Oracle® Ultra Search Administrator's Guide
10g Release 2 (10.1.2) Part No. B14041-01
The ability to control user access to Web content is critical. This chapter describes the architecture and configuration of security for Oracle Ultra Search.
This chapter contains the following sections:
This section describes the Oracle Ultra Search security model. It contains the following sections:
Security problems, such as unauthorized access to information, can lead to loss of productivity. Search engines like Oracle Ultra Search provide access to a vast variety of content repositories in a single gateway. Each one of these repositories has its own security model that determines whether a particular user can access a particular document. Because Oracle Ultra Search provides access to data from multiple repositories, existing security information in each repository must be carefully supported to avoid unauthorized access.
This section describes the security architecture of Oracle Ultra Search. Security is implemented at the following levels:
User authentication: This is the identification of a user, through LDAP and Oracle Internet Directory, at the Oracle Ultra Search front-end interfaces.
User entitlement: This determines whether a user can access information about a particular item in the results list. It is implemented by access control lists (ACLs). Oracle Ultra Search provides mapped security to third-party repositories by retrieving the access control list for each document at the time of indexing and storing those lists in Oracle Ultra Search. Oracle Ultra Search does not need any connection with the repository itself to validate access privileges.
Security of Oracle Ultra Search: The security of Oracle Ultra Search itself is handled by the dictionary data in the Oracle Ultra Search database, the administrative user, and password data.
Starting with Oracle Database 10g, Oracle Ultra Search supports Secure Sockets Layer (SSL). This means that in addition to HTTP-based URLs, Oracle Ultra Search can also access HTTPS-based URLs (that is, HTTP over SSL).
See Also: "Configuring Oracle Ultra Search for SSL" for detailed information on configuring Oracle Ultra Search with SSL
To grant an Oracle Ultra Search user administration privileges, you must assign the user to an administration group. Each user can belong to one or more groups. The following groups are created for each Oracle Ultra Search instance:
Instance administrators: Users in this group can only manage instances for which they have privileges.
Super-users: Users in this group can manage all instances, including creating instances, dropping instances, and granting privileges.
Oracle Ultra Search also has two classes of users:
Single Sign-on users: These users are managed by the Oracle Internet Directory and are authenticated by OracleAS Single Sign-On. The Oracle Ultra Search administration tool identifies all Oracle Ultra Search instances to which the single sign-on user has access. This is available only if you have the Oracle Identity Management infrastructure installed.
Database users: These users (not single sign-on users) exist in the database on which Oracle Ultra Search runs.
New Oracle Ultra Search instances contain the following users:
WK_TEST: This is the instance administrator user that hosts the default instance, called WK_INST. In other words, WK_TEST is the instance administrator for WK_INST. For security purposes, WK_TEST is locked after the installation. The administrator should log in to the database with the DBA role, unlock the WK_TEST user account, and set the password to WK_TEST. (The password expires after the installation.) If you change the password to anything other than WK_TEST, then you must also update the cached schema password using the administration tool Edit Instance page after you change the password in the database.
WKSYS: This is a database super-user. WKSYS can grant super-user privileges to other users, such as WK_TEST. All Oracle Ultra Search database objects are installed in the WKSYS schema.
Note: The WKUSER role is required to host instances.
All publicly crawled data is publicly accessible.
The following resources are protected by Oracle Ultra Search:
Crawled data that uses an access control list (ACL) is protected; in other words, it is private to users named by the ACL.
All passwords are protected.
User-defined data source parameters are protected.
There are three possible entry points to Oracle Ultra Search:
The database: This contains all data. All data and metadata is protected with row level security. All passwords are encrypted.
The Oracle Ultra Search administration tool: This does not contain crawled data. You must authenticate with OracleAS Single Sign-On or database authentication.
The Oracle Ultra Search query tool: This contains crawled data. Unauthenticated users can see only public data. Authenticated users can see public data and ACL-protected information. Users must authenticate themselves to see private information.
Oracle Ultra Search uses the following to leverage security services:
SSL: Oracle Ultra Search uses Secure Sockets Layer (SSL), the industry standard protocol for managing the security of message transmission on the Internet. This is used for securing RMI connections, HTTPS crawling, and secure JDBC.
JAZN: Oracle Application Server Containers for J2EE (OC4J) implements a Java authentication and authorization service (JAAS) provider called JAZN. This provides application developers with user authentication, authorization, and delegation services to integrate into their application environments.
OracleAS Single Sign-On and Oracle Internet Directory: Oracle Ultra Search uses these to leverage the Oracle Identity Management infrastructure.
With OracleAS Single Sign-On, you can log on once for all components, and the Oracle Ultra Search administrative interface allows user management operations on either database users or single sign-on users. Authenticated single sign-on users never see the Oracle Ultra Search logon screen. Instead, they can immediately choose an instance. The Oracle Ultra Search administration tool and the query tool use single sign-on.
Oracle Internet Directory is Oracle's native LDAP v3-compliant directory service, built as an application on top of the Oracle database. Oracle Internet Directory hosts the Oracle common identity. All Oracle Ultra Search instances are registered with Oracle Internet Directory.
Oracle Ultra Search has native identity management; therefore, in the absence of the Oracle Identity Management infrastructure, Oracle Ultra Search uses the native user management available with the Oracle database.
This section describes special security configuration steps within Oracle Ultra Search.
Storing clear text passwords in data-sources.xml poses a security risk. Avoid this by using password indirection to specify the password. This lets you enter the password in jazn-data.xml, where it is automatically encrypted, and point to it from data-sources.xml.
Oracle Ultra Search supports secure searches, which return only documents satisfying the search criteria that the search user is allowed to view. For secure searches, each indexed document should be protected by an access control list (ACL). During searches, the ACL is evaluated. If the user performing the search has permission to read the protected document, then the document is returned by the query API. Otherwise, it is not returned.
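The entitlement model described above, as an added worked example that is not Oracle code: a small Python index captures each document's ACL at crawl time and evaluates it at query time against the searcher's principals, without any call back to the source repository. The Document and Index classes, resolve_principals, the sample directory and the sample documents are all constructed for this illustration. Treating an unreachable directory as an unauthenticated caller (public data only) is a fail-closed modelling choice that matches the chapter's statement that secured documents cannot be searched once the directory link stops working; it is not a description of Ultra Search internals.

```python
"""Model of mapped-security entitlement: ACLs stored at index time, checked at query time.

Added illustration, not Oracle code.  All names and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Document:
    url: str
    text: str
    # Principals (users or groups) allowed to read the document.
    # None means the document was crawled publicly and is visible to everyone.
    acl: Optional[FrozenSet[str]] = None


class Index:
    def __init__(self) -> None:
        self._docs: List[Document] = []

    def crawl(self, url: str, text: str, acl: Optional[Set[str]] = None) -> None:
        # Index time: the ACL is fetched from the repository once and stored
        # next to the document.  After this, the repository is never consulted.
        self._docs.append(Document(url, text, None if acl is None else frozenset(acl)))

    def secure_search(self, term: str, principals: Optional[FrozenSet[str]]) -> List[str]:
        """Return URLs of documents containing `term` that the caller may read.

        `principals` is the identity set (user plus groups) of an authenticated
        caller; None means the caller is unauthenticated.
        """
        term = term.lower()
        hits: List[str] = []
        for d in self._docs:
            if term not in d.text.lower():
                continue
            if d.acl is None:
                hits.append(d.url)        # public data: visible to everyone
            elif principals and d.acl & principals:
                hits.append(d.url)        # ACL names one of the caller's principals
            # otherwise the document is silently withheld, not reported as denied
        return hits


def resolve_principals(user: Optional[str], directory: Optional[Dict[str, Set[str]]]) -> Optional[FrozenSet[str]]:
    """Expand a user into user-plus-groups via a directory (stands in for OID).

    Returns None for an anonymous caller or when the directory is unreachable,
    so such callers see only public data (fail closed).
    """
    if user is None or directory is None:
        return None
    return frozenset({user}) | frozenset(directory.get(user, set()))


# Constructed sample directory: user -> groups
DIRECTORY: Dict[str, Set[str]] = {"alice": {"finance"}, "bob": {"engineering"}}


def build_sample_index() -> Index:
    idx = Index()
    idx.crawl("http://intranet/handbook", "employee handbook budget")               # public
    idx.crawl("http://intranet/q3-budget", "q3 budget figures", acl={"finance"})    # group ACL
    idx.crawl("http://intranet/design", "design budget for platform", acl={"bob"})  # user ACL
    return idx


def demo(user: Optional[str], directory: Optional[Dict[str, Set[str]]] = DIRECTORY) -> List[str]:
    """Run the query 'budget' as `user` against the sample index."""
    return build_sample_index().secure_search("budget", resolve_principals(user, directory))


if __name__ == "__main__":
    for who in (None, "alice", "bob", "carol"):
        print(who, "->", demo(who))
    print("alice with directory down ->", demo("alice", directory=None))
```

An anonymous caller sees only the public handbook; alice additionally sees the finance-protected budget, bob the document whose ACL names him directly, and a user unknown to the directory, or any user while the directory is unreachable, falls back to public data only.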
This section describes how to enable secure search.
Step 1: Check the database version requirements and configure Oracle Identity Management.
Before you can set up a secure Oracle Ultra Search installation, you must do the following:
Install or upgrade the Oracle database to 9.2.0.4 or higher. The middle tier and IM (identity management) version should be 9.0.4 or higher. If you have a 9.2.0.4 database, you can use RepCA to convert a 9.2.0.4 database to an Oracle Application Server 9.0.4 metadata repository.
Install and configure the Oracle Internet Directory
The middle tier and IM (identity management) version should be 9.0.4 or higher.
Register the database to Oracle Internet Directory.
You can use RepCA to register the database to Oracle Internet Directory. After registration, you need to perform these manual steps:
Add the distinguished name of the database to the database server parameter file, as an RDBMS_SERVER_DN initialization parameter value.
Restart the database, so that the new initialization parameter takes effect.
Configure the Oracle-Oracle Internet Directory SSL link. To establish a secure connection between database and Oracle Internet Directory, follow the instructions in the following books:
Configuring Oracle Internet Directory for SSL: "Secure Sockets Layer (SSL) and the Directory," chapter in the Oracle release 9.2 of the Oracle Internet Directory Administrator's Guide
Configuring the database for SSL: Chapter 15, "Managing Enterprise User Security" (Part II, Task 1 - Task 3), in the Oracle Database release 9.2 of the Oracle Advanced Security Administrator's Guide
Secure search functionality requires that the Oracle Ultra Search database is Oracle version 9.2.0.4 or higher and that the Oracle Ultra Search database is linked to a compatible instance of Oracle Internet Directory. This is necessary because Oracle Ultra Search utilizes XML DB functionality, which requires a certain version of Oracle. Oracle XML DB, in turn, requires a live link to Oracle Internet Directory, through which it retrieves all LDAP principal information. The connection between Oracle and Oracle Internet Directory must be running at all times for secure search to work. To set up this link, configure the Oracle Database to use Oracle Identity Management.
Step 2: Restart the Oracle listener.
In the previous step, you configured the Oracle Database to use Identity Management. That process involved configuring ORACLE_HOME for directory usage. You must restart the Oracle listener so that it inherits the changes made to ORACLE_HOME. Restart the listener, if you have not already done so.
Step 3: Install or upgrade Oracle Ultra Search, if necessary.
After you have configured the Oracle Ultra Search database to work with Oracle Internet Directory, you can install or upgrade the Oracle Ultra Search backend into the Oracle Server, if you have not already done so.
Step 4: Create the /sys/apps/ultrasearch folder.
Immediately after installation or upgrade, you must run a SQL script to create the /sys/apps/ultrasearch folder in the XML DB repository. This folder stores all Oracle Ultra Search ACLs in XML DB.
To create the /sys/apps/ultrasearch folder, do the following:
cd to $ORACLE_HOME/ultrasearch/admin
Log in to the Oracle Ultra Search database using SQL*Plus as user WKSYS
Invoke the SQL script: @wk0prepxdb.sql
See Also: "Changing Oracle Ultra Search Schema Passwords" for information on changing the WKSYS password
Upon termination, the wk0prepxdb.sql script lists all Oracle Ultra Search-related XML DB resources by running the following SQL:
SELECT any_path FROM resource_view WHERE any_path LIKE '%ultrasearch%';
Running that SQL statement must show two rows:
/sys/apps/ultrasearch
/sys/apps/ultrasearch_acl.xml
If you do not see this confirmation, then this step has failed, and you cannot proceed. Recheck that all previous steps were performed correctly.
Step 5: Turn on secure search functionality in Oracle Ultra Search.
Because there is currently no way to programmatically verify a proper Oracle-Oracle Internet Directory installation, the secure search functionality in Oracle Ultra Search is turned off by default. You must explicitly turn on this feature after completing all previous steps.
To turn on secure search functionality in Oracle Ultra Search:
Log in to the Oracle Ultra Search database using SQL*Plus as user WKSYS
Invoke the following PL/SQL API: exec WK_ADM.SET_SECURE_MODE(1)
The argument (1) indicates that you are turning on secure search.
After you have turned on secure search functionality, you can create Oracle Ultra Search instances that are secure search-enabled.
Note: At any subsequent point in time, you can turn off security by invoking WK_ADM.SET_SECURE_MODE(0). Doing so designates that any instances created after that will not support secure searches. However, existing secure search-enabled instances are not modified. Hence, if the Oracle-Oracle Internet Directory link ceases to function, you cannot perform searches on crawled documents that are secured.
Step 6: Turn On Secure Search in the Query Application.
Oracle Ultra Search supports secure searches, which return only documents satisfying the search criteria that the search user is allowed to view. To turn on secure search in the query application, follow these steps:
Deploy Oracle Ultra Search query (ultrasearch_query.ear).
Edit the OC4J jazn.xml file to connect to Oracle Internet Directory. For example:
<jazn provider="LDAP" default-realm="us" location="ldap://localhost:3060">
  <property name="ldap.user" value="orcladmin"/>
  <property name="ldap.password" value="!welcome"/>
</jazn>
Restart OC4J.
Edit applications/ultrasearch_query/META-INF/orion-application.xml to turn on JAZN LDAP.
Edit applications/ultrasearch_query/query/WEB-INF/web.xml to enable login functionality in usearch.jsp. For example:
<init-param>
  <param-name>login enabled</param-name>
  <param-value>true</param-value>
</init-param>
Enable mod_osso in Apache.
Access http://hostname:port/ultrasearch/query/usearch.jsp to see the login function, and test secure search.
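The following added Python script is not part of Oracle's documentation or product. It checks the configuration artifacts this chapter touches: it flags data-sources.xml entries whose password is not indirected to jazn-data.xml (the password indirection point made earlier in this chapter), confirms that jazn.xml selects the LDAP provider with a directory location, confirms that web.xml enables login for usearch.jsp (the steps just listed), and verifies that the resource_view query from Step 4 returned exactly the two expected paths. All XML samples are constructed for the example; the "->user" indirection syntax is OC4J's convention for pointing a data-source password at a user defined in jazn-data.xml, and is stated here as an assumption because the chapter itself does not show it.

```python
"""Checks for the OC4J / Ultra Search configuration steps in this chapter.

Added illustration, not Oracle code.  XML samples below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Iterable, List

# Constructed data-sources.xml: the first entry stores the password in clear text,
# the second uses password indirection ("->ultrasearch", assumed OC4J syntax)
# to a user whose password lives encrypted in jazn-data.xml.
DATA_SOURCES_XML = """<data-sources>
  <data-source name="UsClear" class="com.evermind.sql.DriverManagerDataSource"
      username="WK_TEST" password="s3cret" url="jdbc:oracle:thin:@dbhost:1521:orcl"/>
  <data-source name="UsIndirect" class="com.evermind.sql.DriverManagerDataSource"
      username="WK_TEST" password="->ultrasearch" url="jdbc:oracle:thin:@dbhost:1521:orcl"/>
</data-sources>"""

# Constructed jazn.xml, shaped like the chapter's LDAP example.
JAZN_XML = """<jazn provider="LDAP" default-realm="us" location="ldap://localhost:3060">
  <property name="ldap.user" value="orcladmin"/>
  <property name="ldap.password" value="!welcome"/>
</jazn>"""

# Constructed web.xml fragment for usearch.jsp with the login switch turned on.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>usearch</servlet-name>
    <jsp-file>/usearch.jsp</jsp-file>
    <init-param>
      <param-name>login enabled</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Resource paths that wk0prepxdb.sql must list (from the chapter's Step 4).
EXPECTED_XDB_RESOURCES = {"/sys/apps/ultrasearch", "/sys/apps/ultrasearch_acl.xml"}


def cleartext_data_sources(xml_text: str) -> List[str]:
    """Names of data-source entries whose password is a literal, not a '->' indirection."""
    root = ET.fromstring(xml_text)
    return [ds.get("name") for ds in root.iter("data-source")
            if not (ds.get("password") or "").startswith("->")]


def jazn_uses_ldap(xml_text: str) -> bool:
    """True when jazn.xml selects the LDAP (Oracle Internet Directory) provider."""
    root = ET.fromstring(xml_text)
    return root.tag == "jazn" and root.get("provider") == "LDAP" and bool(root.get("location"))


def login_enabled(xml_text: str) -> bool:
    """True when web.xml carries init-param 'login enabled' with value true."""
    root = ET.fromstring(xml_text)
    for param in root.iter("init-param"):
        name = (param.findtext("param-name") or "").strip()
        if name == "login enabled":
            return (param.findtext("param-value") or "").strip().lower() == "true"
    return False


def xdb_folder_created(rows: Iterable[str]) -> bool:
    """True when the resource_view query returned exactly the two expected rows."""
    return {r.strip() for r in rows} == EXPECTED_XDB_RESOURCES


if __name__ == "__main__":
    print("data sources with clear text passwords:", cleartext_data_sources(DATA_SOURCES_XML))
    print("jazn.xml uses LDAP provider:", jazn_uses_ldap(JAZN_XML))
    print("web.xml login enabled:", login_enabled(WEB_XML))
    print("XML DB folder present:", xdb_folder_created(["/sys/apps/ultrasearch",
                                                         "/sys/apps/ultrasearch_acl.xml"]))
```

Run the functions against the real files from ORACLE_HOME to spot a data source that was left with a literal password, a jazn.xml still on the default XML provider, or a web.xml where the login switch was never set; each check returns a value rather than printing, so the same functions can sit in a post-install test.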