.4.5 Providing Security In Depth
1.5 Oracle Application Server Middle-Tier Components
1.5.1 Oracle Application Server Web Cache
1.5.2 Oracle HTTP Server
1.5.3 Oracle Application Server Containers for J2EE (OC4J) and OracleAS JAAS Provider
1.5.4 Applications and Tools
1.5.5 OracleAS Portal
1.6 Identity Management Infrastructure
1.7 Configuration Options and Common Topologies
1.8 Security Platform Capabilities in Oracle Application Server 10g
1.8.1 Oracle Identity Management Enhancements
1.8.2 General Security Enhancements
2 Oracle Application Server Security Architecture
2.1 Security Architecture of Oracle Application Server
2.1.1 Elements of Oracle Application Server Security Architecture
2.2 Oracle HTTP Server Security
2.2.1 Message Flow With Single Sign-On
2.2.2 Authenticating To an External Application For the First Time
2.2.3 SSL Acceleration
2.3 J2EE Security and JAAS
2.4 Oracle Application Server Portal Security
2.5 Oracle Application Server Web Cache Security
2.6 Security for Other Oracle Application Server Components
2.7 Oracle Advanced Security
3 Recommended Deployment Topologies
3.1 The Need for Firewalls and Hardware Load Balancers
3.2 General Architecture and Concepts
3.2.1 DMZ Zones
3.2.2 Configuring DMZ-Based Architectures
3.2.3 Hardware Load Balancers and HTTPS to HTTP Appliances
3.3 Enterprise Data Center Topologies
3.3.1 J2EE Applications
3.3.2 Mod_plsql Applications
3.3.3 OracleAS Portal, OracleAS Wireless, and Business Intelligence Applications
3.4 OracleAS Forms Services, OracleAS Reports Services, and OracleBI Discoverer Developer Topology
3.4.1 OracleAS Reports Services Recommended Topology
3.4.2 OracleAS Forms Services Recommended Topology
3.4.3 OracleBI Discoverer Recommended Topology
3.5 OracleAS Single Sign-On and OracleAS Web Cache Considerations
3.5.1 Oracle Application Server Single Sign-On Considerations
3.5.2 Oracle Application Server Web Cache Considerations
4 Oracle Identity Management
4.1 The Role Of Oracle Identity Management
4.1.1 Dependencies on Oracle Identity Management
4.1.2 Leveraging Third-Party Identity Management Services
4.2 Features and Benefits Of Oracle Identity Management
4.2.1 Centralized User Management
4.2.2 Password Management Policies
4.2.3 OracleAS Single Sign-On for Authentication
4.2.4 Secure and Transparent Sign-On To Oracle Database
4.2.5 Delegated Administration and Self-Service Interfaces
4.2.6 Role-Based Access Control and Privilege Delegation
4.2.7 Provisioning Integration
4.2.8 Public Key Infrastructure (PKI) and OracleAS Certificate Authority
4.2.9 Integrating Third-Party Identity Management Solutions
5 Privilege Delegation
5.1 Introduction
5.1.1 How Delegation Works
5.2 Delegating Privileges
5.2.1 How Privileges Are Granted for Managing User and Group Data
5.3 Security Goals for Privilege Model
5.4 Roles and Responsibilities
5.5 Delegation of Privileges for Component Runtime
6 Security Best Practices
6.1 General Best Practices
6.1.1 Best Practices for HTTPS Use
6.1.2 Assign Lowest Level Privileges Adequate for the Task
6.1.3 Best Practices for Cookie Security
6.1.4 Best Practices in Systems Setup
6.1.5 Best Practices for Certificates Use
6.1.6 Review Code and Content Against Already Known Attack
6.1.7 Follow Common Sense Firewall Practices
6.1.8 Leverage Declarative Security
6.1.9 Use Switched Connections in DMZ
6.1.10 Place Application Server in the DMZ
6.1.11 Secure Sockets Layer
6.1.12 Tune the SSL SessionCacheTimeout Directive
6.1.13 Plan Out Final Topology Before Installing Security Components
6.2 JAAS Best Practices
6.3 J2EE Security Best Practices
6.3.1 Avoid Writing Custom User Managers
6.3.2 Authentication Mechanism with the JAAS Provider
6.3.3 Use Fine-Grained Access Control
6.3.4 Use Oracle Internet Directory as the Central Repository
6.3.5 Develop Appropriate Logout Functionality for J2EE Applications
6.4 OracleAS Single Sign-On Best Practices
6.4.1 Configure for High Availability
6.4.2 Leverage Oracle Application Server Single Sign-On
6.4.3 Use an Enterprise-Wide Directory in Place
6.4.4 Use OracleAS Single Sign-On Instead of Writing Custom Authentication Logic
6.4.5 Always Use SSL with Oracle Application Server
6.4.6 Username and Password Only on Login Screen
6.4.7 Log Out So Cookies Do Not Remain Active
6.5 Oracle Internet Directory Deployment Best Practices
6.5.1 Use bulkload.sh Utility
6.5.2 Replicate for High Availability
6.5.3 Use SSL Binding
6.5.4 Use Backup and Restore Utilities
6.5.5 Monitoring and Auditing Oracle Internet Directory
6.5.6 Assign Oracle Internet Directory Privileges
6.5.7 Change Access Control Policies
6.5.8 Best Practice for Directory Integration Platform
6.5.9 Recommendations for Migrating Oracle9iAS Applications to an Existing Oracle Internet Directory
6.5.10 Configuration of the Self-Service Console
6.5.11 Use opmnctl instead of oidmon and oidctl
6.5.12 Configure Active Directory Synchronization
6.5.13 Use User Attributes and Password Hints for Resets
A Oracle Application Server FIPS 140-2 Settings
A.1 Configuration
A.1.1 Setting the SQLNET.SSLFIPS_140 Parameter
A.1.2 Selecting Cipher Suites
A.2 Post-Installation Checks
A.3 Verifying FIPS Connections
B Security Checklists and Recommendations
B.1 Securing Your Installation and Configuration
B.1.1 Operating System Security
B.1.2 Install Only What You Need
B.1.3 Enable SSL During and After Installation
B.1.4 Apply Product Security Patches and Workarounds
B.2 Securing OracleAS Metadata Repository Schemas
B.3 Securing the Welcome Page
B.3.1 Creating Your Own Custom Welcome Page
B.3.2 Protecting Your Welcome Page
B.4 Disabling and Removing Demos
B.5 Enabling Component Level Logging
Glossary
Index