Oracle® Application Server Portal Configuration Guide
10g Release 2 (10.1.2) B14037-03 |
|
Previous |
Next |
One of the most important aspects of any portal solution is security. The ability to control user access to Web content and to protect your site against people breaking into your system is critical. This chapter describes the architecture of OracleAS Portal security in the following topics:
The sections that follow provide an overview of OracleAS Portal security and how it works with the OracleAS Security Framework.
When you make content available on the Web, it is very likely that you need to restrict access to at least some parts of it. For example, it is unlikely that you want every user to be able to see every document on your site. It is even less likely that you want every user to be able to change every document on your site. OracleAS Portal provides a comprehensive security model that enables you to completely control what users can see and change on your Web site.
Before a user logs on to OracleAS Portal, they can only view the content that the content contributors designate as public. Public content can be viewed by any user who knows the URL of a portal object (for example, a page) and can connect to the computer where it is stored. The user sees only those aspects of the object that are designated as public, such as the public portlets. If the object has no public contents, then the user is denied access to it.
Once the user logs in to the portal, they may or may not be able to see and change content depending upon their access privileges. Typically, an authenticated user can see and do more in the portal than a public user. For example, an authenticated user might see items or portlets on the page that the public user cannot view. An authenticated user might also be able to add and edit content, and change properties, privileges that would typically be denied to a public user. In the portal, you can control access to objects (pages, items, or portlets) by user and group. That is, you might grant access privileges for a page to specific named users, user groups, or a combination of both.
To support this flexible approach to controlling access to Web content, OracleAS Portal leverages the other components of Oracle Application Server and Oracle Database 10g to provide strong protection for your portal. OracleAS Portal interacts with all of the following components to implement its security model:
Oracle Application Server Single Sign-On authenticates users, who are attempting to gain access to non-public areas of your portal.
mod_osso is an Oracle HTTP Server module that redirects authentication requests to OracleAS Single Sign-On. It also keeps track of user activity in partner applications.
OracleAS Web Cache is the cache used to serve up pages generated by OracleAS Portal (or proxied to the Oracle HTTP Server if not able to service the request). Based on invalidation caching, OracleAS Portal invalidates the cache when the underlying page or metadata changes.
Oracle Internet Directory, Oracle's native LDAP version 3 service, acts as the repository for user credentials and group memberships.
The Oracle Internet Directory's Oracle Delegated Administration Services adds or updates the information stored inside the directory (users and groups).
Oracle Directory Integration Platform notifies OracleAS Portal upon the occurrence of any directory events (for example, user deletions) to which OracleAS Portal subscribes. In essence, the directory integration server informs OracleAS Portal when a change occurs in the directory that requires a change in OracleAS Portal.
OracleAS Portal Architecture
Figure 6-1 shows the components and relationships of the OracleAS Portal security architecture.
Figure 6-1 OracleAS Portal Security Architecture
The OracleAS Portal architecture consists of three basic tiers, including the client browser, the middle-tier server, and the infrastructure servers and repositories. By default, Oracle Internet Directory and OracleAS Single Sign-On are installed on the same host as part of the infrastructure installation. This tier is subsequently used for the OracleAS Portal installation.
While the default installation has all three servers and repositories installed on the same host, we recommend that you install these functions on separate servers.
In OracleAS Portal, the middle and infrastructure tier components have a number of components in common. These include a repository access component made up of a Database Access Descriptor (DAD) and Oracle Application Server Containers for J2EE (OC4J). The latter is used on the infrastructure tier to run Oracle Delegated Administration Services and to execute portal runtime engine on the middle tier.
To optimize the throughput and performance of OracleAS Portal, generated pages are cached in OracleAS Web Cache. If a request for a portal page can be served from OracleAS Web Cache, it will be returned without accessing the OracleAS Portal middle tier. If not, the request will be forwarded to the origin HTTP server and the Parallel Page Engine.
If the current user is not authenticated with the Single Sign-On environment, and if the requested page is not a public page, the user is prompted for a user name and password. This function is carried out through a redirection to OracleAS Single Sign-On for authentication, which in turn verifies the credentials against Oracle Internet Directory through an LDAP request. The credentials are compared to those found in the directory.
Upon successful authentication, OracleAS Single Sign-On creates a single sign-on session cookie. Once the user is authenticated and an appropriate OracleAS Portal session created, it is necessary to determine which pages and objects the user has the necessary access privileges to. For performance reasons the access control lists (ACLs) for all portal objects are stored in the OracleAS Portal schema in the OracleAS Metadata Repository along with the definition of the objects being secured.
User and Group provisioning is a function of Oracle Internet Directory. That is, all user and group membership information is stored in the Oracle Internet Directory. When a user first logs in to OracleAS Portal, their current group membership is read from the directory and cached in the same repository as the ACLs. This process allows for fast lookup of object privileges. Once the object and page privileges of the user are known, the appropriate page metadata can be generated to allow the Parallel Page Engine to assemble the secured page.
To simplify the provisioning of users and groups in Oracle Internet Directory for use in the portal, OracleAS Portal uses Oracle Delegated Administration Services to generate a user interface to allow direct access to Oracle Internet Directory. Calls to Oracle Delegated Administration Services are protected by the mod_osso plug-in, which verifies that the user has been properly authenticated before providing access to the Oracle Internet Directory.
One important feature of the security architecture is the ability to keep the local cached group membership list synchronized with Oracle Internet Directory. The Oracle Directory Integration Platform automatically keeps the locally cached information up-to-date with changes in Oracle Internet Directory.
If you need to authenticate against an external repository, Oracle Internet Directory supports both delegated and external authentication. Likewise, just as the Oracle Directory Integration Platform keeps the local cache synchronized with the Oracle Internet Directory, it also keeps the Oracle Internet Directory synchronized with any external repository.
OracleAS Portal provides a number of user accounts and groups by default.
Table 6-1 describes the user accounts created by default when OracleAS Portal is installed.
Table 6-1 Default OracleAS Portal Users
User | Description |
---|---|
Is the user account that identifies unauthenticated access to the OracleAS Portal. Once a user logs in, the user name changes from PUBLIC to the user name by which the user is authenticated. When granting portal privileges on individual objects that do not have an explicit check box for granting the object to Public, this user can be identified as the grantee of the privilege to grant access to it for unauthenticated users. |
|
Is the super-user for the portal. In a standard installation, the user name is PORTAL. This user account has the highest privileges because it is granted all the global privileges available in the portal. This user is also an Oracle Instant Portal administrator for every Oracle Instant Portal, regardless of who created them. |
|
Similar to portal, this account is granted the highest privileges in OracleAS Portal. This account is created for the Oracle Application Server administrators, and uses the password that is supplied during the Oracle Application Server installation. This user is also an Oracle Instant Portal administrator for every Oracle Instant Portal, regardless of who created them. |
|
Is a privileged OracleAS Portal user account with administrative privileges excluding those that would give the user the ability to obtain higher privileges or perform any database operations. This user cannot edit any group or manage privileges on any schema or shared object. This account is typically intended for an administrator who manages pages and provisions user accounts. |
Table 6-2 describes the groups created by default when OracleAS Portal is installed.
Table 6-2 Default OracleAS Portal Groups
Group Foot 1
|
Description |
---|---|
Is the group that includes any authenticated, or logged in, user. The purpose of this group is to provide a means to assign the default privileges you want every logged in user to have in the portal. By default, this group is given the Create Group privilege. This group is a member of OracleDASCreateGroup. |
|
Is a highly privileged group established for Oracle Application Server administrators. Components that are part of Oracle Application Server grant full component-specific privileges to members of this group. The DBA group is a member of the PORTAL_ADMINISTRATORS group. This group is also a member of the following Oracle Application Server privilege groups:
|
|
Is a highly privileged group established for OracleAS Portal. By default, this group is given the following OracleAS Portal global privileges:
This group is a member of the following Oracle Application Server privilege groups:
Members of PORTAL_ADMINISTRATORS do not have the necessary privileges to administer OracleAS Single Sign-On. If you want members of this group to administer OracleAS Single Sign-On, then you must grant them those privileges as described in the Oracle Application Server Single Sign-On Administrator's Guide. |
|
Is a privileged group established for users who need to publish portlets to other users of the portal. By default, this group is given the Publish All Portlets global privilege of OracleAS Portal. |
|
Is a privileged group established for users who are building portlets. By default, this group is given the following OracleAS Portal global privileges:
If you want PORTAL_DEVELOPERS to create database providers and portlets, you need to give this group privileges that enable them to modify schema, for example, Modify Data on all schemas. For more information, refer to Table 6-5. |
|
Is the group of users who administer OracleAS Reports Services reports, printers, calendars, and servers. You must assign this group any desired object privileges (for example, Manage). |
|
Is the group of users who develop OracleAS Reports Services reports. You must assign this group any desired object privileges (for example, Execute or Manage). |
|
Is the group of users who can modify OracleAS Reports Services reports. You must assign this group any desired object privileges (for example, Execute or Manage). |
|
Is the group of users who use OracleAS Reports Services reports. You must assign this group any desired object privileges (for example, Execute). |
|
Is the group of users who can both create Oracle Instant Portals and perform user administration on them. Both the PORTAL and ORCLADMIN users are members of this group. |
|
Is the group of users who can access Oracle Instant Portals. This list appears in the Manage User Rights dialog box in the Oracle Instant Portal user interface. Note: To designate OracleAS Portal users as Oracle Instant Portal users, use the Groups portlet to add them to the OIP_AVAILABLE_USERS group, which was created by default during the installation process. Then use the Manage User Rights dialog in Oracle Instant Portal to grant the appropriate privileges. |
Notes:
|
Within OracleAS Portal, you decide at what level of granularity you want to control access. You can assign privileges to any object for each user or for each group. For example, you can assign access privileges for each user for each and every item in your portal, but this approach creates considerable overhead for your content contributors.
If you want to lessen the burden on contributors, then you can assign privileges for each group at the page level and simply ensure that all of the items that you place on any given page have similar security requirements. With this approach, the security that items receive through the page that contains them is usually sufficient and content contributors only need to assign privileges for items that require higher security than the page.
See Also: Section 6.1.7.9, "Oracle Delegated Administration Services Public Roles" for information about how you might model privileges. |
For information about how you might model privileges, refer to the white paper "Strategies for Administering Privileges in OracleAS Portal Release 2", on the Oracle Technology Network (OTN), http://www.oracle.com/technology/
.
Use global privileges to give a user or group a certain level of privileges on all objects of a particular type.
Note: Global privileges confer a great deal of power on the user to whom they are granted. As a result, they should be granted very cautiously and only to users or groups who truly require them. You should only have a small number of users with global privileges. |
There are three types of privilege groups:
Table 6-3 Page Group Privileges
Object Type | Privileges |
---|---|
None: No global page group privileges are granted. Manage All: Perform any task on any page group. This privilege supersedes any other privilege in the other global page group privileges. For example, this also allows managing of any page. Manage Classifications: Create, edit, and delete any category, perspective, custom attribute, custom page type, or custom item type in any page group. Manage Templates: Create, edit, and delete any page template in any page group. Grant access to any page template. Manage Styles: Create, edit, and delete any style in any page group. View: View any page in any page group. Create: Create page groups, and create any page group object in those page groups. Users or groups with these privileges can also edit and delete the page groups and page group objects they create. Note: These users cannot create any objects in the existing page groups. |
|
None: No global page privileges are granted. Manage: Create, edit, customize, or delete any page in any page group. Grant access to any page in any page group. Manage Content: Add, edit, hide, show, share, or delete any item, portlet, or tab on any page in any page group. Manage Items With Approval: Create new items on any page in any page group. These items are not published until approved through a specified approval process. Users or groups with these privileges can also edit the items they create. Users with these privileges cannot add portlets to a page. Manage Styles: Apply an available or new style to any page in any page group. Create, edit, and delete new styles. Note: Only allows editing of styles created by user (cannot modify or delete other user's styles). Customize Portlets (Full): Customize any page in any page group to add, show, hide, delete, move, or rearrange portlets. Customize any page to show, hide, delete, or rearrange tabs, or add tabs to existing tabbed regions. Customize any page in any page group to use a different style. Customize Portlets (Add-only): Customize any page in any page group to add portlets or add tabs to existing tabbed regions. Users or groups with these privileges can also delete the portlets they add. Customize any page in any page group to use a different style. Customize Portlets (Hide-Show): Customize any page in any page group to show or hide portlets or tabs. Customize any page in any page group to use a different style. Arrange portlets in any page in any page group. Customize (Style): Customize any page in any page group to use a different style. View: View any page in any page group. Create: Create subpages in any page group. Users or groups with these privileges can also edit and delete the subpages they create. Note: You must have Manage privileges on the root page in a page group in which you want to create the pages. |
|
None: No global style privileges are granted. Manage: Create, edit, and delete any style in any page group. View: View any style in any page group. Publish: Make any style in any page group public for other users to use. Create: Create styles in any page group. Users or groups with these privileges can also edit and delete the styles they create. |
|
None: No global provider privileges are granted. Manage: Register, edit, deregister any provider, and display and refresh the Portlet Repository. Also allowed to grant edit abilities on any provider. Edit: Edit any registered provider. Publish: Register and deregister any provider. Execute: View the contents of any provider. Create: Register portlet providers. On the provider the user (or group) creates, the user gets a Manage privilege; therefore, the user can perform all operations (including edit and deregister) on the particular provider that the user has created. |
|
None: No global portlet privileges are granted. Manage: Create, edit, or delete any portlet in any provider. Edit: Edit any portlet in any provider. Execute: Execute any portlet in any provider. Users or groups with these privileges can see all portlets even if the portlet security is enforced. The Show link appears in the Navigator for all portlets. Access: View any portlet in any provider. Publish: Publish any page, navigation page, or Portal DB Provider portlet to the portal, making it available for adding to pages. |
Table 6-4 Portal DB Provider Privileges
Object Type | Privileges |
---|---|
None: No global application privileges are granted. Manage: Edit, delete, or export any Portal DB Provider. Create, edit, delete, or export any portlet in any Portal DB Provider. Grant access to any Portal DB Provider and any portlet in any Portal DB Provider. Edit Contents: Edit or export any portlet in any Portal DB Provider. View Source: View the package specification and body and run any portlet in any Portal DB Provider. Intended primarily for users or groups who may want to look at a portlet's source so they know how to call it. Customize: Run and customize any portlet in any Portal DB Provider. Run: Run any portlet in any Portal DB Provider. Create: Create Portal DB Providers. Users or groups with these privileges can edit, delete, and export the providers they create and create, edit, delete, and export any portlet in them. |
|
None: No global shared component privileges are granted. Manage: Create, view, copy, edit, delete, and export any shared component in any Portal DB Provider. View and copy any system shared component. Grant access to any non-system shared component. Create: Create shared components in any Portal DB Provider. View and copy any system shared component. View any shared component. Users and groups with these privileges can view, copy, edit, delete, and export the shared components they create. |
Table 6-5 Administration Privileges
Object Type | Privileges |
---|---|
None: No global user profile privileges are granted. Manage: Edit any user profile. Grant this privilege to other users and groups. Edit: Edit any user profile. |
|
None: No global group profile privileges are granted. Manage: Edit any group profile. Grant this privilege to other groups. The Privileges tab of the group profile allows the user to assign those privileges to the group. The Manage privilege provides the edit privilege and the ability to grant it to others. Edit: Edit any portal group profile (setting the default home page and default mobile home page). Note: The ability to change any group's description, memberships, and owners is controlled by the Oracle Internet Directory access control policies, which are administered through membership in the OracleDASEditGroup group. |
|
None: No global schema privileges are granted. Manage: Create, edit, and drop any schema. Grant access to any schema. Create, edit, drop, and rename any database object in any schema. Query, update, delete, and insert data in any table or view in any schema. Compile any function, procedure, package, or view in any schema. Execute any function, procedure, or package in any schema. Grant access to any database object in any schema. Modify Data: Create schemas. Query, update, delete, and insert data in any table or view in any schema. Compile any function, procedure, package, or view in any schema. Execute any function, procedure, or package in any schema. Users or groups with these privileges can edit, drop, and grant access to the schemas they create. Insert Data: Create schemas. Query and insert data in any table or view in any schema. Users or groups with these privileges can edit, drop, and grant access to the schemas they create. View Data: Create schemas. Query data in any table or view in any schema. Users or groups with these privileges can edit, drop, and grant access to the schemas they create. Create: Create schemas. Users with these privileges can also edit, drop, and grant access to the schemas they create. Note: If you want a user or group to access the Schemas portlet on the Administer Database tab of the Builder page, either make the user or group a member of the DBA group, or explicitly grant the user or group View privileges on the Administer Database tab. If you do not grant these privileges, the user or group will still be able to use the Navigator to access schemas. |
|
None: No global log privileges are granted. Manage: Edit or purge any log. Grant this privilege to others. Edit: Edit or purge any log. View: View any log. |
|
None: No global transport set privileges are granted. Execute: Export and Import objects that are not shared. Manage: Edit or purge any import or export sets. Grant this privilege to others. |
You can assign access privileges to users or groups for all of the following objects within OracleAS Portal through the Access tab of the object's Edit Page:
Table 6-6 OracleAS Portal Objects with Privilege Control
Type of Object | Available Privileges | Inherited Privileges |
---|---|---|
Calendar |
|
From Database Provider |
Chart (based on SQL query) |
|
From Database Provider |
Chart (based on wizard) |
|
From Database Provider |
Data Component |
|
From Database Provider |
Data Component Cell |
|
From Data Component |
Database Provider |
|
Not applicable |
Document |
|
From page or item |
Dynamic Page Component |
|
From Database Provider |
FormFoot 1 |
|
From Database Provider |
Frame Driver |
|
From Database Provider |
Hierarchy |
|
From Database Provider |
Image Chart |
|
From Database Provider |
Link |
|
From Database Provider |
List of Values |
|
From Database Provider |
Menu |
|
From Database Provider |
OracleAS Reports Services printer |
|
From Database Provider |
OracleAS Reports Services report |
|
From Database Provider |
OracleAS Reports Services Server |
|
From Database Provider |
Page |
|
Not applicable |
Page group |
|
Not applicable |
Page Item |
|
From page |
Portlet |
|
Not applicable |
Provider |
|
Not applicable |
Query by example form |
|
From Database Provider |
ReportFoot 2 |
|
From Database Provider |
Schema |
|
Not applicable |
URL |
|
From Database Provider |
XML |
|
From Database Provider |
When you create or register a new provider, a page is created in the Portlet Repository under Portlet Staging Area to display portlets for that provider. This page is not visible to all logged in users. It is only visible to the user who published the provider and portal administrators. The publisher or portal administrator can change the provider page properties to grant privileges to appropriate users or groups, as required.
To create and manage Web providers and provider groups through the user interface, as opposed to working with files directly, you need to grant appropriate privileges to the administrative users. The access control list is implemented differently than for the OracleAS Portal schema resident objects. Refer to Section 6.1.3.1, "Global Privileges" and Section 6.1.3.2, "Object Privileges" for information about the OracleAS Portal schema resident objects. Rather, the grants for provider privileges are maintained in an XML file.
Note: The privileges described here are for users developing new Web providers and pertain to authorizations that are enforced by the provider user interface. These privileges are not required to register Web providers. |
To grant privileges to create, edit, and delete Web providers or provider groups, you need to manually make changes to the following file:
MID_TIER_ORACLE_HOME/j2ee/OC4J_Portal/applications/portalTools/providerBuilder/WEB-INF/deployment_providerui/provideruiacls.xml
An example of this file follows:
Note: In this example, the user namesany_provider_manage_user , any_provider_edit_user , and so on, are just sample user names used here to illustrate the privilege codes that correspond to the privileges implied by the corresponding user names. An actual user grant would have the OracleAS Single Sign-On user name as the value of the name attribute in the <user> element, and the privilege would be populated with the appropriate privilege code.
|
<providerui xmlns="http://www.oracle.com/portal/providerui/1.0"> <objectType name="ALL_OBJECTS"> <object name="ANY_PROVIDER" owner="providerui"> <user name="any_provider_manager_user" privilege="500"/> <user name="any_provider_edit_user" privilege="400"/> <user name="any_provider_execute_user" privilege="300"/> <user name="any_provider_create_user" privilege="100"/> </object> <object name="ANY_PORTLET" owner="providerui"> <user name="any_portlet_manage_user" privilege="500"/> <user name="any_portlet_edit_user" privilege="400"/> <user name="any_portlet_execute_user" privilege="300"/> </object> </objectType> <objectType name="PROVIDER"> <object name="TEST_PROVIDER" owner="providerui"> <user name="provider_manage_user" privilege="500"/> <user name="provider_edit_user" privilege="400"/> <user name="provider_execute_user" privilege="300"/> </object> </objectType> <objectType name="PORTLET"> <object name="PORTLET_UNDER_TEST_PROVIDER" owner="TESTPROVIDER"> <user name="portlet_manage_user" privilege="500"/> <user name="portlet_edit_user" privilege="400"/> <user name="portlet_execute_user" privilege="300"/> </object> </objectType> </providerui>
This file allows for granting of the following types of privileges, described in the following sections:
Table 6-7 describes the global object types and corresponding privilege codes that can be granted to users in the provideruiacls.xml
file. When granting a privilege to the user, you should specify the numeric privilege code.
Table 6-7 Global Privilege Codes for provideruiacls.xml
Type of Object | Available Privileges |
---|---|
ANY_PROVIDER |
500 (Manage): Can create, edit, delete, and open any provider or provider group and portlets under them. 400 (Edit): Can create and edit any provider or provider group and execute the portlets under them. 300 (Execute): Can open any provider or provider group and execute the portlets under them. 100 (Create): Can create any provider or provider group. |
ANY_PORTLET |
500 (Manage): Can edit, delete, and execute any portlet under any provider. 400 (Edit): Can edit and execute any portlet under any provider. 300 (Execute): Can execute any portlet under any provider. |
To add a privilege to a particular user, add an entry in the proper object type container, for example:
<objectType name="ALL_OBJECTS">
<object name="ANY_PROVIDER" owner="providerui">
<user name="jdoe" privilege="400"/>
…
</object>
</objectType>
For these global privileges, the objectType
name is set to ALL_OBJECTS, the object owner is set to providerui
, and the object name should be ANY_PROVIDER
or ANY_PORTLET
depending on the type of grant you are setting.
You then set the user name and privilege to the values corresponding to the OracleAS Single Sign-On user name of the grantee and the privilege code you wish to assign. This model does not support any grants to groups. It only supports grants directly to users.
Table 6-8 describes the object level privileges that can be granted to users to give them privileges on specific object instances as referenced within the provideruiacl.xml
XML file.
Table 6-8 Object Privilege Codes for provideruiacl.xml
Type of Object | Available Privileges |
---|---|
PROVIDER |
500 (Manage): Can edit, delete, and open the specified provider or provider group and the portlets under it. 400 (Edit): Can edit the specified provider or provider group and execute the portlets under it. 300 (Execute): Can open the specified provider or provider group and execute the portlets under it. |
PORTLET |
500 (Manage): can edit, delete, and execute the specified portlet under the specified provider. 400 (Edit): Can edit and execute the specified portlet under the specified provider. 300 (Execute): Can execute the specified portlet under the specified provider. |
To add a privilege to a particular user, add an entry into the proper object type container, for example:
<objectType name="PORTLET"> <object name="PORTLET_UNDER_TEST_PROVIDER" owner="TESTPROVIDER"> <user name="jdoe" privilege="400"/> … </object> </objectType>
For the object level privileges, the objectType
name is set to PROVIDER
or PORTLET
, depending upon to which object instances you are providing access. The object name is set to the provider name or the portlet name, respectively. The object owner is set to providerui
or the name of the associated provider, again respectively for providers and portlets.
Table 6-9 summarizes these rules:
Table 6-9 Attribute Values for Providers and Portlets
Attribute | Provider Instance Grant | Portlet Instance Grant |
---|---|---|
ObjectType name |
|
|
Object name |
Provider or provider group name |
Portlet name |
Object owner |
|
Provider name |
User name |
OracleAS Single Sign-On user name |
OracleAS Single Sign-On user name |
User privilege |
Privilege code |
Privilege code |
To create and edit URL and XML portlets in the Portlet Repository, privileges need to be granted to the users. The URL and XML portlets are available from the Portlet Builders page in the Portlet Repository. To grant access, or to edit sample providers in the JPDK Web application, you need to manually make changes to following file:
MID_TIER_ORACLE_HOME/j2ee/OC4J_Portal/applications/jpdk/jpdk/WEB-INF/
deployment_providerui/provideruiacls.xml
Refer to Section 6.1.3.4, "Privileges to Create and Edit Web Providers and Provider Groups" for information about the privileges you can grant.
When users attempt to log in to OracleAS Portal, OracleAS Single Sign-On must first verify their credentials against the directory. Once their identity has been verified, OracleAS Portal checks their access privileges in the directory to determine which objects they may see and use within the portal.
From OracleAS Portal, the user requests to log in by clicking the Login link.
The login request is forwarded to OracleAS Single Sign-On for authentication.
OracleAS Single Sign-On verifies the user credentials against the information stored in the directory.
If authentication is successful, then OracleAS Single Sign-On creates an SSO cookie for the user. If authentication is not successful, the user is denied access and returned to the login page to re-enter their user name and password.
Once the user's identity has been verified, control is returned to OracleAS Portal, which creates a portal session cookie. OracleAS Portal then connects to the directory and determines the user's group memberships and privileges.
OracleAS Portal caches the user's membership and privilege information locally for the duration of their session.
When the user attempts to access a page, OracleAS Portal performs the following checks:
Checks whether the page is public. If so, the user can view it.
If the page is not public, OracleAS Portal checks the local privilege table to determine whether the current user has privileges to view the page. If the user has viewing privileges, the user can view it.
If the current user does not have direct viewing privileges on the page, OracleAS Portal checks the cached membership information and privilege table to determine whether any of the groups to which the user belongs has privileges to view the page. If one of the groups to which the user belongs has viewing privileges on the page, the user can view it.
Note: If changes are made to Oracle Internet Directory that affect the user's privileges, a notification is raised and the cached information about the user is invalidated. Thus, OracleAS Portal starts enforcing the user's updated privileges as soon as it receives the notification. If you are using groups that are based on thegroupOfNames objectclass, then you need to update the provisioning profile. See "Update Subscription Profiles for Groups Based on groupOfNames" for more details.
|
In OracleAS Portal 10g Release 2 (10.1.2) it is possible to enable or disable enforcement of Role-Based Access Control. This option is disabled in the default configuration. Role-Based Access Control can prevent the assignment of both object level privileges and global privileges directly to users from the OracleAS Portal User Interface and forces them to be granted only to groups. However, this option does not have any impact on the privileges granted directly to users:
Before Role-based Access Control was enabled
Automatically when an object is created
Through the use of the OracleAS Portal APIs
To enable or disable Role-based Access Control, you must run the script secrlacl.sql
located in the directory ORACLE_HOME
/portal/admin/plsql/wwc
. The syntax for secrlacl.sql
is:
@secrlacl.sql Y|N
For example, if you want to enable Role-based Access Control, run the script as follows:
@secrlacl.sql Y
Once Role-based Access Control is enabled, you will see the following changes in OracleAS Portal:
Access Tab for Objects. Here you will see only the Group LOV; the User LOV does not appear.
The Privilege tab is not rendered on the Edit User Profile page.
OracleAS Portal leverages Oracle Application Server Security Services in the following ways:
SSL encryption. The use of HTTPS and the Secure Sockets Layer (SSL) allows for the creation of a secured connection between a client and a server. Digital certificates on each end of the communication verify the validity of the server and encryption of the communication to ensure that it is not compromised. You can implement SSL encryption for OracleAS Portal through the Oracle Application Server Security Services.
JAZN. JAZN is the internal name for a Java Authentication and Authorization Service (JAAS) provider. JAAS is a Java package that enables applications to authenticate and enforce access controls upon users. The use of JAZN in OracleAS Portal is limited to the authentication of external JSPs.
To provide a more comprehensive security solution, OracleAS Portal takes advantage of a variety of components in the Oracle Identity Management infrastructure:
Relationship Between OracleAS Portal and OracleAS Single Sign-On
Relationship Between OracleAS Portal and Oracle Internet Directory
Relationship Between OracleAS Portal and Oracle Directory Integration Platform
Relationship Between OracleAS Portal and Oracle Delegated Administration Services
OracleAS Portal also takes advantage of Oracle Identity Management when it creates users and groups. The most common way to create users and groups, and set global privileges and preferences for your portal is through the following portlets:
OracleAS Portal uses OracleAS Single Sign-On for user authentication. Refer to Section 6.1.4, "Authorization and Access Enforcement" for more information.
OracleAS Single Sign-On manages the Single Sign-On sessions of users. In order for single sign-on security to function properly with OracleAS Portal, the following tasks must be completed:
Add OracleAS Portal as a partner application for OracleAS Single Sign-On.
Add OracleAS Portal entries to the partner application enabler configuration table.
The Oracle Universal Installer performs these two configuration steps for you upon installation. If you need to make changes to your configuration after installation, you can do so by:
Using the Application Server Control Console. Refer to Section 7.2, "Using the Application Server Control Console" for details. Alternatively, you can use the Portal Dependency Settings tool. Refer to Appendix A, "Using the Portal Dependency Settings Tool and File" for details.
Running the ptlconfig
tool with the -site
option. This procedure adds OracleAS Portal as a partner application to an existing OracleAS Single Sign-On installation. To work correctly, you must already have installed OracleAS Portal and OracleAS Single Sign-On, and created their DADs. See Appendix A, "Using the Portal Dependency Settings Tool and File" for details.
Support for Global Inactivity Timeout in OracleAS Portal
A Global Inactivity Timeout can be configured for the OracleAS Single Sign-On (SSO) Server. This feature is now supported in OracleAS Portal 10g Release 2 (10.1.2). To use this feature, you must configure the OracleAS Single Sign-On (SSO) Server on the infrastructure tier and mod_osso
on the Oracle Application Server middle tier. See the Oracle Application Server Single Sign-On Administrator's Guide for more information on configuring this feature.
Oracle Internet Directory is Oracle's highly scalable, native LDAP version 3 service and hosts the Oracle common user identity. As stated in the previous section, OracleAS Portal queries the directory to determine a user's privileges and what they are entitled to see and do in the portal. In particular, OracleAS Portal retrieves the group memberships of the user from the directory to determine what they may access and change.
Given this model, OracleAS Portal requires the following interactions with Oracle Internet Directory:
OracleAS Portal specific entries stored in the directory
Group attributes stored in the directory
User attributes stored in the directory
Caching of user and group information from the directory
Populating user and group lists of values from the directory through Oracle Delegated Administration Services
OracleAS Portal makes use of the features in Oracle Internet Directory to provide efficient user and group management. For a complete list of features provided by Oracle Internet Directory, refer to the chapter, "What's New in Oracle Internet Directory" in Oracle Internet Directory Administrator's Guide. However, a few of Oracle Internet Directory features are not supported by OracleAS Portal.
Table 6-10 lists and describes the Oracle Internet Directory features not supported in OracleAS Portal.
Table 6-10 Oracle Internet Directory Features Not Supported in OracleAS Portal
Features | Description |
---|---|
Dynamic Groups |
In dynamic groups, membership is computed dynamically based on specific attribute values and assertions that you specify. The Dynamic Group feature is not supported in OracleAS Portal because it relies on the use of cached information for greater performance and scalability. That is, user and group information is cached within the portal environment while assembled pages and content are cached within OracleAS Web Cache. The invalidation and subsequent flushing of the cache occurs when the definition of a user or the user's group membership changes. The change is propagated to OracleAS Portal using a Directory Integration Subscription Event. In the case of dynamic groups, there is no group change event because the membership is evaluated for each LDAP query and therefore there is no method of propagating this to the portal. You can use the Oracle Internet Directory Plug-in functionality to generate a static group populated by the outcome of a Dynamic Group query. This enables the use of groups based on attributes, but the provisioning and maintenance of this group may have a significant impact on the overall performance of the system (based on the size of the group and so on). |
Single Authentication Security Layer (SASL) |
SASL is a method for adding authentication support to connection-based protocols. Oracle Internet Directory server supports SASL-based authentication mechanisms, but currently these mechanisms are not supported in the DBMS_LDAP package, which is used by OracleAS Portal. |
Client-side referral caching |
For performance reasons, an API can be used to cache the cached referral entries on the client side. Currently, there is no support for client-side referral caching in the DBMS_LDAP package, which is used by OracleAS Portal. |
In order for security to function properly, OracleAS Portal requires the following entries in the directory's Directory Information Tree (DIT) structure:
Default user accounts (cn=PUBLIC, cn=PORTAL, cn=PORTAL_ADMIN) are created in the identity management realm's user base (cn=Users,dc=MyCompany,dc=comFoot 1 ). The PORTAL and PORTAL_ADMIN users are added to the DBA and PORTAL_ADMINISTRATORS groups, respectively. The PUBLIC user is created for unauthenticated users. Typically, the PUBLIC user entry is for granting viewing privileges on portal content that is accessible to any user, unrestricted.
Group container is created within the identity management realm's group base (cn=Groups,dc=MyCompany,dc=com1). OracleAS Portal can leverage any group in the directory, but groups are more easily accessed for display in a list of values if they are located within the OracleAS Portal group container.
The name of the group container is derived from the following in OracleAS Portal:
OracleAS Portal schema name
Date and time when OracleAS Portal began to use Infrastructure Services
The format of the name is:
schema_name.yymmdd.hh24miss.ff
Note: The name of the group container may have a different format for releases of OracleAS Portal older than 10g Release 1. |
Groups are created within the OracleAS Portal group container in the directory:
cn=AUTHENTICATED_USERS
cn=DBA
cn=PORTAL_ADMINISTRATORS
cn=PORTAL_DEVELOPERS
cn=PORTLET_PUBLISHERS
cn=RW_ADMINISTRATOR
cn=RW_DEVELOPER
cn=RW_POWER_USER
cn=RW_BASIC_USER
Application entity (orclApplicationCommonName=application_name) is created in the root Oracle Context (cn=Portal,cn=Products,cn=OracleContext). The application password is randomly generated. OracleAS Portal uses this entity to bind to the directory when it needs to query it or perform actions against it (for example, adding a user) on behalf of the user. When OracleAS Portal binds to the directory for a user, it uses a proxy connection to connect as the user. This method ensures that the directory properly enforces the user's authorization restrictions. The OracleAS Portal application entity obtains the privileges to initiate proxy connections by its membership in the user proxy privileges group (cn=UserProxyPrivilege,cn=Groups,cn=OracleContext). The name of the application entity is derived from the schema and the time that OracleAS Portal began to use the Infrastructure Services. For example, the name of the application entity can be portal.040820.123756.096286000, where portal is the schema name and 040820.123756.096286000 is the timestamp in the yymmdd.hh24miss.ff format.
Directory synchronization subscription A provisioning profile entry is created in the provisioning profiles node of the directory (cn=Provisioning Profiles,cn=changelog subscriber,cn=oracle internet directory). This entry indicates that the directory must notify OracleAS Portal when user or group privilege information has changed. It enables OracleAS Portal to keep its authorizations synchronized with the information stored in the directory.
Note: When the provisioning profile is deleted from Oracle Internet Directory, the Enable directory synchronization and Send event notifications every n seconds, disappear from the Directory Synchronization section on the Global Settings page's SSO/OID tab. To navigate to the Global Settings page, in the Portal Builder, go to the Portal subtab on the Administer tab, and click the Global Settings link in the Services Portlet. |
Figure 6-2 shows where the OracleAS Portal information is located in the directory's DIT structure.
OracleAS Portal, like all other components of Oracle Application Server, relies upon the directory to store user information. All users in the directory are defined using the following object classes:
The inetOrgPerson object class contains the entire user attributes defined by the Internet Engineering Task Force (IETF) Request for Comments (RFC) number 2798.
The orclUser and orclUserV2 object classes contain a set of standard, additional attributes for Oracle products.
The subsequent tables show the various user attributes stored in Oracle Internet Directory. A complete list of these attributes is available in IETF RFC 2798.
Table 6-11 inetOrgPerson Attributes
inetOrgPerson (IETF) attributes | Comment |
---|---|
cn |
Common name of the user This attribute is mandatory. |
employeeNumber |
Number used to identify employees |
sn |
Last name. This attribute is mandatory. If nothing is explicitly specified for this attribute, the user's nickname is used. |
givenName |
First name |
middleName |
|
displayName |
Preferred name |
|
e-mail address |
telephoneNumber |
|
homePhone |
|
mobile |
|
pager |
|
facsimileTelephoneNumber |
|
street |
|
l |
City of office |
st |
State of office |
postalCode |
Postal code of office |
c |
Country of office |
homePostalAddress |
Home address |
jpegPhoto |
Person's picture |
o |
Organization |
title |
|
manager |
Employee's supervisor |
uid |
User ID |
userPassword |
|
preferredLanguage |
|
Table 6-12 orclUserV2 Attributes
orclUserv2 attributes | Comments |
---|---|
orclIsVisible |
A flag to indicate whether the user should be hidden from all but administrators. |
orclDisplayPersonalInfo |
A flag to indicate whether a user's personal information should be hidden from all but administrators. |
orclMaidenName |
|
orclDateOfBirth |
|
orclHireDate |
|
orclDefaultProfileGroup |
Default user group for the person |
orclActiveStartDate |
When account was activated |
orclActiveEndDate |
when account was (or will be) terminated |
orclTimeZone |
|
orclIsEnabled |
A flag to indicate whether the user account is active. If not active, the user will not be allowed to log in. |
OracleAS Portal, like all other components of Oracle Application Server, relies upon the directory to store group information. All groups in the directory are defined using the following object classes:
The groupOfUniqueNames
object class contains all of the group attributes defined by IETF (RFC 2256).
The orclGroup object class contains a set of standard, additional attributes for OracleAS Portal.
Note: In OracleAS Portal 9.0.2 and subsequent releases, you cannot scope groups to a specific page group. This option was available only in OracleAS Portal 3.0.9.x and preceding releases. |
Figure 6-3 shows where the OracleAS Portal information for groups is located in the directory's DIT structure.
Figure 6-3 DIT Structure for OracleAS Portal Groups
The subsequent tables show the various group attributes stored in Oracle Internet Directory.
Table 6-13 groupOfUniqueNames/groupOfNames Attributes
groupOfUniqueNames/groupOfNames (IETF) attributes | Comment |
---|---|
cn |
The common name of the group, which can be typed into places like the Edit Group field in the Group portlet to locate the group. |
description |
The text description of the group, which is displayed in lists of values where the group appears. |
uniqueMember/member |
A list of the distinguished names (DNs) of all of the members of the group. The member DNs can represent a user or another group. |
owner |
A list of the DNs of all of the users and groups that have the privilege of administering this group. |
To improve performance, OracleAS Portal caches some directory information locally. In particular, OracleAS Portal caches the following:
Directory connection information for OracleAS Portal
URLs for Oracle Delegated Administration Services
orclGUIDs of certain privilege groups for authorization checks on directory portlets (for example, the User and Group portlets)
some Oracle Context information
the locally selected group search and creation bases
group memberships and default group for each user
The majority of the information cached by OracleAS Portal is fairly static (for example, directory connection information). For those items that are more dynamic, such as group memberships and default group, OracleAS Portal relies upon the Oracle Directory Integration and Provisioning agent for updates. OracleAS Portal maintains a directory synchronization subscription in the directory that flags the agent to notify it of any change events that affect OracleAS Portal security (for example, adding or deleting a user from a group).
The User, Group, Portal User Profile, and Portal Group Profile portlets include lists of values for users or groups. These lists of values must be populated with information stored in the directory. By default, the list of values displays the groups contained under the OracleAS Portal group container in the OracleAS Portal DIT structure. You can browse to any group in the tree, if you have the right access privileges.
The groups that are displayed in the list of values for groups depend on the privileges of the user viewing them. For example, if a user views the list of values from the Group portlet, the list only displays those groups that can be edited or deleted by that user. In OracleAS Portal 10g Release 2 (10.1.2), the implementation of the LOVs supports a callback method. This callback mechanism requires corresponding support in the Oracle Delegated Administration Services environment.
If you have upgraded from a release of OracleAS Portal earlier than 10g Release 2 (10.1.2), and if your Infrastructure and Application Server middle tier were separated onto different hosts or protocols, you may have performed additional user and group Lists of Values (LOVs) configuration to accommodate the JavaScript Origin Server Security policy.
There were two configuration options:
Setting up of a common-domain by running the script secjsdom.sql
.
Deploying Oracle Delegated Administration Services on the middle tier.
If you have installed the appropriate Oracle Delegated Administration Services version in your environment, and have not previously implemented the configuration options mentioned in the preceding text, then no subsequent configuration steps are required in OracleAS Portal to support the LOVs on a separate host. However, if you used the configuration options mentioned previously, it is required to remove these steps. This can be done as follows:
If a common domain was defined, reset it by executing the secjsdom.sql
script. Refer to Example C-2, "Resetting a Previously Defined Common Domain Using secjsdom.sql" for more information.
If OracleAS Portal has been configured to use a locally deployed Oracle Delegated Administration Services servlet, reconfigure it to point to the Infrastructure tier by running the secdaslc.sql
script as follows:
From the operating system prompt, go to the following directory:
DESTINATION_MID_TIER_ORACLE_HOME/portal/admin/plsql/wwc
Using SQL*Plus, connect to the OracleAS Portal schema as the owner and run the following commands:
@secdaslc N commit;
If OracleAS Portal is used with an older release of Oracle Delegated Administration Services that does not support the callback method and the directory and OracleAS Portal servers reside on different domains, you have to install the required patch to the Oracle Delegated Administration Services environment to support the use of LOVs across domains.
If it is not possible, for operational purposes, to apply the patch, you can define a Common JavaScript Domain for Oracle Delegated Administration Services Lists of Values by using the secjsdom
script. Refer to Section C.4, "Using the secjsdom.sql Script" for information about using this script.
As shown in Figure 6-4, the Oracle Directory Integration Platform provides important services to notify components of user and group change events and synchronize directories.
Figure 6-4 Oracle Directory Integration Platform Synchronization
In the figure, the flow to and from the Oracle Internet Directory has two paths. The first path, labeled Oracle Directory Synchronization Service, shows the concept of synchronization. In this case, the Oracle Internet Directory acts as a gateway to some external directory or repository. The synchronization service ensures that changes are coordinated between the Oracle Internet Directory and its connected directories. Whenever a change occurs in one of the directories, a notification must be raised with the Oracle Internet Directory to appropriately reflect the change across all of the affected directories.
The second path, labeled Oracle Directory Provisioning Integration Service, shows the concept of provisioning. In provisioning, an application, such as OracleAS Portal, subscribes to changes to certain user or group information. For example, suppose that an administrator removes a user from a group through the Oracle Delegated Administration Services. As a result of this change, the user should no longer be allowed to access certain pages in OracleAS Portal. The Oracle Directory Integration Platform must notify OracleAS Portal to update its local cache and immediately prevent the user from accessing the pages to which she no longer should have access.
For provisioning services, components like OracleAS Portal subscribe to provisioning events (for example, deletion of a group) to keep their local caches of user and group information synchronized with the central user and group repository in the Oracle Internet Directory. When a change event occurs, all of the components that are subscribed to that change event are notified by the Directory Synchronized Provisioning agent of the Oracle Directory Integration Platform. OracleAS Portal sets the portal directory synchronization subscription flag in the directory to indicate that it should be notified whenever a subscribed change event takes place. Table 6-15 shows the events to which OracleAS Portal subscribes and the actions it takes when those events occur.
Table 6-15 Directory Synchronized Events Handled By OracleAS Portal
Note: OracleAS Portal does not need to subscribe to user and group creation events. The local user profile is created automatically when a new user first logs on or is assigned some privilege that causes the user to be referenced in an access control list (ACL) of OracleAS Portal. Similarly, a local group profile is created automatically when a new group is first referenced in an ACL. |
To function properly, OracleAS Portal requires the following for its integration with Oracle Directory Integration Platform:
The Oracle Directory Integration Platform must be running. With OracleAS Portal Release 9.0.4 and later, the Oracle Directory Integration and Provisioning agent is started by default if the user had started the infrastructure tier using opmnctl start all
. To start the Oracle Directory Integration Platform, you use the oidctl
command, for example:
oidctl instance=1 server=odisrv flags="host=iasqa-ultra1.abc.com port=4032" start
The subscription profile must be created in the Oracle Internet Directory. A default subscription profile is automatically created during the installation of OracleAS Portal.
By default, groups created in the Oracle Internet Directory by Oracle Delegated Administration Services are based on the IETF object class groupOfUniqueNames
. However, there is now support for handling groups created with the object class groupOfNames
as well. If your portal has an existing Oracle Directory Integration Platform subscription profile in the Oracle Internet Directory (from 9.0.2), then it would be subscribing to group modifications and deletions based on groups using groupOfUniqueNames
. If any existing groups in Oracle Internet Directory are based on the groupOfNames
object class you must update the Oracle Directory Integration Platform subscription profile to subscribe to the events for groups based on groupOfNames
in addition to groupOfUniqueNames
.
To create or update the subscription profile, run ptlconfig
as follows:
ptlconfig -dad <dad> -dipreg
This will create or update the provisioning profile and subscribe to changes for the uniqueMember
and member
attributes.By default, this provisioning profile is enabled.
In addition to querying the directory for user and group information, OracleAS Portal must provide users with the means to add and modify user and group information. To change information in the directory, use the Oracle Delegated Administration Services. OracleAS Portal provides links to the delegated administration server for users with the privileges to add and change users and groups.
The Oracle Delegated Administration Services provides a comprehensive interface for making updates to the directory. Authenticated users who have the appropriate privileges can access the delegated administration server through the User and Group portlets on the Administration tab in OracleAS Portal. To access these portlets, a user must be a member of the OracleDASCreateUser and OracleDASCreateGroup groups, respectively. The PORTAL and PORTAL_ADMIN users are members of both of these groups by default. AUTHENTICATED_USERS may also create groups by default.
mod_osso protects URLs behind the OracleAS Single Sign-On environment by making the HTTP server effectively into a partner application. Oracle Delegated Administration Services functionality is single sign-on enabled by using mod_osso to get the user's identify from the OracleAS Single Sign-On session.
Figure 6-5 Relationship between Oracle Delegated Administration Services, mod_osso, and OracleAS Single Sign-On
mod_osso is a module of the Oracle HTTP Server that is written as a partner application. You can use mod_osso to enable applications, including OC4J applications, for single sign-on. You achieve this by configuring mod_osso with Oracle HTTP Server directives to restrict access to the OC4J application URLs.
Oracle Delegated Administration Services is implemented as an OC4J application, which relies on mod_osso to authenticate users attempting access. When a user attempts to access an Oracle Delegated Administration Services dialog (for example, a list of users or groups, or the Create User form), mod_osso checks whether the user has been authenticated. mod_osso performs no authorization checks other than checking for authentication. If the user has not been authenticated, mod_osso, which is an OracleAS Single Sign-On partner application, redirects the user's request to OracleAS Single Sign-On. OracleAS Single Sign-On either:
Finds a cookie that indicates the user has been properly authenticated and sends back an authenticated token to mod_osso.
Or, if no cookie has been created yet, it brings up the login page to authenticate the user.
Once the user has been properly authenticated, they are redirected by mod_osso to the requested Oracle Delegated Administration Services URL. Oracle Delegated Administration Services then becomes accessible to the user and enforces the user's privileges, typically relying on access control items in the Oracle Internet Directory.
Oracle Delegated Administration Services URLs
The first request to Oracle Delegated Administration Services from a user session in OracleAS Portal is redirected to the OracleAS Single Sign-On so that mod_osso, which acts as a partner application on behalf of Oracle Delegated Administration Services, can establish the identity of the user. OracleAS Single Sign-On constructs a URLC token that includes the requested Oracle Delegated Administration Services URL. There is about a 2K limit on the length of the URLC token imposed by Internet Explorer. As such, the length of the Oracle Delegated Administration Services URL is also limited. To provide a seamless integration with Oracle Delegated Administration Services, OracleAS Portal includes the URLs of the current portal page and the portal home page within this Oracle Delegated Administration Services URL. A typical Oracle Delegated Administration Services URL appears as follows:
http://myportal.us.abc.com:7777/oiddas/ui/oracle/ldap/das/group/AppCreateGroupInfo Admin?doneURL=https%3A%2F%2Fwebsvr.us.abc.com%3A5001%2Fportal%2Fpage%3F_ pageid%3D6%2C1%2C6_12%3A6_18%26_dad%3Dportal_9_0_2_6_7%26_schema%3DPORTAL_9_0_2_ 6_7&homeURL=https%3A%2F%2Fwebserver.us.abc.com%3A5001%2Fportal%2Fpage%3F_ pageid%3D6%2C1%2C6_12%3A6_18%26_dad%3Dportal_9_0_2_6_7%26_schema%3DPORTAL_9_0_2 _6_7&parentDN=cn%3Dportal_9_0_2_6_ 7.s901dev0.portalserver.us.abc.com%2Ccn%3Dgroups%2Cdc%3Dus%2Cdc%3Doracle%2Cdc%3Dco m&enablePA=true
When this URL is included in the URLC token, which is then encrypted for security reasons, the length of the resulting token easily approaches the 2K threshold. If it exceeds this limit, the browser may show an error.
There is no fixed size for the URL. However, if you see browser errors when performing Oracle Delegated Administration Services operations, you should consider reducing the size of various parts that comprise the portal URL as this will help ensure that the URL does not exceed the 2k limit. For example, limit hostnames to 8 characters or less and DAD names to 6 characters or less.
In the event that you encounter this problem, the workaround is to log in to Oracle Delegated Administration Services first through a shorter URL, such as the Directory Administration link in the Services portlet. Any subsequent access to Oracle Delegated Administration Services will then not require SSO redirection, and will succeed.
The User portlet on the Portal tab under Administration enables you to create and update users through Oracle Delegated Administration Services. To create a new user, click the Create New Users link in the User portlet. To update information for an existing user, enter their user name in the Name field or choose it from the list of values and click Edit. To delete a user, enter their user name in the Name field or choose it from the list of values and click Delete.
Note: Only a user who is a member of the OracleDASCreateUser, OracleDASEditUser, or OracleDASDeleteUser privilege groups can see the User portlet. The link to create new users is displayed only to users who are members of the OracleDASCreateUser group. |
Note: The Portal User Profile portlet is only visible to users with Manage or Edit privileges for All User Profiles. |
To set global user privileges and preferences that pertain specifically to the portal, use the Portal User Profile portlet. To update a user's portal preferences and privileges, enter their user name in the Name field or choose it from the list of values. You can set all of the following for the user's profile:
Preferences
whether the user can access the portal
database schema name for the user
whether the user has a personal page
default user group for the user
default home page for the user
default style for the user
whether to clear the OracleAS Web Cache for the user
Global Privileges
page group privileges
Portal DB Provider privileges
administration privileges
Note: Every user can see the Group portlet, but the link to create new groups is displayed only to users who are members of the OracleDASCreateGroup privilege group. Users can only edit or delete a group if they are the group's owner or a member of a group with appropriate access control information (ACI) to edit or delete the group. The following privilege groups are seeded in the Oracle Internet Directory:
The preceding privilege groups imply global privileges, and should be allocated carefully. |
The Group portlet on the Portal tab under Administration enables you to create and update user groups through Oracle Delegated Administration Services. To create a new group, click the Create New Groups link in the Group portlet. To update information for an existing group, enter its name in the Name field or choose it from the list of values and click Edit. To delete a group, enter the group name in the Name field or choose it from the list of values and click Delete.
Note: The Portal Group Profile portlet is displayed to all users, but only users with the Manage or Edit privilege for All Group Profiles, or the owner of a group can edit its profile. |
To set global group preferences and privileges that pertain specifically to the portal, you need to use the Portal Group Profile portlet. To update a group's portal preferences and privileges, enter the group name in the Name field or choose it from the list of values. You can set all of the following for the group's profile:
Preferences
default home page for the group
default style for the group
Global Privileges
page group privileges
Portal DB privileges
administration privileges
In many cases, it is more efficient to use roles exposed by Oracle Delegated Administration Services to assign privileges for each individual user. When creating users, you might notice a section called Roles Assignment on the Create User page, shown in Figure 6-10.
Note: In releases before 9.0.4, roles were called public groups. |
Figure 6-10 OracleAS Portal Create User Page
Roles provide a very convenient mechanism by which users can be created and granted a set of privileges simultaneously. When a check box for a role is checked for a given user, they are granted the designated role upon creation. As an administrator, you can create your own roles and pre-assign any combination of Oracle Internet Directory and OracleAS Portal privileges to them.
Suppose that you want to create a role with the appropriate privileges for a user administrator. You could create such a role by following these steps:
You begin by creating a group in the usual manner:
From Portal Builder (the Design-Time pages), click Administer, if you are not already on the Administer tab.
Click Create New Group in the Group portlet and the Create Group page appears, as shown in Figure 6-11.
Enter the required fields (indicated by asterisks).
On the Create Group page, click Privilege Assignment to go to that section and choose the following privileges, as shown in Figure 6-12:
Allow user creation
Allow user editing
Allow user deletion
Figure 6-12 Privilege Assignment Section of the Create Group Page
Click Submit.
Step 2: Assign the Manage privilege for all user profiles.
After you create the user administrator group, you need to assign it the Manage privilege for all user profiles. This privilege is the only global privilege that you need to assign to this group for user administration.
From Portal Builder (the Design-Time pages), click Administer, if you are not already on the Administer tab.
From the Portal Group Profile portlet, enter the name of your newly created group and click Edit.
Click Privileges to go to that tab.
Scroll down to the Administration Privileges section, shown in Figure 6-13. From the list next to All User Profiles, choose Manage.
Figure 6-13 Administration Privileges Section of the Edit Group Profile Page
Click OK.
Step 3: Make the group a role.
Now that you have created a group representing the user administrator role, you need to enable it as a role so it appears in the list of roles on the Create User page.
From Portal Builder (the Design-Time pages), click Administer, if you are not already on the Administer tab.
In the Services portlet, click Directory Administration.
Click Configuration to display that tab.
Click User Entry.
Click Next until you reach Step 5 of 5, Configure Roles, of the wizard, as shown in Figure 6-14.
Click Add Role to choose the new group and add it to the list of roles.
Click Finish. Your group will now appear in the list of public groups on the Create User page.
Step 4: Hide detailed privilege assignment section.
To encourage the usage of roles rather than direct privilege assignment, you can turn off the detailed privilege assignment section of the Create Users page. To implement this change, you need to update a configuration entry in the OracleAS Portal schema. This setting stops Oracle Delegated Administration Services from displaying the Privilege Assignment section in the Create/Edit User page when it is called from an OracleAS Portal administration page.
Log in to the PORTAL schema through SQL*Plus.
Invoke the following commands to set the das_enable_pa
variable in OracleAS Portal's Oracle Internet Directory configuration preference store:
$ sqlplus ... Enter user-name: portal Enter password: ... SQL> set serverout on SQL> exec wwsec_oid.set_preference_value('das_enable_pa', 'N'); PL/SQL procedure successfully completed. SQL> commit; Commit complete. SQL> exit ...
Because the User Portlet is cached in OracleAS Web Cache and the OracleAS Portal middle-tier file system cache, you must invalidate the cached version of the portlet before you are done. Updating the configuration parameter changes the behavior of the portlet, but updating the parameter does not invalidate the cache. Follow these steps to invalidate the cached version of the User Portlet:
Log in to OracleAS Portal as a user with administrator privileges.
Go to the Builder.
Click the Administration tab.
From the Portal tab, open Global Settings and navigate to the SSO/OID tab.
Scroll to the bottom of the page.
Check Refresh Cache for the Oracle Internet Directory parameters.
Click Apply.
Step 5: Validate your changes.
Once you have performed steps 1 through 4, go to the Create User page to verify that your user administrator group appears there. Note how the other OracleAS Portal administrative roles, or groups, are already pre-seeded into the Roles Assignment list on this page.
Portlets act as windows on your application, displaying summary information and providing a way to access the full functionality of the application. Portlets expose application functionality directly in your portal or provide deep links that take you to the application itself to perform a task. as portlets format information for display on a Web page, the underlying application need not be Web enabled to be integrated with OracleAS Portal.
In OracleAS Portal, portlets are managed by providers. A provider is an application that you register with OracleAS Portal. OracleAS Portal supports two types of providers:
Web providers
Database providers
Portlet security consists of three major areas of functionality:
Authentication: When a user first accesses a secure URL, they must be challenged for information that verifies their identity, such as a user name and password, or a digital certificate.
Authorization: Authorization is the process that allows certain users to access parts of an application. Some parts of an application may have public access while others may be accessible only to a limited number of authenticated users.
Communication security: Communication security is the means by which OracleAS Portal establishes the authenticity of communications (for example, messages) to and from providers. In a heavily networked environment, it is critical to verify that communications are authenticate.
To make your Web providers truly secure, you need to make sure that they are secured in each of these areas. If you only implement security features for one or two out of three areas, then your providers cannot be considered secure. The effort you expend to secure a Web provider should be proportional to the confidentiality of the data the provider exposes.
When a user first logs in to OracleAS Portal, they must enter their password to verify their identity before being permitted access. OracleAS Single Sign-On manages the login process. Refer to Section 6.1.8.4, "Single Sign-On" for more information.
Authorization determines whether a particular user should view or interact with a portlet. There are two types of authorization checks:
Portal Access Control Lists: When you log in to OracleAS Portal, OracleAS Single Sign-On authenticates you. Once authenticated, OracleAS Portal uses access control lists (ACLs) to grant you privileges on portal objects such as pages and portlets. The actions may range from simply viewing an object to performing administrative functions. If you do not belong to a group that has been granted a specific privilege, OracleAS Portal prevents you from performing the actions associated with that privilege.
Programmatic Portlet Security: The Portal Developer's Kit-Java includes APIs that are called to determine if a particular user is authorized to view a portlet. You can use these APIs to implement authorization logic that augments the Portal ACL security.
Authentication and authorization are important components of securing your Web providers. They do not, however, check the authenticity of messages being received by a provider and are therefore not suitable on their own for securing access to a provider. If the communication is unsecured, someone could imitate OracleAS Portal and fool the Web provider into returning sensitive information.
Communication security focuses on securing communications between OracleAS Portal and a Web provider. These methods do not apply to database providers, which execute within the portal database. There are three types of communication security:
Portal Server Authentication ensures that incoming messages emanated from a trusted host.
Message Authentication ensures that the incoming messages were sent from a host with a shared key.
Message Encryption protects the contents of a message by encrypting them.
Portal Server Authentication restricts access to a provider to a small number of recognized computers. This method compares the IP address or the hostname of an incoming HTTP message with a list of trusted hosts. If the IP address or hostname is in the list, the message is passed to the provider. If not, it is rejected before reaching the provider.
Message authentication works by appending a checksum based on a shared key to provider messages. When a message is received by the provider, the authenticity of the message is confirmed by calculating the expected value of the checksum and comparing it with the actual value received. If the values are the same, the message is accepted. If they are different the message is rejected without further processing. The checksum includes a time stamp to reduce the chance of a message being illegally recorded in transit and resent later.
Message encryption relies on the use of the HTTPS protocol for communication between the provider and OracleAS Portal. Messages are strongly encrypted to protect the data therein. While encryption provides a high level of security, it also of necessity impacts performance.
Portlets act as windows into an application by displaying a summary of content and a method for accessing the full functionality of the application. Portlets can expose application functionality directly in the portal or provide deep links into the application itself to perform a task.
If the application is not confidential (that is, public), then users need not be authenticated to see and use it or its associated portlets. For more restricted applications, you need to authenticate the user who is accessing the application:
Partner applications share the same authenticated user as the OracleAS Portal user. The application user and the OracleAS Portal user are the same in this case.
External applications use a different authentication mechanism than OracleAS Portal and usually a different repository for user credentials. The application user name can be the same as in OracleAS Portal, but the external application verifies the user through its own mechanism.
A partner application shares the same OracleAS Single Sign-On as OracleAS Portal for authentication. Sharing OracleAS Single Sign-On instances means that when a user is already logged into OracleAS Portal, their identity can be asserted to the partner application without logging in again.
Partner applications tightly integrate with OracleAS Single Sign-On. When a user attempts to access a partner application, the partner application delegates the authentication of the user to OracleAS Single Sign-On. Once authenticated with a valid user name and password, a user need not provide a user name or password when accessing other partner applications that share the same OracleAS Single Sign-On instance. OracleAS Single Sign-On determines that the user was successfully authenticated and indicates successful authentication to the other partner applications.
The partner application provider trusts OracleAS Portal to authenticate the user on the provider's behalf. This relationship is possible because OracleAS Portal is, itself, a partner application. Partner application providers must trust OracleAS Portal to authenticate the user in this way because the provider cannot perform the authentication itself. Authenticating the user directly requires the provider to redirect the browser to OracleAS Single Sign-On and provide success and failure URLs. This method is not possible due to the provider architecture. The primary reason for it is that the authentication occurs in response to an API call from OracleAS Portal to the provider. OracleAS Single Sign-On cannot imitate that call upon successful authentication to the initSession()/dologin()
method to complete its normal processing.
Authentication of users in partner applications differ from conventional applications. Partner applications delegate user authentication to OracleAS Single Sign-On. If the user has not been authenticated, OracleAS Single Sign-On displays a login page prompting the user to enter a user name and password. The login page submits the user name and password back to OracleAS Single Sign-On.
If successfully authenticated, OracleAS Single Sign-On creates a special cookie containing information about the user. For security, OracleAS Single Sign-On encrypts the contents of the cookie. The cookie is sent back to the user's browser but is scoped such that only OracleAS Single Sign-On can access it. It is not passed to any other listeners. After creating the cookie, OracleAS Single Sign-On redirects the Web browser to the success URL specified by the partner application. At this point, the partner application creates an application session cookie which contains information the application needs to reestablish the session later. Upon making subsequent requests to the partner application, it detects the presence of the partner application session cookie and from it knows that the user is already authenticated.
If the user later accesses another partner application, that application looks for its application specific session cookie. If the cookie is not found, the application redirects the request to OracleAS Single Sign-On as described previously. This time OracleAS Single Sign-On detects the presence of the user's OracleAS Single Sign-On cookie. This cookie indicates that the user is already authenticated and OracleAS Single Sign-On redirects the browser to the success URL of the second partner application without prompting the user for credentials again. At this point, the partner application creates its own application specific session cookie.
Advantages
Provides the tightest integration with OracleAS Portal and OracleAS Single Sign-On.
Provides the best OracleAS Single Sign-On experience to users.
Provides the most secure form of integration because user names and passwords are not transmitted between the portal and the provider.
The application and the portal share the same user repository, which reduces user maintenance.
Disadvantages
The application must share the same user repository as OracleAS Portal even though the application's user community may be a subset of the portal's user community. This minor issue can be addressed because you can restrict access to the portal pages that expose the application to the application's user community.
The application can only be tightly integrated with one or more OracleAS Single Sign-On if they share the same user repository.
Implementation Techniques
You make an application a partner application by protecting its URLs using mod_osso. Once configured, mod_osso restricts access to URLs and handles such things as the redirection to OracleAS Single Sign-On and the creation of cookies.
mod_osso is a general purpose Oracle HTTP Server module and a partner application of OracleAS Single Sign-On. It uses OracleAS Single Sign-On to do the authentication. The module does all the communication and handling of cookies between the Oracle HTTP Server and OracleAS Single Sign-On. If mod_osso is configured to protect the URLs of a Web application, then the application effectively becomes a partner application.
OracleAS Portal is also a partner application and uses OracleAS Single Sign-On to authenticate users. Provided OracleAS Portal and mod_osso use the same OracleAS Single Sign-On instance, the user can access either the Web application or OracleAS Portal by logging in to either one, that is, they need only login once to be able to access both the Web application and OracleAS Portal.
Advantages
mod_osso is simple to set up.
You need no additional code in the application.
New features to the OracleAS Single Sign-On environment are exposed through simple dynamic directives.
mod_osso generates a partner application cookie and does all the cookie handling.
mod_osso secures the partner application and deep links from the partner application provider.
Disadvantages
Although not neccessarily a drawback, mod_osso can only be used with Web applications.
An External Application is an application that uses a different authentication mechanism than OracleAS Portal. The application may use a different instance of OracleAS Single Sign-On than the used by OracleAS Portal or some other authentication method. In either case, OracleAS Single Sign-On stores user name mappings, passwords, and any other required credentials to authenticate the user in each external application. When a user is already logged into OracleAS Portal, they will be logged into the external application without having to enter their user name or password.
Applications that manage their own authentication of users can be loosely integrated with OracleAS Single Sign-On by registering as external applications. An external application can be exposed as a provider using the Oracle Application Server Portal Developer Kit so that it may be accessed from a portlet on a page. External application providers are only available to Web providers.
See Also: For more information about the External Applications portlet, see Oracle Application Server Portal User's Guide. |
When a previously authenticated user accesses an external application for the first time, OracleAS Single Sign-On attempts to authenticate the user with the external application. The authentication is performed by submitting an HTTP request that combines the registration information and the user's user name and password for the application. If the user has not yet registered their user name and password for the external application, OracleAS Single Sign-On prompts the user for the required information before making the authentication request. When a user supplies a user name and password for an external application, OracleAS Single Sign-On maps the new user name and password to the user's OracleAS Portal user name and stores them. The next time the user needs to access the external application the stored credentials are used.
Note: If there is a change in the URL of an external application, then the external application must be updated in the OracleAS Single Sign-On Server. For information about updating the external application, refer to the "Editing an External Application" section in the Oracle Application Server Single Sign-On Administrator's Guide. |
Advantages
Allows integration with many portals. If there is a preferred portal, the application could be integrated as a partner application of that portal and an external application of other portals.
Provides a single sign-on experience for users. However, users still need to maintain different user names and passwords. In addition, the external application user name mapping must be maintained.
Allows integration with multiple portals independent of their user repositories and single sign-on mechanisms.
Disadvantages
External applications do not share the same user repository as the portal, which requires additional maintenance of user information.
The user name and password is transmitted to the provider in plain text. This approach is not as secure as a partner application.
The application must be written using a technology that can be easily integrated with Java or PL/SQL.
In this case, the provider trusts the portal sending the requests. The provider can determine if the user is logged in and the portal user name, but the application has not authenticated the user.
Advantages
You can implement this form of integration most easily and very fast.
Disadvantages
Provides the weakest integration with OracleAS Portal.
When you log in to OracleAS Portal, OracleAS Single Sign-On authenticates you. OracleAS Portal then uses access control lists (ACLs) to determine if you are authorized to view each piece of content, including providers and portlets. If you do not belong to a group that has been granted a specific privilege, OracleAS Portal prevents you from performing the actions associated with that privilege.
ACLs are managed by the following:
Privileges define the actions that can be performed on the object to which they are granted. Several privileges can be granted, such as Manage, Execute, Access, and Publish. If you set any of these privileges, then the user can access the portlet.
Users and their privileges are managed from the Portal tab under the Administer tab of the builder.
Group membership in a group and the privileges granted to the group are managed from the Portal tab under the Administer tab of the builder. A privilege granted to a user group is inherited by all members of that group.
Privileges can be granted to a provider. By default, those privileges apply to the provider and all the portlets in the provider. Provider ACLs are managed on the Provider tab of the navigator.
Privileges for portlets can override the privilege set for the portlet's provider. Portlet ACLs are managed on the Provider tab of the navigator. Using Open for the Provider takes you to a page to manage the portlets of the provider.
You can implement portlet security methods within a provider to verify that given users may access portlet instances. These security methods work at the portlet level, that is, each portlet may have its own user access control. By implementing access control methods in the provider, content may only be retrieved from a portlet if the user's credentials pass the authorization logic. If you do not implement portlet security methods in the provider, any user name may be passed in, even a fictitious, unauthenticated one.
A provider can implement two portlet security methods:
Get a list of portlets
Determine portlet accessibility
These methods have access to the following information about authorization level:
Strong indicates that OracleAS Single Sign-On has authenticated a user in the current OracleAS Portal session, that is, the user logged in to OracleAS Portal with a valid user name and password, and called the portlet in that session.
Weak indicates a user who previously had strong authentication and returns to view a page without an active OracleAS Portal session. A persistent cookie from the user's browser indicates that in some previous session the user logged in with a valid user name and password.
Public indicates a user has not logged in within the context of the current OracleAS Portal session and does not have a persistent cookie to indicate that such a state previously existed.
Portlets can also access the OracleAS Portal user privileges and group memberships:
User's default group
User or group privileges
User's highest available privilege across all groups
Objects a user can access
One way you can prevent unauthorized access to providers is to restrict access to the provider to known client computers at the server level. This method goes some way toward defending against denial of service attacks.
In the Oracle HTTP Server, you can permit or deny directives in the httpd.conf
file based on hostnames or IP addresses. If hostnames are used as discriminators, the server needs to look them up on its Domain Name Server, which incurs overhead to the processing of each request. Using the IP address prevents this added overhead, but the IP address may change without warning.
This approach only allows trusted hosts to access the provider.
You can set the restrictions up easily.
OracleAS Web Cache does not have IP address checking capability. If you have OracleAS Web Cache in front of a provider, a client on any host can send show requests to OracleAS Web Cache.
You can circumvent this approach by sending messages to a provider containing fake IP addresses and hostnames. This method is tricky to carry out effectively because return messages will go to the computer with the copied IP address, but it can still cause problems.
The Oracle Application Server Portal Developer Kit supports message authentication to limit access to a specified provider instance or group of provider instances. A provider is registered with a secret shared key known only to the portal and provider administrators.
An OracleAS Portal instance sends a digital signature, calculated using a Hashed Message Authentication Code (HMAC) algorithm, with each message to a provider. A provider may authenticate the message by checking the signature with its own copy of the shared key. This technique may be used in SSL communication with a provider instead of client certificates.
An OracleAS Portal instance calculates a signature based on user information, a shared key, and a time stamp. The signature and time stamp are sent as part of the SOAP message. The time stamp is based on UTC (coordinated universal time, the scientific name for Greenwich Mean Time) so that time stamps can be used in messages between computers in different time zones.
When the provider receives this message it will generate its own copy of the signature. If the signatures agree, it will then compare the message time stamp with the current time. If the difference between the two is within an acceptable value the message is considered authentic and processed accordingly.
A single provider instance cannot support more than one shared key. Multiple keys could cause security and administration problems if several clients sharing a provider use the same key. For instance, if one copy of the shared key is compromised in some way, the provider administrator has to create a new key, distribute it to all of the clients, and the clients must then update their provider definition. The way around this issue is to deploy different provider services, specifying a unique shared key for each service. Each provider service has its own deployment properties file so that each service is configured independently of the others. The overhead of deploying multiple provider services within the same provider adapter is relatively small.
If a provider does not have an OracleAS Web Cache in front of it, the use of the same signature cookie over the lifetime of a provider session means you must trade off between performance and the security provided by authenticating the requests. The signature cookie value is calculated only once after the initial SOAP request establishes the session with the provider. The shorter the provider session timeout, the more often a signature will be calculated to provide greater security against an illegal show request. However, the SOAP request required to establish a session takes more time.
In a provider that uses OracleAS Web Cache to cache show request responses, you make a similar trade-off. Cached content is secured in the sense that incoming requests must include the signature cookie to retrieve the cached content, but caching content for an extended period of time leaves the provider open to illegal show requests.
The signature element provides protection against interception and the resending of messages, but it does nothing to prevent the interception and reading of message contents. Messages are still transmitted in plain text. If you are concerned about the content of messages being read by unauthorized people, you should use message authentication in conjunction with SSL.
Normal communication between OracleAS Portal and a provider uses HTTP, a network protocol that transmits data as plain text using TCP as the transport layer. An unauthorized agent can read an intercepted message. HTTPS uses an extra security layer (SSL) on top of TCP to secure communication between a client and a server.
Each entity (for example, an OracleAS Web Cache instance) that receives a communication using SSL has a freely available public key and a private key known only to the entity itself. Any messages sent to an entity are encrypted with its public key. A message encrypted by the public key may only be decrypted by the private key so that even if a message is intercepted it cannot be decrypted.
Certificates are used to sign communications, thereby ensuring that the public key does in fact belong to the correct entity. These certificates are issued by trusted third parties known as Certification Authorities (CA), for example, OracleAS Certificate Authority or Verisign. They contain an entity's name, public key, and other security credentials. They are installed on the server end of an SSL communication to verify the identity of the server. Client certificates may also be installed on the client to verify the identity of a client, but this feature is not yet supported OracleAS Portal. Message authentication may be used instead.
Oracle Wallet Manager is the application used to manage public key security credentials. It is used to generate public/private key pairs, create a certificate request to a CA, and then install the certificate on a server.
When a provider is registered from an OracleAS Portal instance, only one URL is entered. HTTP or HTTPS may be used, but not a combination of both.
A server side certificate that is installed on a computer identifies that computer, or the domain, and may be used by any number of port definitions on that computer. A certificate trust list ensures that communication is limited to specifically identified servers. Message authentication should be used as well to fully secure communication between a trusted OracleAS Portal instance and a provider.
SSL encrypts the contents of a portlet during the transmission of the data from the provider to the Parallel Page Engine. To further secure the portlet contents, the surrounding page should be invoked by a SSL based request.
Encryption has a performance impact on OracleAS Portal.
If used, encryption requires all portlets from a provider to use HTTPS even if some of the content is public.
You will find additional information on security for your Web providers in the papers:
Overview of Provider Security
Overview of Password Authenticated Applications
on OTN, http://www.oracle.com/technology/
.
Out of the box, the Portal Tools (OmniPortlet and Web Clipping) provider configuration pages are protected with certain privileges. Refer to Section 6.1.3.4, "Privileges to Create and Edit Web Providers and Provider Groups" for more information about these privileges. In the event that the pages are no longer protected, check in the web.xml
file under the ORACLE_HOME
/
j2ee/OC4J_Portal/applications/portalTools/providerBuilder/WEB-INF
directory, that the following param-value is set to
true
and not false
:
<init-param> <param-name>oracle.webdb.providerui.securedAccessParam</param-name> <param-value>true</param-value> </init-param>
The OmniPortlet and simple parameter form are located under Portlet Builders in the Portlet Repository. By default, any user who has the privilege to create pages can add these portlets to a page and define them. Furthermore, a user who has at the minimum Manage Content privileges on the page can define these portlets by clicking the Define OmniPortlet or Define Simple Parameter Form.
To control this kind of access, you can activate a privilege check. Once you perform the procedure that follows, the display of these portlets depends upon the privileges granted to the user or user group from the Access tab. To perform any operations on the portlet, the user or user group needs at least the Execute privilege.
Log in to OracleAS Portal.
Click the Navigator link.
Click the Portlet Repository page group.
Click Pages.
Next to the Portlet Builders page, click Edit.
Click Page: Access in the upper left of the page.
Select Enable Item Level Security.
Click OK.
Click the Edit Item icon next to OmniPortlet.
Click the Access tab.
Check Define Portlet Access Privileges.
Click Apply and note the appearance of the Grant Access and Change Access sections of the page.
Use the Grant Access section to assign privileges to users and groups as desired.
Click OK.
Appendix I, "Configuring the Portal Tools Providers" describes the administrative tasks that must be performed before you are able to use the Web Clipping provider. The following sections describe some security configuration options that you should implement to enable the Web Clipping provider to access trusted sites and encrypt the channel between itself and the database:
When a user navigates to a secure site, the Web site typically returns a certificate, identifying itself to the user when asking for secure information. If the user accepts the certificate, the certificate is placed into the list of trusted certificates of the browser so that a secure channel can be opened between the browser and that server. Like a Web browser, the Web Clipping provider behaves as an HTTP client to external Web sites. In order for the Web Clipping provider to keep track of trusted sites, it makes use of a file that stores the certificates of those sites, namely the ca-bundle.crt
file, located in the MID_TIER_ORACLE_HOME
/portal/conf
directory.
The shipped ca-bundle.crt
is an exported version of the trusted server certificate file from Oracle Wallet Manager. The default trusted server certificate in Oracle Wallet Manager does not cover all possible server certificates that exist on the Web. For this reason, when a user navigates to a secure server using HTTPS, the user may get an SSL Hand-shake failed exception in the Web Clipping Studio. To solve this problem, the ca-bundle.crt
file needs to be augmented with new trusted sites that are visited. As a portal administrator, you must do the following to extend the shipped ca-bundle.crt
file:
Use a browser (preferably Internet Explorer) to download the root server certificate from each external HTTPS Web site in BASE64 format that is visited, and is missing from the trusted certificate file.
Use Oracle Wallet Manager to import each certificate.
Export the trusted server certificates into a file and replace the ca-bundle.crt
file with that file.
For more information about Oracle Wallet Manager, see Chapter 17 "Using Oracle Wallet Manager" in Oracle Advanced Security Administrator's Guide in the Oracle9i Release 2 (9.2) documentation section on the Oracle Technology Network, http://www.oracle.com/technology/
.
The Web Clipping provider can use Oracle Advanced Security Option (ASO) to secure and encrypt the channel between itself (on the middle tier) and the database that hosts the Web Clipping Repository. As ASO is a feature available only on Oracle Application Server Enterprise Edition, or as an add-on option to the Standard Edition, this feature is disabled by default. To enable it, perform the following steps:
Go to the Web Clipping provider test page at:
http://<host>:<port>/portalTools/webClipping/providers/webClipping
Under the Provider Configuration section, in the Setting column, there is a Web Clipping Repository field. Click its corresponding Edit link in the Actions column.
In the Repository Settings section of the Edit Provider: webClipping page, select the enable (secure database connections) option in the Advanced Security Option field.
Select OK to save the settings and return to Web Clipping provider test page.
In addition, you must set the following ASO configuration parameters in the sqlnet.ora
file to ensure that the database connections created between the Web Clipping provider and the database hosting the Web Clipping Repository are using ASO. See the Oracle Advanced Security Administrator's Guide for the list of values to use as all possible combinations of parameters are described in detail.
SQLNET.AUTHENTICATION_SERVICES
-- This parameter is used to select a supported authentication method in making database connections with ASO. See Oracle Advanced Security Administrator's Guide for more information about setting this parameter.
SQLNET.CRYPTO_SEED
-- This parameter denotes the cryptographic seed value (FIPS 140-1 setting), used in making database connections with ASO.
See the Oracle Advanced Security Administrator's Guide for more information about setting this parameter.
Note: When setting these parameters after the initial configuration (where the database parameters are already set up), the database connections are assumed to be open already. Because enabling ASO affects all connections made to the database, it is advisable to restart the OC4J instance containing the Web Clipping provider to reset all the current connections to now use ASO. You would also need to do this when disabling ASO. |
The Federated Portal Adapter is a component of OracleAS Portal that allows portal instances to share their portlets through the Web portlet interface. For example, suppose that a user displays a page in one portal instance that contains a portlet whose source resides on another portal instance. When the Federated Portal Adapter on the remote portal receives the request for the portlet, it starts a session for the user on the remote portal. The portlet can then be run from the remote portal instance by the user. This scenario has a couple of security implications:
Because the Federated Portal Adapter must create a session for the user on the remote portal, it would be best for the two portal instances to share the same single sign-on server. Otherwise, name collisions could occur when the Federated Portal Adapter attempts to log the user onto the remote portal instance.
Because the Federated Portal Adapter creates private portal sessions based on SOAP messages it receives, it is a potential security risk. A message authentication code must be used to ensure that any messages received by the Federated Portal Adapter emanate from a trusted source.
You will find additional information in the article "How to Add Remote Portlets Using the Federated Portal Adapter," on Oracle Technology Network, http://www.oracle.com/technology/
.
WebDAV (World Wide Web Distributed Authoring and Versioning) is the IETF's standard for collaborative authoring on the Web. It defines a set of extensions to HTTP that facilitates collaborative editing and file management between users located remotely from each other on the Internet.
OraDAV, Oracle's implementation of WebDAV, is the mechanism used by the Oracle HTTP Server to communicate with WebDAV clients. OraDAV enables your users to connect to OracleAS Portal using their WebDAV clients. In terms of security, accessing OracleAS Portal through WebDAV presents two security issues for you to consider:
Expiration of OracleAS Portal session cookies for OraDAV
SSL and OraDAV
The OraDAV configuration parameter, ORACookieMaxAge
, specifies, in seconds, the length of time for which the DAV client should retain the cookie. The default value is 28800 (that is, 8 hours).
ORACookieMaxAge
can be changed in Oracle Enterprise Manager or by directly editing it in the oradav.conf
file located in MID_TIER_ORACLE_HOME
/Apache/oradav/conf
. If you choose to manually change the file, you must synchronize the changes with Dynamic Configuration Management. Once the change has been made in the configuration file, you need to restart the Oracle HTTP Server to have the changes take effect in the runtime system:
cd MID_TIER_ORACLE_HOME/dcm/bin
./dcmctl shell
- dcmctl> updateConfig -ct ohs
After you exit the dcmctl
shell, execute the following command from MID_TIER_ORACLE_HOME
\opmn\bin
to restart the Oracle HTTP Server:
opmnctl restartproc type=ohs
Note: Not all WebDAV clients use cookies. Some perform their authentication on each request using HTTP basic authentication. A client may choose to record the user name and password for the duration of that WebDAV client session and thus only need to prompt the user once for their credentials. In either case, though, this behavior results in a slower response time from OracleAS Portal because every request from such clients must be authenticated, requiring added communication with the Oracle Internet Directory. |
This section describes considerations for:
Configuring OracleAS Security Framework Options for OracleAS Portal
Configuring Oracle Identity Management Options for OracleAS Portal
For OracleAS Portal, the main consideration when configuring the OracleAS Security Framework is how to properly configure SSL. Refer to Section 6.3.2.1, "Configuring SSL for OracleAS Portal" for a full description of SSL configuration for OracleAS Portal.
As you configure OracleAS Portal for security, you should consider the following topics related Oracle Identity Management:
When deciding on the Directory Information Tree structure and the setting of the Oracle Context parameters for your Oracle Identity Management Infrastructure, you should consider making the naming attribute different from the nickname attribute. The naming attribute is used for the first attribute in the entry's Distinguished Name. By contrast, the nickname attribute holds the OracleAS Single Sign-On user name.
For OracleAS Portal to properly support renaming users by changing the value of the nickname attribute in the Oracle Internet Directory, the nickname attribute must be different than the naming attribute. By keeping the two separate, the Distinguished Name of the user's entry in the Oracle Internet Directory remains unchanged even when the value of the nickname attribute changes.
In previous releases of OracleAS Portal, the super user, PORTAL, was able to perform OracleAS Single Sign-On administration. With OracleAS Portal Release 9.0.4, the ability to perform OracleAS Single Sign-On administration out of the box is removed. The rationale for this change is that in enterprise settings it is not necessarily appropriate for an OracleAS Portal administrator to have permissions to perform Oracle Internet Directory and OracleAS Single Sign-On administration. Much like the discussion in the previous section, regarding the roles of the centralized Oracle Identity Management Infrastructure administrator and the departmental OracleAS Portal administrator, it may be inappropriate for the OracleAS Portal administrator to have the permissions to perform OracleAS Single Sign-On administration.
If you need to allow the OracleAS Portal account to perform OracleAS Single Sign-On administration, you need to explicitly give the user the privilege.
This section describes configuration considerations for OracleAS Portal.
When you install OracleAS Portal, the installation process installs some default schemas of which you need to be aware.
OracleAS Portal Default Schemas
Table 6-16 describes the schemas created by default when OracleAS Portal is installed.
Table 6-16 Default OracleAS Portal Schemas
Schema | Description |
---|---|
Contains the OracleAS Portal database objects and code. To execute Web requested procedures, Portal Services uses N-Tier authentication to connect to the schema to which the lightweight user accounts are assigned (by default, PORTAL_PUBLIC). As shown in Figure 6-15, access to the database of the portal user is proxied through the single schema user. The default name for this schema in a standard OracleAS Portal installation is PORTAL. If you want to give it another name, you must perform a custom installation. |
|
Is the schema that all lightweight users are mapped to by default. All procedures publicly accessible through the Web are granted execute to PUBLIC, which makes them accessible through this schema. In a standard OracleAS Portal installation, this schema is named PORTAL_PUBLIC. If you want to give it another name, you must perform a custom installation. |
|
Is created to hold some demonstration code. The installation of this schema is optional. |
|
Is used for external JSP application authentication. |
Figure 6-15 N-Tier Authentication By User Proxy
When configuring OracleAS Portal, you should consider the following options that leverage the OracleAS Security Framework:
The sections that follow provide an overview of the most common SSL configurations for OracleAS Portal and describe the procedures necessary to implement them.
OracleAS Portal uses a number of different components (such as the Parallel Page Engine, Oracle HTTP Server, and OracleAS Web Cache) each of which may act as a client or server in the HTTP communication. As a result, each component in the Oracle Application Server middle tier may be configured individually for the protocols of HTTPS rather than HTTP.
Interacting with OracleAS Portal involves a number of distinct network hops. These hops are as follows:
Between the client browser and the entry point of the portal environment. That is either:
OracleAS Web Cache
Network edge hardware device such as a Reverse Proxy or SSL accelerator
Between OracleAS Web Cache and Oracle HTTP Server of the Oracle Application Server middle tier
Between the client browser and the Oracle HTTP Server of the OracleAS Single Sign-On or Oracle Internet Directory (or infrastructure) tier
A loopback between the Parallel Page Engine (PPE) on the middle tier and OracleAS Web Cache or front-end Reverse proxy
Between the Parallel Page Engine (PPE) and the Remote Web Provider producing Portlet content
Between OracleAS Portal infrastructure and the Oracle Internet Directory
SSL Usage Restriction
External JavaServer Pages do not work with the Parallel Page Engine in a partial SSL configuration mode. They will work when SSL is used throughout OracleAS Portal. If SSL is implemented externally with a load balancing router, only internal JavaServer Pages will work. As a result, with the SSL configurations described in Section 6.3.2.1.2, "SSL to OracleAS Single Sign-On", Section 6.3.2.1.4, "SSL Throughout OracleAS Portal", and Section 6.3.2.1.5, "External SSL with Non-SSL Within Oracle Application Server", you should only use external JSPs.
Configuring Enterprise Manager Security
In all the SSL configurations discussed here, you need to perform an additional task whenever you use Enterprise Manager to monitor SSL URLs.
Follow the instructions provided in Oracle Application Server Administrator's Guide.
SSL Configuration Tool and Its Limitations
This release introduces the SSL Configuration Tool (SSLConfigTool
), which helps automate many of the manual steps currently required for configuring SSL. The SSLConfigTool
executable is located in the ORACLE_HOME
/bin
directory and its usage syntax is as follows:
SSLConfigTool ( -config_w_prompt | -config_w_file <input_file_name> | -config_w_default | -rollback ) [-dry_run] [-wc_for_infra] [-secure_admin] [-opwd <orcladmin_pwd>] [-ptl_dad <dad_name>] [-ptl_inv_pwd <ptl_inv_pwd>]
See Oracle Application Server Administrator's Guide for more details.
Notes:
|
Table 6-17 describes the command-line options for the SSLConfigTool
command.
Table 6-17 SSL Configuration Tool Command Line Options
Parameter | Description |
---|---|
|
Run in interactive mode. |
|
Run in silent mode using the values specified in the |
|
Run in silent mode using the values specified in the |
|
Revert to the previous state before the command was last run. SSO registration will be done using virtual host and port. |
|
Print the steps without implementing them. |
|
Forces an OracleAS Web Cache to be used as a load balancer for an infrastructure environment. |
|
Secure the OracleAS Web Cache and Enterprise Manager administration ports (the ports used to display Application Server Control Console). |
|
Set the Oracle administrator password. This parameter is required. |
|
Set the OracleAS Portal DAD name. If no name is specified, the default "portal" will be used. |
|
Set the Portal invalidation password used to send invalidation to OracleAS Web Cache. If you are running |
Rolling Back Changes Made by SSLConfigTool
If you have run SSLConfigTool
in an OracleAS Infrastructure or middle-tier home earlier, you need to first roll back the changes that were made when you last ran the tool, before you can run SSLConfigTool
again in that Oracle home. To roll back the changes, run SSLConfigTool
as shown here in an example for Windows:
SSLConfigTool.bat -rollback -opwd <orcladmin_pwd>
Where:
rollback
is used to roll back the changes made by running SSLConfigTool
in the same Oracle home earlier.
opwd
is the Oracle administrator password. If no password is specified, you will be prompted to enter the password.
The sections that follow describe the usage of the SSL Configuration Tool for all the SSL configurations. You can also perform manual steps to configure SSL, which are also described in detail.
Checks to Perform Before Configuring SSL
Before using the methods recommended to configure SSL, you must confirm that OracleAS Portal is working correctly in the default non-SSL configuration. To test this, you must ensure that the following portal tasks work without errors:
The OracleAS Portal home page is accessible
Users can log in to OracleAS Portal
Edits to content are shown immediately
If any connection should be secured with SSL, it is the connection between the browser and OracleAS Single Sign-On. The password should be protected by SSL in transit between the browser and OracleAS Single Sign-On. For at least a minimal level of security, you should configure your installation with this option. All of the subsequent SSL configurations assume that you have configured SSL for OracleAS Single Sign-On.
Figure 6-16 shows a configuration where OracleAS Single Sign-On is configured to use SSL.
Figure 6-16 Secured Connection to OracleAS Single Sign-On
After you have successfully performed the checks described in "Checks to Perform Before Configuring SSL", you can use either of the following two methods to configure SSL to OracleAS Single Sign-On:
Configuring SSL to OracleAS Single Sign-On Using SSLConfigTool
Refer to the section "SSL Configuration Tool and Its Limitations" before using SSLConfigTool
.
To configure this option using the SSL configuration tool, perform the following tasks:
Enable SSL on the OracleAS Infrastructure that has Identity Management installed. Run SSLConfigTool
in the infrastructure Oracle home, as shown in the following example for Windows:
SSLConfigTool.bat -config_w_default -opwd <orcladmin_pwd>
Where:
config_w_default
is used to run the tool in silent mode using the values specified in the portlist.ini
and ias.properties
files.
opwd
is the Oracle administrator password. If no password is specified, you will be prompted to enter the password.
Enter n
when prompted by the script to configure your site to accept browser requests using the SSL protocol.
See Also:
|
Note: In the previously described configuration of SSL, you must re-register the OracleAS Single Sign-On middle-tier partner application. Because the OracleAS Single Sign-On middle-tier partner application is still non-SSL, you must re-register it as non-SSL. Therefore, the re-registration of mod_osso needs to specify the non-SSL URL of the OracleAS Single Sign-On middle tier for themod_osso_url parameter to ssoreg .
Refer to the information on registering mod_osso in the Oracle Application Server Single Sign-On Administrator's Guide. |
After enabling SSL on the OracleAS Infrastructure that has Identity Management installed, you must protect OracleAS Single Sign-On URLs. To do this, refer to the section "Protect Single Sign-On URLs" in Oracle Application Server Single Sign-On Administrator's Guide.
Run SSLConfigTool
in the middle-tier Oracle home, or multiple middle-tier Oracle homes, as shown in the following example, for Windows:
SSLConfigTool.bat -config_w_prompt -ptl_inv_pwd <ptl_inv_pwd> -opwd <orcladmin_pwd>
Where:
config_w_prompt
is passed to run SSLConfigTool
in interactive mode.
ptl_inv_pwd
is the portal invalidation password.
opwd
is the Oracle administrator password. If no password is specified, you will be prompted to enter the password.
Choose No when prompted to configure HTTPS.
Set the OracleAS Single Sign-On query path URL. See "Setting the OracleAS Single Sign-On Query Path URL" for the steps to be performed.
At this point, configuration is complete for SSL communication to OracleAS Single Sign-On.
Configuring SSL to OracleAS Single Sign-On Manually
To manually configure this option, refer to the information on enabling SSL in the Oracle Application Server Single Sign-On Administrator's Guide. If you are going to configure OracleAS Single Sign-On behind a reverse proxy server, you should refer to the information on deploying OracleAS Single Sign-On with a proxy server, in the Oracle Application Server Single Sign-On Administrator's Guide.
Note: In the previously described configuration of SSL, you must re-register the OracleAS Single Sign-On middle-tier partner application. as the OracleAS Single Sign-On middle-tier partner application is still non-SSL, you must re-register it as non-SSL. Therefore, the re-registration of mod_osso needs to specify the non-SSL URL of the OracleAS Single Sign-On middle tier for themod_osso_url parameter to ssoreg .
Refer to the information on registering mod_osso in the Oracle Application Server Single Sign-On Administrator's Guide. |
After enabling SSL on OracleAS Single Sign-On following the steps listed in the Oracle Application Server Single Sign-On Administrator's Guide, you must complete the following configuration tasks on OracleAS Portal:
Re-Registering the OracleAS Portal Partner Application
After OracleAS Single Sign-On is SSL-enabled, all OracleAS Single Sign-On partner applications need to be re-registered so that the updated SSL login URL is obtained by each partner application for subsequent authentication requests.
To re-register the OracleAS Portal partner applications, invoke ptlconfig
(on the OracleAS Portal middle tier).
For example:
ptlconfig -dad portal -site
Note: If you have multiple virtual hosts configured in OracleAS Portal, you will need to re-register each of the virtual hostnames individually using the commandptlconfig -dad portal -sso -host <portal_host> -port <port> [-ssl] , specifying the host and port, for each virtual hostname. Refer to Section A.1, "Portal Dependency Settings Tool" for more information on using ptlconfig .
|
Setting the OracleAS Single Sign-On Query Path URL
OracleAS Portal maintains the URL prefix of OracleAS Single Sign-On, which accesses certain information through HTTP calls from the database using the UTL_HTTP package. These calls must be done through HTTP rather than HTTPS. As a result, even if OracleAS Portal and OracleAS Single Sign-On are configured to use HTTPS, you must still have access to an HTTP port on OracleAS Single Sign-On to support these interfaces. The calls made across this interface are required for the following reasons:
Obtain the list of external applications to allow customization of the External Applications portlet.
Perform the mapping of OracleAS Single Sign-On user names to external application user names.
To set this URL prefix, and the OracleAS Single Sign-On Query Path URL, perform the following steps:
Log on to OracleAS Portal as the portal administrator.
Click the Administer tab.
Click the Portal tab.
Click Global Settings in the Services portlet.
Click the SSO/OID tab.
Edit the Query Path URL Prefix under the SSO Server Settings. Enter a URL for OracleAS Single Sign-On, for example:
http://infra.domain.com:7777/pls/orasso
Conditionally Updating the Oracle Delegated Administration Services URL Base Entry in Oracle Internet Directory
After enabling the infrastructure tier's Oracle HTTP Server for SSL, you were asked to re-register all partner applications, which includes mod_osso on the infrastructure tier. You have the option of accessing Oracle Delegated Administration Services over non-SSL or SSL. The base URL for Oracle Delegated Administration Services is stored in Oracle Internet Directory, and this determines the URL that other applications render when providing links to Oracle Delegated Administration Services functionality.
If you want Oracle Delegated Administration Services accessed over SSL, then the re-registration of mod_osso needs to specify an SSL URL for the mod_osso_url
parameter to ssoreg
. Refer to the information on registering mod_osso in the Oracle Application Server Single Sign-On Administrator's Guide.
If you decide that you want to access Oracle Delegated Administration Services over SSL, then the orcldasurlbase
attribute in the cn=OperationURLs, cn=DAS, cn=Products, cn=OracleContext entry needs to be updated in Oracle Internet Directory to reflect this fact. This attribute value is then used by OracleAS Portal for generating subsequent Oracle Delegated Administration Services URLs. This procedure assumes that the Oracle HTTP Server on the infrastructure tier is also listening on an HTTPS port.
For this step, you need Oracle Directory Manager (Integrated Management Tools : Oracle Directory Manager on Windows, or INFRA_ORACLE_HOME
/bin/oidadmin
on UNIX). Run the Oracle Directory Manager and log in as cn=orcladmin
.
Navigate to Entry Management, cn=OracleContext > cn=Products > cn=DAS > cn=OperationURLs.
Update the orcldasurlbase
entry to reflect the HTTPS port being used on the infrastructure tier, that is, https://
<infrahost>
:
<port>
/
.
Once the entry is updated in Oracle Internet Directory, you must force a refresh of the portal cache, which holds the relevant Oracle Internet Directory information.
Logon to OracleAS Portal as a user with administrator privileges.
Go to the Builder.
Click the Administration tab.
From the Portal tab, open Global Settings and navigate to the SSO/OID tab.
Scroll to the bottom of the page.
Check Refresh Cache for the Oracle Internet Directory parameters.
Click Apply.
The page should refresh with the appropriate value in the DAS Host Name field.
Re-Registering the Oracle HTTP Server Partner Application
Run ssoreg
to register the virtual host for which mod_osso facilitates single sign-on. The specific application URLs to be defined as partner applications within this site are defined in the file osso.conf
. ssoreg
is located in the directory MID_TIER_ORACLE_HOME
/sso/bin
.
The following example shows the usage of ssoreg
on UNIX:
MID_TIER_ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path MID_TIER_ORACLE_HOME -site_name www.abc.com -config_mod_osso TRUE -mod_osso_url http://www.abc.com:7777 -config_fileMID_TIER_ORACLE_HOME
/Apache/Apache/conf/osso/osso.conf
-admin_info cn=orcladmin
On Windows you must run the ssoreg.bat
batch file instead. Refer to the information on creating partner applications in the Oracle Application Server Single Sign-On Administrator's Guide.
At this point, configuration is complete for SSL communication to OracleAS Single Sign-On.
Once you secure the OracleAS Single Sign-On communication, the next option is to secure the communication to the front door of OracleAS Portal, which is OracleAS Web Cache. In this configuration, OracleAS Web Cache can forward the request to the Oracle HTTP Server, which is acting as the OracleAS Portal middle tier, using HTTP for better performance. Similarly, the Parallel Page Engine requests for portlet content that loopback to OracleAS Web Cache can request the content using HTTP.
Figure 6-17 shows a configuration where OracleAS Web Cache is configured to use SSL.
Figure 6-17 Secured Connection to OracleAS Web Cache
After you have successfully performed the checks described in "Checks to Perform Before Configuring SSL", you can use either of the following two methods to configure SSL to OracleAS Single Sign-On:
Configuring SSL to OracleAS Web Cache Using SSLConfigTool
Before using SSLConfigTool
, refer to the section "SSL Configuration Tool and Its Limitations".
To configure SSL for OracleAS Web Cache, perform the following tasks:
Create a Wallet. Refer to "Creating a Wallet" for details.
Run SSLConfigTool
in the middle-tier Oracle home to setup SSL for OracleAS Web Cache, as shown in the following example for Windows:
SSLConfigTool.bat -config_w_default -opwd <orcladmin_pwd>
Where:
config_w_default
is used to run the tool in silent mode using the values specified in the portlist.ini
and ias.properties
files.
opwd
is the Oracle administrator password. If no password is specified, you will be prompted to enter the password.
Enter the following values when prompted by the script:
y
, when prompted to configure your site to accept browser requests using the SSL protocol.
n
, when asked if your Oracle HTTP Server accepts requests in SSL protocol.
Register Web providers or Provider groups. See "Registering Web Providers or Provider Groups Exposed over SSL" for details.
Add the Web provider server certificate to the trusted certificate file. See "Augmenting the Portal Tools Trusted Certificate File" for details.
Enable access for Oracle Ultra Search. See "Enabling Access for Oracle Ultra Search" for details.
Re-register OracleAS Portal as an Oracle Ultra Search content source. See "Re-Registering OracleAS Portal as an Oracle Ultra Search Content Source" for details.
See Oracle Application Server Administrator's Guide for details.
Configuring SSL to OracleAS Web Cache Manually
To configure SSL to OracleAS Web Cache manually, perform the following steps:
Specifying the OracleAS Portal Published Address and Protocol
Registering Web Providers or Provider Groups Exposed over SSL
Re-Registering OracleAS Portal as an Oracle Ultra Search Content Source
The various components of OracleAS Portal use the Oracle Wallet Manager to store the certificates for the secure communication. The first step in this process is to obtain a certificate from a Certificate Authority (for example, OracleAS Certificate Authority, Verisign, GTE CyberTrust, and so on).
Obtaining a Certificate To obtain a digital certificate from the relevant signing authority, you submit a Certificate Request (CR) uniquely identifying your server to the signing authority.
Open the Oracle Wallet Manager in the middle-tier MID_TIER_ORACLE_HOME
. On UNIX, enter owm
from the command prompt. On Windows, invoke Oracle Wallet Manager from the Start menu.
Choose Wallet > New.
On UNIX, the wallet is stored in the following location by default:
/etc/ORACLE/WALLETS/<Account Name creating the Wallet>
On Windows, the wallet is stored in the following location by default:
\Documents And Settings\<Account Name creating the Wallet>\ORACLE\WALLETS
Create a password for the wallet.
Click Yes to accept the option to create a CR.
Fill out the Certificate Request dialog with details that uniquely identify your server. Table 6-18 shows some sample values for the various fields in the Certificate Request dialog.
Click OK. A dialog will inform you that the certificate request was created successfully. The Certificate node in the Wallet Navigator will change to Requested
.
Save the wallet in a convenient directory, for example:
MID_TIER_ORACLE_HOME\webcache\wallets\portalssl
Send the CR to the chosen Certificate Authority (CA).
Cutting and Pasting
Depending on the CA, you may need to cut and paste the certificate request in their Web page or export the CR to a file for subsequent uploading to the site.
Select the Certificate node in the Wallet Navigator.
Highlight the Certificate text in the Certificate Request field. Make sure to include the BEGIN/END NEW CERTIFICATE REQUEST
lines.
Copy and paste into the Certificate Request field on the CA's Web site.
To export the certificate request:
Choose Operations > Export Certificate Request.
Choose the Name and Location of the CR file. A Status Line Message will confirm the successful export of the CR.
Once exported, the CR can be uploaded to the CA's Web site.
Managing Trusted Certificates Once the CA has processed the request, the User Certificate is forwarded to you either as text within an e-mail or as a simple file that is downloaded from a given Web page.
Note: If you are using a trial Root Certificate or have chosen a CA which is not currently installed in the Oracle Wallet Manager, you must first import the CA's Trusted Certificate before importing your server-specific User Certificate. |
Importing Trusted Certificate (if necessary)
To import the trusted certificate:
Choose Operations > Import Trusted Certificate.
Based on the CA, choose Paste the Certificate or Select a file that contains the certificate.
Select the appropriate certificate file or paste in the text from the e-mail. Oracle Wallet Manager expects base-64 encoded root certificates. If you do not have a base-64 encoded root certificate, then you must perform the steps described in the "Changing Trusted Certificate Format (if necessary)" section.
Click OK.
A status line message should appear indicating that the certificate was successfully imported. When you import the server specific User Certificate, the certificate node in the tree structure should also display as Ready.
Changing Trusted Certificate Format (if necessary)
If the certificate import fails, then it is possible that the Certificate is in a format that the Oracle Wallet Manager does not support. In this case, you need to convert it to a supported format before importing. The easiest way to do this is through the certificate Import and Export Wizards within a browser. The following steps are for the Internet Explorer browser:
In Internet Explorer, select Tools > Internet Options....
Click the Content tab.
Click Certificates....
Click the Trusted Root Certification Authorities tab.
Select Import... and follow the wizard to import the certificate.
Highlight the newly imported certificate from the list.
Click Export... and follow the wizard to the Export File Format page.
Choose Base-64 encoded X.509.
Click Next and give the certificate a file name.
Click Next.
Click Finish.
In Oracle Wallet Manager, choose Operations > Import Trusted Certificate.
Once the Trusted Root Certificate has been successfully imported into the Oracle Wallet Manager you may then import the server specific User Certificate.
Importing Server's User Certificate
To import the server's user certificate:
Choose Operations > Import User Certificate.
Based on the CA, choose Paste the Certificate or Select a file that contains the certificate.
Select the appropriate certificate file or paste in the text from the e-mail.
Click OK.
A status line message should appear indicating that the User Certificate has been successfully imported.
Having imported the certificate, it is important to save the wallet with the Autologin functionality enabled. This step is required because OracleAS Web Cache accesses the wallet as the process starts and the wallet password is not held by OracleAS Web Cache. If this property is not set, OracleAS Web Cache immediately shuts down if running in SSL mode. To set this property, perform the following steps:
Choose the Trusted Certificate you just imported from the list in the Oracle Wallet Manager.
Check Wallet > AutoLogin, if it is not already checked.
Choose Wallet > Save.
Securing OracleAS Web Cache
The sections that follow describe how to configure OracleAS Web Cache to accept SSL connections.
Note: Changing OracleAS Web Cache settings (for example, Listening Port) can change the OracleAS Portal URL. If you do this, mobile settings need to be updated manually. See Section C.8, "Using the cfgiasw Script to Configure Mobile Settings" for more information. |
Configuring OracleAS Web Cache SSL Port To Configure the OracleAS Web Cache SSL port, perform the following steps:
From the OracleAS Web Cache administration page, click the Listen Ports link in the Ports section.
To add the SSL port, click Add... and enter the following information:
IP Address: ANY
Port Number: SSL port that Web Cache will listen on
Protocol: HTTPS
Require Client-Side Certificate: No (unchecked)
Wallet: Path to the Oracle Wallet directory containing the SSL server certificate
Click Submit.
For more information on the procedure in the preceding text, refer to "Task 3: Configure HTTPS Operations Ports for the Cache" in Chapter 8, "Specialized Configurations" of the Oracle Application Server Web Cache Administrator's Guide.
Defining a Site for the Published SSL Hostname and Port As there is no out-of-box default SSL configuration, you need to add a Site definition for the SSL-based Site that OracleAS Web Cache will be caching. To add a site definition, perform the following steps:
From the OracleAS Web Cache administration page, click Site Definitions under Origin Servers, Sites, and Load Balancing.
Define a Site where Host Name is the hostname seen by the browser.
This is the load balancing router or reverse proxy server name for configurations that use a load balancing router or other reverse proxy, or it is the OracleAS Web Cache hostname in a configuration where OracleAS Web Cache receives browser requests.
Set Port to the HTTPS port addressed by the browser requests.
Enter Site information as follows:
URL Path Prefix: Leave blank
HTTPS Only Prefix: Leave blank
Client-Side Certificate: Not required
URL Parameters to Ignore: Leave blank
Default Site: Yes
Create Alias from Site Name with/without www: No
Click Submit.
Remove any sites that are no longer applicable to your modified configuration, including the default, out-of-the-box non-SSL site.
For more information on the procedure in the preceding text, refer to:
The section on creating a site for HTTPS requests for the cache, in the Oracle Application Server Web Cache Administrator's Guide.
The section on creating site definitions in the Oracle Application Server Web Cache Administrator's Guide.
Adding Site Aliases Site aliases are necessary if content is cached across a number of different hostnames, or ports, or both, but which actually refer to the same logical content. For example, when the PPE makes a request for a portlet, and this portlet is requested on a non-SSL port, but the main Site is accessed over SSL, then an alias entry is needed. This equates the content accessed through the Site with SSL, to the content accessed over non-SSL. This way, invalidation requests that are sent to invalidate the content, will invalidate the content that is cached over either form of URL.
You need to create an alias for the non-SSL OracleAS Web Cache listening port for the OracleAS Web Cache SSL site. To create a site alias:
From the OracleAS Web Cache administration page, return to the Site Definitions page, select the newly added site, and click Add Alias.
Enter the same hostname as used by the site entry, and provide the non-SSL port that the PPE will use to request portlets from OracleAS Web Cache. Click Apply Changes.
Restart the server after making the necessary additions.
For example, if the logical site name is accessed using the URL https://portal.mycompany.com:4443
, and the non-SSL Listen Port for OracleAS Web Cache is 7777
, then you should select the Site with SSL Port 4443
, and add an alias for it using the non-SSL port of OracleAS Web Cache (7777
).
For more information on the procedure in the preceding text, refer to the section on creating site definitions in the Oracle Application Server Web Cache Administrator's Guide.
Adding Site to Server Mappings of the New Site to the Origin Server After adding a new site definition, you must add the site to server mapping for the newly defined site to the origin server. To do this:
From the OracleAS Web Cache Administration page, click Site-to-Server Mapping under Origin Servers, Sites, and Load Balancing.
Select the first option of the Site-to-Server Mapping table.
Click Insert Above.. to bring up the Edit/Add Site-to-Server Mapping dialog window.
Select the Site you are mapping from the drop-down list, which should be the OracleAS Web Cache site with the SSL port. For example, if your logical site name is https://portal.mycompany.com:4443
, then select the site with Host Name portal.mycompany.com
and Port 4443
.
In the Select Application Web Servers field, select the non-SSL Origin Server to which requests should be routed for content. For example, if the origin server is running on port 7778
on host portal.mycompany.com
, then select portal.mycompany.com:7778 HTTP.
Click Submit to close the dialog box and see the new mapping appear in Table 6-20, "Site-to-Server Mapping" of the original page.
Click Apply Changes.
Restart the server.
For more information on the procedure in the preceding text, refer to the section on mapping sites to origin servers in the Oracle Application Server Web Cache Administrator's Guide.
Securing the Parallel Page Engine
In this configuration, you need to configure the PPE to make portlet requests using HTTP requests. The sections that follow describe how to implement a partial SSL PPE configuration for this purpose. To configure the PPE, perform the following steps:
Open the web.xml
file associated with the OC4J_PORTAL instance on the middle tier. The file is located in the following directory:
MID_TIER_ORACLE_HOME\j2ee\OC4J_Portal\applications\portal\portal\WEB-INF\
Add useScheme
, usePort
, and httpsports
in additional <init-param>
blocks in web.xml
. The useScheme http
indicates that the HTTP protocol should be used for PPE loopbacks and usePort
indicates which port these non-SSL loopbacks should use. The HTTP port you specify for usePort
should be the OracleAS Web Cache non-SSL HTTP port. The httpsports
parameter must point to the OracleAS Web Cache HTTPS listening port. For example:
<servlet> <servlet-name>page</servlet-name> <servlet-class>oracle.webdb.page.ParallelServlet</servlet-class> <init-param> <param-name>useScheme</param-name> <param-value>http</param-value> </init-param> <init-param> <param-name>usePort</param-name> <param-value>7777</param-value> </init-param> <init-param> <param-name>httpsports</param-name> <param-value>4443</param-value> </init-param> </servlet>
(Optional) If you want the PPE to trust only specific certificates, add x509certfile
in an additional <init-param>
block in web.xml
. The value of x509certfile
is the absolute path to the text file containing the list of certificates which defines the group of "trusted" servers. For example:
<servlet> <servlet-name>page</servlet-name> <servlet-class>oracle.webdb.page.ParallelServlet</servlet-class> <init-param> <param-name>x509certfile</param-name> <param-value>C:\mySSLconfig\trustedCerts.txt</param-value> </init-param> </servlet>
Note: If you choose not to implement x509certfile, the PPE trusts any SSL certificate. |
Save the web.xml
file.
Re-Registering the Oracle HTTP Server Partner Application
Run ssoreg
to register the virtual host for which mod_osso facilitates single sign-on. The specific application URLs to be defined as partner applications within this site are defined in the file osso.conf
. ssoreg
is located on the middle tier in MID_TIER_ORACLE_HOME
/sso/bin
.
The following example shows the usage of ssoreg
on UNIX:
MID_TIER_ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path MID_TIER_ORACLE_HOME -site_name www.abc.com -config_mod_osso TRUE -mod_osso_url https://www.abc.com:4443 -config_fileMID_TIER_ORACLE_HOME
/Apache/Apache/conf/osso/osso.conf
-admin_info cn=orcladmin
On Windows you must run the ssoreg.bat
batch file instead. Refer to the information on creating partner applications in the Oracle Application Server Single Sign-On Administrator's Guide.
At this point, configuration is complete for SSL communication to OracleAS Web Cache.
Specifying the OracleAS Portal Published Address and Protocol
To specify the published address for OracleAS Portal with the modified port for SSL, you need to use Oracle Enterprise Manager as follows:
Navigate to the Oracle Enterprise Manager 10g Application Server Control Console.
Click the Standalone Instance with the Oracle Application Server that is running the OracleAS Portal middle tier.
Click the OracleAS Portal system component.
Under Administration, click Portal Web Cache Settings.
For Listen Port, enter the OracleAS Web Cache SSL port number.
For Listening Port SSL Enabled, choose Yes.
Click OK. The OracleAS Portal schema is updated with the setting and the Oracle Enterprise Manager 10g target instance is updated to use HTTPS for its URL tests.
If at a later time you choose to switch to HTTP, you would perform this same procedure and return Listening Port SSL Enabled to No.
Notes:
|
Edit httpd.conf
as follows:
Access the Application Server Control Console.
Click the link for the application server where OracleAS Portal is installed.
Click the HTTP Server link.
Click the Administration link.
Click Advanced Server Properties.
Select httpd.conf.
Scroll to the bottom of the file and enter the following LoadModule
directive:
On UNIX:
LoadModule certheaders_module libexec/mod_certheaders.so
On Windows:
LoadModule certheaders_module modules/ApacheModuleCertHeaders.dll
For more information on mod_certheaders, refer to the Oracle HTTP Server Administrator's Guide.
Add a Virtual Host definition. This must be inserted after the LoadModule
directive, as follows:
NameVirtualHost <OHS_computer_IP_address>:<OHS_listening_port> <VirtualHost <OHS_computer_IP_address>:<OHS_listening_port>> ServerName <portal_site_server_name> Port <ssl_listening_port_for_portal_site> SimulateHttps On RewriteEngine On RewriteOptions inherit </VirtualHost>
For example:
NameVirtualHost 123.45.67.8:7778 <VirtualHost 123.45.67.8:7778> ServerName w1.abc.com Port 4443 SimulateHttps On RewriteEngine On RewriteOptions inherit </VirtualHost>
Click Apply.
When asked to restart Oracle HTTP Server, click Yes.
Run the following command to synchronize the manual configuration changes:
MID_TIER_ORACLE_HOME/dcm/bin/dcmctl updateconfig
Restart your Oracle Application Server instance:
MID_TIER_ORACLE_HOME/opmn/bin/opmnctl stopall MID_TIER_ORACLE_HOME/opmn/bin/opmnctl startall
Registering Web Providers or Provider Groups Exposed over SSL
Refer to "Registering Web Providers or Provider Groups Exposed over SSL" for details.
Augmenting the Portal Tools Trusted Certificate File
Refer to "Augmenting the Portal Tools Trusted Certificate File" for details.
Enabling Access for Oracle Ultra Search
Refer to "Enabling Access for Oracle Ultra Search" for details.
Re-Registering OracleAS Portal as an Oracle Ultra Search Content Source
If you use Oracle Ultra Search to crawl your portal and you reconfigure OracleAS Web Cache to use SSL, you must re-register OracleAS Portal as a content source with Oracle Ultra Search. See Section 8.2.3.2, "Registering OracleAS Portal as a Content Source" for details.
For installations that require the utmost security, it is possible to configure SSL throughout the system. In this configuration, the loopback from the PPE to OracleAS Web Cache uses a wallet and the hop between the PPE and the Web providers uses a certificate directly rather than through a wallet.
Figure 6-18 shows a configuration where SSL is configured throughout OracleAS Portal.
Figure 6-18 Secured Connections Throughout the System
Note: If you have already followed the steps described in Section 6.3.2.1.3, "SSL to OracleAS Web Cache", you must revert all the changes you have made before configuring SSL throughout OracleAS Portal. |
After you have successfully performed the checks described in "Checks to Perform Before Configuring SSL", you can use either of the following two methods to configure SSL to OracleAS Single Sign-On:
Configuring SSL Throughout OracleAS Portal Using SSLConfigTool
Refer to the section "SSL Configuration Tool and Its Limitations" before using SSLConfigTool
.
To configure SSL throughout OracleAS Portal using the SSL configuration tool, perform the following tasks:
Create a wallet. See "Creating a Wallet" for details.
Enable SSL on the OracleAS Infrastructure that has Identity Management installed. Run SSLConfigTool
in the infrastructure Oracle home, as shown in the following example, for Windows:
SSLConfigTool.bat -config_w_default -opwd <orcladmin_pwd>
Where:
config_w_default
is used to run the tool in silent mode using the values specified in the portlist.ini
and ias.properties
files.
opwd
is the Oracle administrator password. If no password is specified, you will be prompted to enter the password.
Enter the following values when prompted by the script:
y
, when prompted to configure your site to accept browser requests using the SSL protocol.
y
, when asked if your Oracle HTTP Server accepts requests in SSL protocol.
See Also:
|
Note: In the previously described configuration of SSL, you must re-register the OracleAS Single Sign-On middle-tier partner application. Because the OracleAS Single Sign-On middle-tier partner application is still non-SSL, you must re-register it as non-SSL. Therefore, the re-registration of mod_osso needs to specify the non-SSL URL of the OracleAS Single Sign-On middle tier for themod_osso_url parameter to ssoreg .
Refer to the information on registering mod_osso in the Oracle Application Server Single Sign-On Administrator's Guide. |
Run SSLConfigTool
in the middle-tier Oracle home, or multiple middle-tier Oracle homes, as shown in the following example for Windows:
SSLConfigTool.bat -config_w_prompt -ptl_inv_pwd <ptl_inv_pwd> -opwd <orcladmin_pwd>
Where:
config_w_prompt
is passed to run SSLConfigTool
in interactive mode.
ptl_inv_pwd
is the portal invalidation password.
opwd
is the Oracle administrator password. If no password is specified, you will be prompted to enter the password.
Register Web providers or Provider groups. See "Registering Web Providers or Provider Groups Exposed over SSL" for details.
Add the Web provider server certificate to the trusted certificate file. See "Augmenting the Portal Tools Trusted Certificate File" for details.
Enable access for Oracle Ultra Search. See "Enabling Access for Oracle Ultra Search" for details.
Re-register OracleAS Portal as an Oracle Ultra Search content source. See "Re-Registering OracleAS Portal as an Oracle Ultra Search Content Source" for details.
Configuring SSL Throughout OracleAS Portal Manually
To manually configure SSL throughout OracleAS Portal, perform the following tasks:
Registering Web Providers or Provider Groups Exposed over SSL
Re-Registering OracleAS Portal as an Oracle Ultra Search Content Source
Creating a Wallet
It is possible to share a single wallet across both the listener and origin server (and all other available ports in OracleAS Web Cache) if OracleAS Web Cache and the Oracle HTTP Server are on the same computer. Conversely, specific wallets may be created for each port. In this case the two servers and ports will be sharing the same wallet specified earlier.
In some cases, such as when the Oracle HTTP Server is on a different computer than OracleAS Web Cache, you need to create a separate wallet for the Oracle HTTP Server. For this situation, refer to the steps in "Creating a Wallet" to create the wallet for the Oracle HTTP Server.
In the default case, where the Oracle HTTP Server is on the same computer as OracleAS Web Cache, you can share the wallet between the two.
Enabling OracleAS Single Sign-On for SSL
For the complete steps for enabling the single sign-on server for SSL, see Oracle Application Server Single Sign-On Administrator's Guide.
Securing the Oracle HTTP Server
You need to configure the Oracle HTTP Server as the OracleAS Web Cache's origin server to accept HTTPS-based communication. The Oracle HTTP Server implements SSL by the use of mod_ssl. As such, the configuration to use HTTPS is fairly straightforward.
The SSL configuration of the Oracle HTTP Server is defined within ssl.conf
. This file may be edited directly or by using the Advanced Server Properties page under the Oracle HTTP Server node of the appropriate Oracle Application Server instance within the Oracle Enterprise Manager Administration pages. If you edit the files manually, it is recommended that you run the dcmctl
utility with the following options to make sure that the file is synchronized with the Distributed Configuration Management (DCM) repository:
MID_TIER_ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs
Open ssl.conf
in MID_TIER_ORACLE_HOME
/Apache/Apache/conf
.
Search for the following directives and change the values accordingly:
In ssl.conf
in MID_TIER_ORACLE_HOME
/Apache/Apache/conf
, verify that the default virtual host for SSL communication specifies the correct, preallocated port number for SSL. When creating the corresponding Web Cache site to server mappings, you should take note of the following properties in the ssl.conf
file, for example:
Listen 4445
Port 4444
Note: When setting up OracleAS Portal to communicate through HTTPS, it is common to configure both the middle and infrastructure tiers to operate in this mode. You must leave an HTTP port open on the infrastructure tier for OracleAS Portal to communicate with OracleAS Single Sign-On for External Application information. This call is made directly from the repository using the UTL_HTTP package. |
Ensure that the start mode of the Oracle HTTP Server is set to ssl-enabled
in MID_TIER_ORACLE_HOME
/opmn/conf/opmn.xml
. For example:
<ias-component id="HTTP_Server"> <process-type id="HTTP_Server" module-id="OHS"> <module-data> <category id="start-parameters"> <data id="start-mode" value="ssl-enabled"/> </category> </module-data> <process-set id="HTTP_Server" numprocs="1"/> </process-type> </ias-component>
Securing OracleAS Web Cache
The sections that follow describe how to configure OracleAS Web Cache to accept SSL connections and forward SSL requests to the SSL-enabled origin server.
Note: Changing OracleAS Web Cache settings (for example, Listening Port) can change the OracleAS Portal URL. If you do this, mobile settings need to be updated manually. See Section C.8, "Using the cfgiasw Script to Configure Mobile Settings" for more information. |
Configuring the OracleAS Web Cache SSL Port To configure the OracleAS Web Cache SSL port, perform the following steps:
From the OracleAS Web Cache Administration page, click the Listen Ports link in the Ports section.
To add the SSL port, click Add... and enter the following information:
IP Address: ANY
Port Number: SSL port that Web Cache is listening on. This property maps to the port setting (Port number 4444
, as in the earlier example) in the HTTP server's ssl.conf
file.
Protocol: HTTPS
Require Client-Side Certificate: No (unchecked)
Wallet: Path to the directory where the SSL server certificate is stored
Click Submit.
For more information on the procedure in the preceding text, refer to the section on configuring HTTPS operations ports for the cache, in the Oracle Application Server Web Cache Administrator's Guide.
Adding the SSL Origin Server To add the SSL origin server:
From the OracleAS Web Cache administration page, click Origin Servers under Origin Servers, Sites, and Load Balancing.
Click Add... to add the SSL Origin Server.
Enter the information as follows:
Host Name: Physical hostname of the computer in which Oracle HTTP Server is running
Port: Oracle HTTP Server's SSL listen port. This maps to the Listen Parameter (Port number 4445
, as in the earlier example) in the ssl.conf
file.
Routing: Enable
Capacity: 100
Failover Threshold: 5
Ping URL: /
Ping Interval: 10
Protocol: HTTPS
Click Submit.
For more information on the procedure in the preceding text, refer to the section on configuring Origin Server, Load Balancing, and Failover Settings, in the Oracle Application Server Web Cache Administrator's Guide.
Defining a Site for the Published SSL Host Name and Port As there is no out-of-box default SSL configuration, you need to add a site definition for the SSL-based Site that OracleAS Web Cache will be caching. To define a site, perform the following steps:
From the OracleAS Web Cache Administration page, click Site Definitions under Origin Servers, Sites, and Load Balancing.
Define a site where Host Name is the hostname seen by the browser, which would be the OracleAS Web Cache hostname.
Set Port to the HTTPS port addressed by the browser requests, which would be the OracleAS Web Cache SSL listen port (Port number 4444
, as in the earlier example).
Enter site information as follows:
HTTPS Only Prefix: Leave blank
Client-Side Certificate: Not required
Default Site: Yes
Create Alias from Site Name with/without www: No
URL Path Prefix: Leave blank
URL Parameters to Ignore: Leave blank
Click Submit.
Remove any sites that are no longer applicable to your modified configuration.
For more information on the procedure in the preceding text, refer to:
The section on creating a site for HTTPS requests for the cache, in the Oracle Application Server Web Cache Administrator's Guide.
The section on creating site definitions, in the Oracle Application Server Web Cache Administrator's Guide.
Adding Site to Server Mappings of the New Site to the Origin Server After adding a new site definition, you must add the site to server mapping for the newly defined site to the origin server. To do this:
From the OracleAS Web Cache Administration page, click Site-to-Server Mapping under Origin Servers, Sites, and Load Balancing.
Select the first option of the Site-to-Server Mapping table.
Click Insert Above.. to bring up the Edit/Add Site-to-Server Mapping dialog window.
Select the Site you are mapping from the drop-down list, which should be the OracleAS Web Cache site with the SSL port.
Check the Origin Server that you added in the previous step, entitled "Adding the SSL Origin Server", to which requests should be routed for content.
Click Submit to close the dialog box and see the new mapping, as shown in Table 6-20 of the original page.
For more information on the procedure in the preceding text, refer to the section on mapping sites to origin servers, in the Oracle Application Server Web Cache Administrator's Guide
Adding Wallet Path for the Origin Server Wallet You must enter the wallet path in the Origin Server Wallet page, by performing the following steps:
From the OracleAS Web Cache Administration page, click Origin Server Wallet under Origin Servers, Sites, and Load Balancing.
Select the option for the Cache Name to change its wallet path.
Click Edit Selected to display the Edit Origin Server Wallet dialog window.
Enter a valid Wallet Directory. For example, use the wallet directory path specified on the Listen Ports page.
Click Submit to close the dialog window. The new wallet directory path is displayed in the table on the Origin Server Wallet page.
Note: After you have performed all the steps to secure OracleAS Web Cache, you must restart the OracleAS Web Cache server using the OracleAS Web Cache Manager for the changes to take effect. |
Securing the Parallel Page Engine
In this configuration, SSL is used throughout as the request comes to OracleAS Web Cache through HTTPS and the PPE loops back over HTTPS as well. The server specifies the chain that goes with its certificate. As long as the chain is valid and leads to a self-signed root certificate, it is validated without determining whether it is trusted, assuming that you have not loaded any trust points into it.
To implement this configuration, perform the following steps on the OracleAS Portal middle tier:
Open the ssl.conf
file, located in the following directory:
MID_TIER_ORACLE_HOME/Apache/Apache/conf/
Add SSLWallet
. For example:
SSLWallet file:/usr/local/adeviews/webdb/webdb_3000_ias902PW/Apache/Apache/conf/ssl.wlt/default
See Also: For more information aboutSSLWallet , and httpd.conf , see the Oracle HTTP Server Administrator's Guide.
|
Open the web.xml
file associated with the OC4J_Portal instance on the middle tier.
MID_TIER_ORACLE_HOME\j2ee\OC4J_Portal\applications\portal\portal\
WEB-INF\web.xml
Add httpsports
in an additional <init-param>
block in web.xml
. This should point to the OracleAS Web Cache HTTPS listening port. For example:
<servlet> <servlet-name>page</servlet-name> <servlet-class>oracle.webdb.page.ParallelServlet</servlet-class> <init-param> <param-name>httpsports</param-name> <param-value>4443</param-value> </init-param> </servlet>
Note: If your currentweb.xml file contains the useScheme and usePort directives, you need to remove them. The configuration with SSL throughout should only use the httpsports directive.
|
(Optional) If you want the PPE to trust only specific certificates, add x509certfile
in an additional <init-param>
block in web.xml
. The value of x509certfile
is the absolute path to the text file containing the list of certificates which defines the group of "trusted" servers. For example:
<servlet> <servlet-name>page</servlet-name> <servlet-class>oracle.webdb.page.ParallelServlet</servlet-class> <init-param> <param-name>x509certfile</param-name> <param-value>C:\mySSLconfig\trustedCerts.txt</param-value> </init-param> </servlet>
Note: If you choose not to implementx509certfile , the PPE trusts any SSL certificate.
|
Specifying OracleAS Portal Published Address and Protocol
To specify the published address for OracleAS Portal with the modified port for SSL, you need to use Oracle Enterprise Manager as follows:
Navigate to the Oracle Enterprise Manager 10g Application Server Control Console.
Click the Standalone Instance with the Oracle Application Server that is running the OracleAS Portal middle tier.
Click the OracleAS Portal system component.
Under Administration, click Portal Web Cache Settings.
For Listen Port, enter the OracleAS Web Cache SSL port number.
For Listening Port SSL Enabled, choose Yes.
Click OK. The OracleAS Portal schema is updated with the setting and the Oracle Enterprise Manager 10g target instance is updated to use HTTPS for its URL tests.
If at a later time you choose to switch to HTTP, you would perform this same procedure and return Listening Port SSL Enabled to No.
Note: This procedure updates the settings in theiasconfig.xml file.
|
See Also: See Appendix A, "Using the Portal Dependency Settings Tool and File" for more information aboutiasconfig.xml .
|
Re-Registering the Oracle HTTP Server Partner Application
Run ssoreg
to register the virtual host for which mod_osso facilitates single sign-on. The specific application URLs to be defined as partner applications within this site are defined in the file osso.conf
. ssoreg
is located on the middle tier in MID_TIER_ORACLE_HOME
/sso/bin
.
The following example shows the usage of ssoreg
on UNIX:
MID_TIER_ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path MID_TIER_ORACLE_HOME -site_name www.abc.com -config_mod_osso TRUE -mod_osso_url https://www.abc.com:4443 -config_fileMID_TIER_ORACLE_HOME
/Apache/Apache/conf/osso/osso.conf
-admin_info cn=orcladmin
On Windows you must run the ssoreg.bat
batch file instead. Refer to the information on creating partner applications in the Oracle Application Server Single Sign-On Administrator's Guide.
Setting the OracleAS Single Sign-On Query Path URL
OracleAS Portal maintains the URL prefix of OracleAS Single Sign-On, which accesses certain information through HTTP calls from the database using the UTL_HTTP package. These calls must be done through HTTP rather than HTTPS. As a result, even if OracleAS Portal and OracleAS Single Sign-On are configured to use HTTPS, you must still have access to an HTTP port on OracleAS Single Sign-On to support these interfaces.
To set this URL prefix, and the OracleAS Single Sign-On Query Path URL, refer to Step 4 in Section 6.3.2.1.2, "SSL to OracleAS Single Sign-On", for the steps to be performed.
Associating the Federated Portal Adapter with SSL
The Federated Portal Adapter uses the Oracle HTTP Server rewrite rules to simplify URLs for registering providers. By default, these rewrite rules are only specified for HTTP communication. To set up the Federated Portal Adapter with SSL, perform the following steps:
Edit the virtual hosts section of your ssl.conf
file, located in the MID_TIER_ORACLE_HOME
/Apache/Apache/conf
directory, as follows:
## SSL Virtual Host Context ## # # NOTE: this value should match the SSL Listen directive set previously in this # file otherwise your virtual host will not respond to SSL requests. # <VirtualHost _default_:3011> # General setup for the virtual host DocumentRoot /u01/app/oracle/product/as10g/Apache/Apache/htdocs ServerName host1.abc.com ServerAdmin you@your.address ErrorLog /u01/app/oracle/product/as10g/Apache/Apache/logs/error_log TransferLog "/u01/app/oracle/product/as10g/Apache/Apache/logs/access_log" Port 3001 SSLEngine on SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_RC4_40_MD5:S SL_RSA_EXPORT_WITH_DES40_CBC_SHA SSLWallet file:/u01/app/oracle/product/as10g/Apache/Apache/conf/ssl.wlt/default <Files ~ "\.(cgi|shtml)$"> SSLOptions +StdEnvVars </Files> <Directory /u01/app/oracle/product/as10g/Apache/Apache/cgi-bin> SSLOptions +StdEnvVars </Directory> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown CustomLog /u01/app/oracle/product/as10g/Apache/Apache/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" RewriteEngine on RewriteOptions inherit </VirtualHost>
Run the following command to synchronize the manual configuration changes:
MID_TIER_ORACLE_HOME/dcm/bin/dcmctl updateconfig
Restart your Oracle Application Server instance:
MID_TIER_ORACLE_HOME/opmn/bin/opmnctl stopall MID_TIER_ORACLE_HOME/opmn/bin/opmnctl startall
Registering Web Providers or Provider Groups Exposed over SSL
To register a Web provider, which is exposed over SSL, you must have a copy of the root certificate of the certificate authority used by the Web provider. If the Web provider is using an unknown or uncommon certificate authority, you need to add the appropriate root certificate (using Base-64 encoded X.509 format) to the set of trusted certificates recognized by the Oracle Database hosting the OracleAS Metadata Repository containing the OracleAS Portal schema. To register Web providers or provider groups, perform the following steps:
Change directory to ORACLE_HOME
/javavm/lib/security/
on the Oracle home containing the Oracle Database hosting the OracleAS Metadata Repository containing the OracleAS Portal schema.
Create a backup of the truststore file cacerts
, for example, cacerts.bak
.
Execute the following command to add the required certificate to the trust store:
$ORACLE_HOME/jdk/bin/keytool -import -alias <aliasName> -file <root_certificate_file_name> -trustcacerts -v -keystore $ORACLE_HOME/javavm/lib/security/cacerts
Provide the trust store password, and type Yes, when prompted for confirmation.
Note: If your portal schema is located in an OracleAS Metadata Repository Creation Assistant database and if the release of that Oracle Database is earlier than 10g (10.1.0.x), these steps do not need to be performed. |
Augmenting the Portal Tools Trusted Certificate File
If you use the Web Page data source of OmniPortlet provider, you are doing a loopback to the Web Clipping provider, and so need to add the web provider server certificate to the trusted certificate file pointed to by the <trustedCertificateLocation>
tag in OmniPortlet provider.xml
file. The default certificate file is the ca-bundle.crt
file, located in the MID_TIER_ORACLE_HOME
/portal/conf
directory.
To do this, perform the steps shown subsequently, which are based on the Internet Explorer browser. The steps may differ slightly if you are using another browser for capturing and exporting the necessary certificate.
Capture the necessary certificate: Point your browser to the Web Clipping provider test page: http://<host>:<port>/portalTools/webClipping/providers/webClipping
.
You should see a Security Alert dialog box that shows "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority." or something similar. Click View Certificate, and then go through the following steps to export the certificate into a temporary file:
Select the Details tab.
Select Show: <All> in the drop-down list, and click Copy to File....Run the Export wizard to export the certificate in Base-64 encoded X.509 format into a temporary file MID_TIER_ORACLE_HOME
/portal/conf/providertemp.cer
.
Append the certificate in the temporary file to the certificate file used by OmniPortlet provider (default is MID_TIER_ORACLE_HOME
/portal/conf/ca-bundle.crt
).
Enabling Access for Oracle Ultra Search
For Oracle Ultra Search to access secure Web sites, you need to import certificates into the crawler's trust store and the Oracle Application Server Containers for J2EE (OC4J) JVM's trust store.
By default, the OC4J JVM recognizes certificates of well-known certificate authorities. However, if the secure portal instance uses a self-signed certificate or a certificate signed by an unknown certificate authority, then you must import the portal's certificate into the OC4J JVM's truststore. The OC4J JVM default truststore is located at ORACLE_HOME
/jdk/jre/lib/security/cacerts
.
To add the required certificate to the trust store, perform the following steps:
Change directory to ORACLE_HOME
/jdk/jre/lib/security/
on the middle tier.
Create a backup of the truststore file cacerts
, for example, cacerts.bak
.
Execute the following command to add the required certificate to the trust store:
$ORACLE_HOME/jdk/bin/keytool -import -alias <aliasName> -file <root_certificate_file_name> -trustcacerts -v -keystore $ORACLE_HOME/jdk/jre/lib/security/cacerts
Provide the trust store password, and type "Yes", when prompted for confirmation.
Note: The preceding steps also need to be performed on the OracleAS Infrastructure containing the Oracle Ultra Search crawler. |
Re-Registering OracleAS Portal as an Oracle Ultra Search Content Source
If you use Oracle Ultra Search to crawl your portal and you reconfigure SSL throughout OracleAS Portal, you must re-register OracleAS Portal as a content source with Oracle Ultra Search. See Section 8.2.3.2, "Registering OracleAS Portal as a Content Source" for details.
The previous configurations discuss how to configure OracleAS Portal in such a way that communications within Oracle Application Server are secured through SSL. In some cases, you may want to have OracleAS Portal set up such that the site is externally accessible through SSL URLs but the Oracle Application Server is internally running in non-SSL mode. Note that in this latter scenario, you need to have the SSL to non-SSL translation done either by a load balancing router (LBR) or an SSL accelerator. The section that follows outlines the steps you would use with an accelerator on an LBR or a reverse proxy server performing the SSL translation.
With this option, the SSL features of the OracleAS Security Framework are not used, but, instead, an external component is used for providing the SSL connection point. These external accelerators may be coupled with LBRs or reverse proxy servers. Oracle Application Server enables you to configure these external devices to provide SSL, thus allowing Oracle Application Server to use HTTP internally for the best performance.
Figure 6-19 shows a configuration where OracleAS Portal is externally accessible through SSL.
Note: In a typical configuration,w1.abc.com and m1.abc.com would reside on the same computer, but for illustration purposes, they are separated here.
|
For the purposes of this procedure, assume the following:
In this example, SSL acceleration is performed by the LBR, which also proxies page requests between the HTTP and HTTPS protocols and their ports. The location of the SSL end point will determine the target for the loopback requests. For example, if an SSL-enabled reverse proxy server front-ends a single protocol LBR, loopback requests will be sent to the LBR, while the published site is exposed by the reverse proxy server.
Your load balancing router is running on lbr.abc.com
and the LBR port used for accessing the site is 443
.
OracleAS Web Cache is on computer w1.abc.com
and the listening port is 7777
, the administration port is 4000
, and the invalidation port is 4001
.
The Oracle HTTP Server is running on computer m1.abc.com
and the port is 7778
.
The port numbers used are example values only.
See Also: For more information, refer to: |
After you have successfully performed the checks described in "Checks to Perform Before Configuring SSL", you can use either of the following two methods to configure SSL to OracleAS Single Sign-On:
Configuring External SSL Using SSLConfigTool
Refer to the section "SSL Configuration Tool and Its Limitations" before using SSLConfigTool
.
To configure external SSL with non-SSL within Oracle Application Server using the SSL configuration tool, you must perform the following tasks:
Run SSLConfigTool
Run SSLConfigTool
in the middle-tier home, or multiple middle-tier Oracle homes, as shown here for Windows:
SSLConfigTool.bat -config_w_file <input_file_name> -ptl_inv_pwd <ptl_inv_pwd> -opwd <orcladmin_pwd>
Where:
config_w_file
is used to run the tool in silent mode using the values specified in the <input_file_name>
file. See Oracle Application Server Administrator's Guide for details.
ptl_inv_pwd
is the portal invalidation password.
opwd
is the Oracle administrator password. If no password is specified, you will be prompted to enter the password.
For example:
SSLConfigTool.bat -config_w_file portal.config -ptl_inv_pwd invalidator -opwd administrator
The contents of the portal.config
file for this example would include something similar to Example 6-1:
Example 6-1 Example Configuration File
<SSLConfig> <mid_tier> <virtual_address ssl="on" host="lbr.abc.com" port="443" inv_port="4001" ssl_terminate="lbr"/> <lbr loopback_port="80"/> <wc/> <ohs> <servers> <server host="machine_6.us.oracle.com" port="7778" /> </servers> </ohs> </mid_tier> </SSLConfig>
Configure Seeded Providers and Provider Groups
To enable communication between OmniPortlet and Web Page Data Source using HTTP, configure OmniPortlet as follows:
Open the web.xml
file located in the directory, MID_TIER_ORACLE_HOME
/j2ee/OC4J_Portal/applications/portalTools/omniPortlet/WEB-INF
.
Add the following context parameters to ensure that HTTP is used and not HTTPS that is used by the site:
<context-param> <param-name>useScheme<param-name> <param-value>HTTP</param-value> </context-param> <context-param> <param-name>usePort</param-name> <param-value>7777</param-value> </context-param>
Save the web.xml
file.
Run the following command to synchronize the manual configuration changes:
MID_TIER_ORACLE_HOME
/dcm/bin/dcmctl updateconfig
Restart OC4J_Portal.
Update the default JPDK instance URL port and protocol, by performing the following steps:
Log in to OracleAS Portal as the administrator (for example, PORTAL
).
Click the Administer tab.
Click the Portal tab.
Click Global Settings in the Services portlet.
Click the Configuration tab.
For the Default JPDK Instance setting, change the protocol and port in the URL from https://lbr.abc.com:443/
to http://lbr.abc.com:7777/
.
Update the seeded providers registration to use HTTP instead of HTTPS, by performing the following steps:
Log in to OracleAS Portal as the administrator (for example, PORTAL
).
Click the Administer tab.
Click the Portlets subtab.
In the Remote Providers portlet, enter WEBCLIPPING
in the Name field.
Click Edit.
Click the Connection tab.
In the URL field, change the URL from:
https://lbr.abc.com:443/portalTools/webClipping/providers/webClipping
to:
http://lbr.abc.com:7777/portalTools/webClipping/providers/webClipping
Click OK to commit the change.
Update the seeded provider group registration to use HTTP instead of HTTPS, by performing the following steps:
Log in to OracleAS Portal as the administrator (for example, PORTAL
).
Click the Administer tab.
Click the Portlets subtab.
In the Remote Provider Group portlet, enter oracle.ias.providers
in the Name field.
Click Edit.
Click the Connection tab.
In the URL field, change the protocol and port in the URL from https://lbr.abc.com:443/
to http://lbr.abc.com:7777/
.
Click OK to commit the change.
Repeat steps d through g but with the following exception:
In Step d, enter oracle.sample.providers
instead of oracle.ias.providers
.
When you register locally hosted Web providers or provider groups (such as the JPDK Sample provider), you need to register them using HTTP as the protocol, lbr.abc.com
as the hostname, and 7777
as the port number. This restriction only applies to locally hosted Web providers or provider groups (that is, Web providers or provider groups running on the same middle tier as OracleAS Portal).
For example, to register the JPDK Sample provider, the URL is:
http://lbr.abc.com:7777/jpdk/providers/sample
Note: If your infrastructure is located on a separate computer than your OracleAS Portal middle tier, you need to add the following to your/etc/host file:
where |
Configuring External SSL Manually
To manually configure external SSL with non-SSL within Oracle Application Server, you must perform the following tasks:
Configuring Seeded Providers (Web Clipping and OmniPortlet) and Locally Hosted Web Providers
Re-Registering OracleAS Portal as an Oracle Ultra Search Content Source
Configuring the Oracle Application Server Middle Tier
You need to configure the Oracle Application Server middle tier to allow the underlying components to construct URLs based on the load balancing router's hostname, lbr.abc.com
, and port (443
). To do this:
Edit httpd.conf
as follows:
Access the Application Server Control Console.
Click the link for the application server where OracleAS Portal is installed.
Click the HTTP Server link.
Click the Administration link.
Click Advanced Server Properties.
Select httpd.conf.
Scroll to the bottom of the file and enter the following LoadModule
directive:
On UNIX:
LoadModule certheaders_module libexec/mod_certheaders.so
On Windows:
LoadModule certheaders_module modules/ApacheModuleCertHeaders.dll
For more information on mod_certheaders, refer to the Oracle HTTP Server Administrator's Guide.
Add a Virtual Host definition. This must be inserted after the LoadModule
directive, as follows:
NameVirtualHost <OHS_computer_IP_address>:<OHS_listening_port> <VirtualHost <OHS_computer_IP_address>:<OHS_listening_port>> ServerName <portal_site_server_name> Port <ssl_listening_port_for_portal_site> SimulateHttps On RewriteEngine On RewriteOptions inherit </VirtualHost>
For example:
NameVirtualHost 123.45.67.8:7778 <VirtualHost 123.45.67.8:7778> ServerName lbr.abc.com Port 443 SimulateHttps On RewriteEngine On RewriteOptions inherit </VirtualHost>
Define a second virtual host for internal use by Application Server Control Console. For example:
<VirtualHost 123.45.67.8:7778> ServerName m1.abc.com Port 7777 RewriteEngine On RewriteOptions inherit </VirtualHost>
Click Apply.
When asked to restart Oracle HTTP Server, click Yes.
Configure the Parallel Page Engine. To do this, perform the following steps:
Open the web.xml
file, located in the directory MID_TIER_ORACLE_HOME
/j2ee/OC4J_Portal/applications/portal/portal/WEB-INF
.
Make the following changes to the Page servlet section to attempt loopbacks using a different protocol and port than what is used by the site:
<servlet> <servlet-name>page</servlet-name> <servlet-class>oracle.webdb.page.ParallelServlet</servlet-class> <init-param> <param-name>useScheme</param-name> <param-value>http</param-value> </init-param> <init-param> <param-name>usePort</param-name> <param-value>7777</param-value> </init-param> <init-param> <param-name>httpsports</param-name> <param-value>443</param-value> </init-param> </servlet>
Save the web.xml
file.
Run the following command to synchronize the manual configuration changes:
MID_TIER_ORACLE_HOME/dcm/bin/dcmctl updateconfig
Run the following commands to restart your Oracle Application Server instance:
MID_TIER_ORACLE_HOME/opmn/bin/opmnctl stopall MID_TIER_ORACLE_HOME/opmn/bin/opmnctl startall
Ensure that DNS resolves lbr.abc.com
to the LBR's IP address.
Register new URLs with OracleAS Portal using the LBR's hostname and port. To do this, edit iasconfig.xml
(located by default in ORACLE_HOME
/portal/conf
) and specify a new Farm element that points to the LBR. A typical Farm element in iasconfig.xml
looks like the bold text in Example 6-2:
Example 6-2 WebCacheDependency Entry in iasconfig.xml
<IASConfig XSDVersion="1.0"> <IASFarm Name="Farm-1.lbr.abc.com" Host="lbr.abc.com"> <WebCacheComponent ListenPort="443" InvalidationPort="4001" InvalidationUsername="invalidator" InvalidationPassword="welcome1" SSLEnabled="true"/> </IASFarm> <IASInstance Name="iAS.infra.abc.com" Host="infra.abc.com"> <OIDComponent AdminPassword="@BVs2KPJEWC5a0l4n8lbTxUY=" PortSSLEnabled="true" LDAPPort="3060" AdminDN="cn=orcladmin"/> </IASInstance> <IASInstance Name="iAS.w1.abc.com" Host="infra.abc.com"> <EMComponent ConsoleHTTPPort="1814" SSLEnabled="false"/> </IASInstance> <PortalInstance DADLocation="/pls/portal" SchemaUsername="portal" SchemaPassword="@Beyh8p2bOWELQCsA5zRtuYc=" ConnectString="cn=iasdb,cn=oraclecontext"> <WebCacheDependency ContainerType="IASFarm" Name="Farm-1.lbr.abc.com"/> <OIDDependency ContainerType="IASInstance" Name="iAS.infra.abc.com"/> <EMDependency ContainerType="IASInstance" Name="iAS.w1.abc.com"/> </PortalInstance> </IASConfig>
Run ptlconfig
(typically located in the directory MID_TIER_ORACLE_HOME
/portal/conf
) as shown in the following example:
ptlconfig -dad <portal name> -site -wc
To prevent access to Oracle Enterprise Manager from the outside, the Oracle Enterprise Manager link provided by OracleAS Portal needs to be changed back to point to the internal server. To do this, run ptlconfig
(typically located in the directory MID_TIER_ORACLE_HOME/portal/conf
) as shown in the following example:
ptlconfig -dad portal -em
From the OracleAS Web Cache administration page, click Site Definitions under Origin Servers, Sites, and Load Balancing.
Click Add Site.
Enter site information as follows:
Host Name: The published hostname and fully qualified domain of the external SSL accelerator device or reverse proxy server.
Port Number: The SSL port number, for example, 443
for the default SSL port.
HTTPS Only Prefix: Leave blank.
Client-Side Certificate: Not required.
Default Site: Yes.
Create Alias from Site Name with/without www: No.
Refer to the Oracle Application Server Web Cache Administrator's Guide for detailed instructions on the configuration mentioned earlier.
Set up an alias for OracleAS Web Cache. In the configuration where the Parallel Page Engine loops back to OracleAS Web Cache and OracleAS Web Cache is listening on a different port than the load balancing router, loopback content gets cached with a URL key of lbr.abc.com:7777
, whereas OracleAS Portal sends invalidation requests to invalidate URLs with the format lbr.abc.com:443
. To get around this inconsistency, you need to set up an alias in OracleAS Web Cache to let it know that lbr.abc.com:7777
and lbr.abc.com:443
are the same, invalidation requests for one should invalidate requests for the other as well, and the cached content should also be leveraged based on this alias.
Go to the Oracle Application Server Web Cache administration page and log in as the administrator.
Click Site Definitions.
Select the radio button in the Select column that corresponds to the site for which the alias will be added, in this case lbr.abc.com
.
Click Add Alias.
On the window that comes up, enter lbr.abc.com
as the Host Name and 7777
as the port where 7777
is the value for usePort
in the web.xml
configuration file for the Parallel Page Engine.
Click Submit.
If the default HTTPS port 443
is chosen for a site configured with external SSL configuration, as in the preceding example, an additional alias needs to be defined in OracleAS Web Cache for the site lbr.abc.com:443
, which should be lbr.abc.com:80
. Follow the instructions for creating the alias as mentioned in Step 10 and replace port 7777
with 80
.
An alias for port 80
is needed because the "Host" header sent by the browser will be lbr.abc.com
(without a port number appended to it). Because OracleAS Web Cache is listening on the HTTP port, it will assume that the port number is 80
and use this to determine the site-to-server mapping. It also uses this for cache key creation.
After adding a new site definition, you must add the site to server mapping for the newly defined site to the origin server. To do this:
In the navigation frame, select Site-to-Server Mapping under Origin Servers, Sites, and Load Balancing.
In the Site-to-Server Mapping page, select the first mapping in the table and click Insert Above.
In the Edit/Add Site-to-Server Mapping page, select the Select from Site definitions option and then select a site definition created in the previous step (lbr.abc.com
).
In the Select Application Web Servers section, select the application server (m1.abc.com
) specified in the Origin Servers page.
Click Submit.
Click Apply Changes on the top of the page.
In the Cache Operations page, click Restart to restart Web Cache.
To verify that the site has been mapped correctly, navigate to the Site-to-Server Mapping page, and ensure that m1.abc.com
is mapped to the site lbr.abc.com
.
For more information on the procedure in the preceding text, refer to the section on mapping sites to origin servers, in the Oracle Application Server Web Cache Administrator's Guide.
Configure your load balancing router, lbr.abc.com
, to:
Accept requests on HTTPS port 443
and forward them to the OracleAS Web Cache port 7777
running on computer w1.abc.com
, while converting HTTPS requests to HTTP.
Accept requests on HTTP port 7777
and forward them to the OracleAS Web Cache port 7777
running on computer w1.abc.com
. This enables the loopback requests. The LBR's port 7777
should only be accessible from the middle tier. Your firewall may need to be configured separately to make this work. To test this, run the following command on the middle-tier server:
telnet lbr.abc.com 7777
You should not see any connection failure message when you run the telnet
command.
Accept requests on HTTP port 4001
for the invalidation requests and forward them to the OracleAS Web Cache invalidation port 4001
. You must be able to connect to the LBR's port for invalidation requests from the OracleAS Metadata Repository. Your firewall may need to be configured separately to make this work. To test this, run the following command on the OracleAS Metadata Repository server:
telnet lbr.abc.com 4001
You should not see any connection failure message when you run the telnet
command.
Facilitate communication from the middle tier to OracleAS Web Cache through the LBR. NAT-related configuration may be required for this. Refer to Section 5.3, "Configuring Multiple Middle Tiers with a Load Balancing Router" for more information on configuring NAT.
Note: Refer to Section 5.3.6, "Step 6: Configure Portal Tools and Web Providers (Optional)" for information on how this configuration might affect your Web providers. |
Facilitate communication from the OracleAS Metadata Repository to OracleAS Web Cache for the invalidation requests through the LBR. NAT-related configuration may be required for this.
Optionally, re-register the Wireless gateway URL with the load-balancer's address. See Section 5.10, "Configuring OracleAS Wireless" for more information.
To enable monitoring of the load balancing router's front-end host and port settings for OracleAS Portal, you must edit targets.xml
(located in MID_TIER_ORACLE_HOME
/sysman/emd
/) on M1, as follows:
Open targets.xml
on M1, using a text editor.
Search for OracleAS Portal targets, that is, TYPE="oracle_portal"
.
Edit the PortalListeningHostPort
property, to point to the LBR. For example:
<Property NAME="PortalListeningHostPort" VALUE=https://lbr.abc.com:443/>
Save the changes to targets.xml
.
Reload the targets in the Application Server Control Console:
On Solaris/Linux:
MID_TIER_ORACLE_HOME
/bin/emctl reload
On Windows:
MID_TIER_ORACLE_HOME
\bin\emctl reload
Configuring Seeded Providers (Web Clipping and OmniPortlet) and Locally Hosted Web Providers
Refer to the "Configure Seeded Providers and Provider Groups" subsection, in Section 6.3.2.1.5, "External SSL with Non-SSL Within Oracle Application Server" for the manual steps to be performed.
Re-Registering the Oracle HTTP Server Partner Application
Run ssoreg
to register the virtual host for which mod_osso facilitates single sign-on. The specific application URLs to be defined as partner applications within this site are defined in the file osso.conf
. ssoreg
is located on the middle tier in MID_TIER_ORACLE_HOME
/sso/bin
.
The following example shows the usage of ssoreg
on UNIX:
MID_TIER_ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path MID_TIER_ORACLE_HOME -site_name lbr.abc.com -config_mod_osso TRUE -mod_osso_url https://lbr.abc.com -config_fileMID_TIER_ORACLE_HOME
/Apache/Apache/conf/osso/osso.conf
-admin_info cn=orcladmin -virtualhost
On Windows you must run the ssoreg.bat
batch file instead. Refer to the information on creating partner applications in the Oracle Application Server Single Sign-On Administrator's Guide.
Re-Registering OracleAS Portal as an Oracle Ultra Search Content Source
If you use Oracle Ultra Search to crawl your portal and you reconfigure external SSL with non-SSL within Oracle Application Server, you must re-register OracleAS Portal as a content source with Oracle Ultra Search. See Section 8.2.3.2, "Registering OracleAS Portal as a Content Source" for details.
In Section 6.3.2.1, "Configuring SSL for OracleAS Portal", we were mainly concerned with the HTTP-based network hops. However, you can also secure the network connection to the Oracle Internet Directory itself, which is LDAP-based communication. In this case the Oracle Internet Directory should be configured to use LDAP over SSL (LDAPS). You can find further information about configuring the Oracle Internet Directory for LDAPS in the Oracle Internet Directory Administrator's Guide.
Once Oracle Internet Directory is configured to use SSL, you must update the OracleAS Portal schema to use the new port on the LDAP server. To perform this step, you run the SQL script, secupoid.sql
, located in MID_TIER_ORACLE_HOME
/portal/admin/plsql/wwc
. This script allows for the setting of the following Oracle Internet Directory related parameters:
Directory Host Name
Directory Port
Application Directory Password
SSL Settings
When you run the script, it displays the current settings and gives you the ability to change them accordingly. In this case, you want to set the following:
use_ssl_to_connect_to_ldap=Y
The script will then give you the option of automatically refreshing OracleAS Portal's Oracle Internet Directory cache. Refer to Section C.3, "Using the secupoid.sql Script" for more information.
Note: In 10g Release 2 (10.1.2), you can optionally install OracleAS Portal using LDAPS rather than having to implement it after installation. |
Once you have installed OracleAS Portal and performed the appropriate tasks from Section 6.3.2.4, "Post-Installation Security Checklist", you can change all of the following settings that pertain to security from the Global Settings page of OracleAS Portal:
As pointed out in Section 6.1.7, "Leveraging Oracle Identity Management Infrastructure", OracleAS Portal maintains a cache of information from the directory. From the Global Settings page, you can refresh this cache with the updated information from the directory. Refresh Cache for the Oracle Internet Directory parameters immediately updates the cache with the latest parameters values from the directory. The cached information is relatively static information, hence you do not need to refresh the cache frequently.
Because OracleAS Portal caches group membership information, it requires a mechanism for updating the cache when the information is changed in the directory. The directory integration server notifies OracleAS Portal whenever a change is made in the directory that must be reflected in OracleAS Portal. In Global Settings, you can set:
Enable directory synchronization defines whether the directory integration server notifies OracleAS Portal when a relevant change is made in the directory. If this setting is not checked, then OracleAS Portal will not be notified of any directory integration server subscribed events.
Send event notifications every n seconds defines the interval of time between event notifications sent by the directory integration server to notify OracleAS Portal of relevant changes. This setting is available only when Enable directory synchronization is checked.
When the Oracle Directory Integration and Provisioning server is running and configured to work with OracleAS Portal, group membership changes in Oracle Internet Directory will result in soft cache invalidations in OracleAS Portal.
Some examples of group membership cache invalidations are:
If you add a user to a group, the Oracle Directory Integration and Provisioning server notifies OracleAS Portal of the change. OracleAS Portal will then issue a single soft invalidation message that will be processed by the soft invalidation job. This is because of the possibility that the user may have new privileges that can affect what data can be viewed.
If you add group _A to group _B, the Oracle Directory Integration and Provisioning server notifies OracleAS Portal of the change. OracleAS Portal will then issue a soft invalidation message for each user in group _A. This is because of the possibility that the users in group _A may have new privileges that affect what data they can view.
OracleAS Portal maintains its user group information in the directory. When groups are created through the Group portlet, they are created under a node of the LDAP Directory Information Tree (DIT). A node is identified by its distinguished name (DN). Therefore, in OracleAS Portal, you need to specify in which node you wish to create groups:
Group Creation Base DN is the DN of the node in which you want OracleAS Portal to maintain its user groups. For example:
cn=portal.040820.123756.096286000,cn=Groups,dc=MyCompany,dc=com
This setting is particularly useful if you adapt OracleAS Portal to interact with an existing DIT.
Just as you need to define the node in which you want to create groups, you must also define the node in which you want OracleAS Portal to search for existing groups. For example, you need to specify where OracleAS Portal searches when it displays the group's list of values in the Group portlet.
Local Group Search Base DN is the DN of the node in which you want OracleAS Portal to maintain its user groups. For example:
cn=portal.040820.123756.096286000,cn=Groups,dc=MyCompany,dc=com
This setting is particularly useful if you adapt OracleAS Portal to interact with an existing DIT.
After OracleAS Portal is installed, you should consider performing the following steps to complete the security configuration:
Consider LDAP over SSL for Oracle Internet Directory Connections
Configure Oracle Enterprise Manager 10g to Monitor OracleAS Portal Running in SSL Mode
Unscrupulous users might try to learn the passwords of your default users, which could result in an account lock. This lock can be released from the server, but it is far better that you not depend on the default user accounts for administrative purposes. To safeguard the passwords for these accounts do the following:
Immediately change the default passwords for all of the following default users:
PORTAL
PORTAL_ADMIN
PUBLIC
Create new lightweight administrator accounts with the same access rights as the default users, and set the account termination date in OracleAS Single Sign-On for the default users. Alternatively, you can also deselect the Allow User To Log In setting in the Edit User page for the default users.
Once you have disabled login or changed the passwords for the default users, try logging in to the portal as the default users with the default passwords to ensure that your changes have been successful.
To prevent users from entering your portal through obsolete or unnecessary pages, you should remove any unused objects from your OracleAS Portal and database environment. For example:
Delete page groups that are no longer in use.
Delete OracleAS Portal providers that are no longer in use.
When OracleAS Portal is installed, the seeded groups listed in Table 6-2 are provisioned with a set of privileges that are typically required by users in those roles. You should review these initial set of privileges to ensure that they are consistent with your security policy.
Users or groups can obtain privileges from one of the following sources:
OracleAS Portal access control entries
Oracle Internet Directory privilege groups
To edit the privileges granted through OracleAS Portal access control entries, you edit the user or group profile from the Administer tab with the User Profile Portlet or Group Profile Portlet. Click the User or Group Profile dialog's Privilege tab. You can revoke or assign privileges from this list.
To edit the privileges granted through Oracle Internet Directory privilege groups, use the User Portlet or Group Portlet to edit the User or Group in Oracle Internet Directory. Select or deselect the check marks by the Privilege Assignment list to grant or revoke the appropriate privileges in Oracle Internet Directory.
Privileges granted to the AUTHENTICATED_USERS group are given to any user that logs on to OracleAS Portal through OracleAS Single Sign-On upon successful authentication. This is the group that you will want to establish with the default privileges for all your logged in users.
For example, if you do not want authenticated users to be able to create groups, then edit the AUTHENTICATED_USERS group through the Group Portlet and remove the check mark beside Allow group creation under Privilege Assignment.
In some cases, OracleAS Portal provider components may give users the option to view or modify records in application tables. To tighten security, you should revoke public access from such components if it is unnecessary. You can also use a menu component with specific access rights on the menu options to more tightly control application access.
To prevent users who should not have access to administration interfaces from entering administration pages, you should ensure that you control access rights for the following page groups and the pages they contain:
Portal Design-Time Pages is the page group that contains the OracleAS Portal Home Page, and the Builder and Navigator pages.
Portlet Repository
To control access to the page groups mentioned earlier, perform the following steps:
In the Navigator, click Page Groups.
Click Edit Properties next to the page group for which you want to change the access settings.
Click the Access tab.
Grant MANAGE ALL
to specific users or to certain groups. For example, DBA
, PORTAL_ADMINISTRATORS
, PORTAL_DEVELOPERS
, and your own groups.
When you are done, click OK.
To control access to individual administration pages in these page groups, perform the following steps:
In the Navigator, click Page Groups.
Click Contents next to the page group that contains the pages on which you want to change the access settings.
Click Pages.
Click Properties next to the page for which you to change the access settings.
Click the Access tab.
Grant MANAGE ALL
to specific users or to certain groups. For example, DBA
, PORTAL_ADMINISTRATORS
, PORTAL_DEVELOPERS
, and your own groups.
When you are done, click OK.
Note: The Builder page is the root page of the Portal Design-Time Pages page group. To alter its access settings, you must click Edit Root Page next to the Portal Design-Time page group. |
The default installation protects standard database procedures that are granted to PUBLIC
, for example dbms_*
, utl_*
, and so on. If you write your own PL/SQL packages, which are granted to PUBLIC
, and do not want to provide access to these packages through a Web browser, then refer to the chapter "Securing Application Database Access Through mod_plsql" in Oracle Application Server mod_plsql User's Guide.
To secure passwords going across the Internet you can use Secure Sockets Layer (SSL) communications by configuring OracleAS Portal to run in HTTPS. However, to enable or disable SSL, you must have portal administrator privileges.
Login Portlet Versus Login Page
OracleAS Portal has the option to place a Login portlet on a page (typically the home page). This portlet shows user name and password fields and a login button when the user is not logged in. If the user is logged in, it shows a logout link. This portlet provides a way to log in without having to navigate to a dedicated login page. It also displays in the OracleAS Portal page layout style.
However, if you use this portlet, you must ensure that the pages on which it appears are SSL-encrypted. Bear in mind, that SSL encryption for your complete site could adversely affect performance because it requires more resources. Furthermore, the Login portlet presents a security risk because you cannot prevent showing the login screen, as it is shown when the user is not logged in. Hence, in situations where you want SSL encryption on passwords, you should not use the Login portlet when you want SSL encryption. To enforce this restriction, you must remove access rights for the Login portlet in the Portlet Repository.
By default, OracleAS Portal connects to the directory using LDAP without SSL. If the directory server is configured for an SSL port, though, OracleAS Portal can be configured to use LDAP over SSL, also known as LDAPS.
To configure OracleAS Portal to use SSL to connect to the directory, you must run the secupoid.sql
script, located in ORACLE_HOME
/portal/admin/plsql/wwc
. This script enables you to change the following OracleAS Portal configuration parameters related to the directory:
Directory hostname
Directory port
Application directory password
SSL setting
When you install OracleAS Portal, it is automatically configured with a directory server. However, you may want to change some settings, such as whether to use SSL, after installation. To change to an SSL connection for the directory, simply run the secupoid.sql
script in the PORTAL schema to specify the LDAPS port instead of the LDAP port, and indicate that you want to use SSL.
Running the secupoid.sql script
The section that follows shows a sample execution of secupoid.sql
from SQL*Plus.
In the example, the directory was initially configured to run LDAP on port 389
. Later, an LDAPS port was activated on 636
. Because the server name does not change, we retain the old value, update the port, and indicate that we want to use SSL by setting the Use SSL? value to Y. When you run the script, it displays the current configuration and lets you replace any of the configurable settings. The script also enables you to update OracleAS Portal's directory cache after running it. Because activating SSL does not change any of the directory information cached by OracleAS Portal, it is not usually necessary to refresh the cache in this case.
SQL> @secupoid Current Configuration -------------------- OID Host: oid.domain.com OID Port: 389 Application DN: orclApplicationCommonName=PORTAL.040820.123756.096286000,cn=Portal,cn=Products,cn=OracleContext Application Password: 3E8C2D1B87CB61011757239C5AA9B390 Use SSL? N PL/SQL procedure successfully completed. Updating OID Configuration Entries Press [Enter] to retain the current value for each parameter For SSL Connection to LDAP, specify "Y"es or "N"o ------------------------------------------------ Enter value for oid_host: Enter value for oid_port: 636 Enter value for app_password: Enter value for use_ssl_to_connect_to_ldap: Y Enter value for refresh_with_new_settings: N PL/SQL procedure successfully completed. No errors.
After executing the script, OracleAS Portal is configured for LDAPS access of the directory. Refer to Section C.3, "Using the secupoid.sql Script" for more information.
OracleAS Portal never passes a user's password to the directory. Only OracleAS Single Sign-On performs that task. However, OracleAS Portal authenticates itself to the directory through its application entity and password.
If you want to change the application entity's password, you need to first change its entry in the directory, using command line utilities or the Oracle Directory Manager. To locate the application entry in the directory, you need its DN, which is reported by the secupoid.sql
script. By default, OracleAS Portal's application entry is:
orclApplicationCommonName=PORTAL.040820.123756.096286000,cn=Portal,cn=Products,cn=OracleContext
To change the password, you set the userPassword attribute for the application entry to the new password.
After you have changed the password in the directory, you run secupoid.sql
script in the PORTAL schema and specify the new password there, too. Running the script enables OracleAS Portal to encrypt the password and store it for retrieval when it needs to connect to the directory.
Refer to Section C.3, "Using the secupoid.sql Script" for more information about the secupoid.sql
script.
See Also: Section 6.1.7.2.1, "Directory Entries in Oracle Internet Directory for OracleAS Portal", for more information about the application entity. |
To enable Enterprise Manager to monitor OracleAS Portal running in either the mixed SSL mode or fully SSL-enabled mode, you must perform additional configuration.
To do this, follow the instructions for configuring Oracle Enterprise Manager 10g to monitor SSL-Enabled Targets, provided in Oracle Application Server Administrator's Guide.
Fine-grained access controls and secure application contexts add a new dimension to your ability to secure your data in the database.
Fine-grained access control is sometimes referred to as virtual private database or row level security. Fine-grained access control in the Oracle Database 10g is the ability to dynamically attach, at run time, a predicate (WHERE clause) to any and all queries issued against a database table or view. This feature gives you the ability to procedurally modify the query at run time. You may evaluate who is running the query, where they are running the query from, when they are running the query and develop a predicate given those circumstances. With the use of application contexts, you may securely add additional information to the environment (such as an application role the user may have) and access it in your procedure or predicate as well.
As an example of fine-grained access control, you might have a security policy that determines what rows different groups of people may see. Your security policy will develop a predicate based on who is logged in and what group they are in.
You will find additional information about fine-grained access and application contexts in the technical note "How to Implement Fine Grained Access Controls and Secure Application Contexts," on Oracle Technology Network, http://www.oracle.com/technology/
.
Footnote Legend
Footnote 1: The default identity management realm name is determined by the domain name of the server on which the system is installed. For example, if the domain name server was oracle, the default identity management realm name would be dc=oracle,dc=com. If the domain name server cannot be determined, the default name assigned by the directory is dc=Default Company,dc=com