Skip Headers
Oracle® Ultra Search Administrator's Guide
10g Release 2 (10.1.2)
Part No. B14041-01
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

6 Security in Oracle Ultra Search

The ability to control user access to Web content is critical. This chapter describes the architecture and configuration of security for Oracle Ultra Search.

This chapter contains the following sections:


See Also:


About Oracle Ultra Search Security

This section describes the Oracle Ultra Search security model. It contains the following sections:

Oracle Ultra Search Security Model

Security problems, such as unauthorized access to information, can lead to loss of productivity. Search engines like Oracle Ultra Search provide access to a vast variety of content repositories in a single gateway. Each one of these repositories has its own security model that determines whether a particular user can access a particular document. Because Oracle Ultra Search provides access to data from multiple repositories, existing security information in each repository must be carefully supported to avoid unauthorized access.

This section describes the security architecture of Oracle Ultra Search. Security is implemented at the following levels:

  • User authentication

    This is the identification of a user, through LDAP and Oracle Internet Directory, at Oracle Ultra Search front-end interfaces.

  • User entitlement

    This determines whether a user can access information about a particular item in the results list. It is implemented by access control lists (ACLs). Oracle Ultra Search provides mapped-security to third-party repositories by retrieving the access control list for each document at the time of indexing and storing them in Oracle Ultra Search. Oracle Ultra Search does not need any connection with the repository itself to validate access privileges.

  • Security of Oracle Ultra Search

    Actual Oracle Ultra Search security is handled by the dictionary data in the Oracle Ultra Search database, the administrative user, and password data.

Oracle Ultra Search with Secure Socket Layer and HTTPS

Starting with Oracle Database 10g, Oracle Ultra Search supports secure socket layer (SSL). This means that in addition to HTTP-based URLs, Oracle Ultra Search can also access HTTPS -based URLs (that is, HTTP over SSL).


See Also:

"Configuring Oracle Ultra Search for SSL" for detailed information on configuring Oracle Ultra Search with SSL

Classes of Users and Their Privileges

To grant an Oracle Ultra Search user administration privileges, you must assign the user to an administration group. Each user can belong to one or more groups. The following groups are created for each Oracle Ultra Search instance:

  1. Instance administrators: Users in this group can only manage instances for which they have privileges.

  2. Super-users: Users in this group can manage all instances, including creating instances, dropping instances, and granting privileges.

Oracle Ultra Search also has two classes of users:

  1. Single Sign-on users: These users are managed by the Oracle Internet Directory and are authenticated by OracleAS Single Sign-On. The Oracle Ultra Search administration tool identifies all Oracle Ultra Search instances to which the single sign-on user has access. This is available only if you have the Oracle Identity Management infrastructure installed.

  2. Database users: These users (not single sign-on users) exist in the database on which Oracle Ultra Search runs.

Oracle Ultra Search Default Users

New Oracle Ultra Search instances contain the following users:

  • WK_TEST: This is the instance administrator user that hosts the default instance, called WK_INST. In other words, WK_TEST is the instance administrator for WK_INST. For security purposes, WK_TEST is locked after the installation. The administrator should login to the database as DBA role, unlock the WK_TEST user account, and set the password to be WK_TEST. (The password expires after the installation.) If you change the password to anything other than WK_TEST, then you must also update the cached schema password using the administration tool Edit Instance page after you change the password in the database.

  • WKSYS: This is a database super-user. WKSYS can grant super-user privileges to other users, such as WK_TEST. All Oracle Ultra Search database objects are installed in the WKSYS schema.


Note:

The WKUSER role is required to host instances.

Resources Protected by Oracle Ultra Search

All publicly crawled data is publicly accessible.

The following resources are protected by Oracle Ultra Search:

  • Crawled data that uses an access control list (ACL) is protected; in other words, it is private to users named by the ACL.

  • All passwords are protected.

  • User-defined data source parameters are protected.

Authorization and Access Enforcement

There are three possible entry points to Oracle Ultra Search:

  1. The database: This contains all data. All data and metadata is protected with row level security. All passwords are encrypted.

  2. The Oracle Ultra Search administration tool: This does not contain crawled data. You must authenticate with OracleAS Single Sign-On or database authentication.

  3. The Oracle Ultra Search query tool: This contains crawled data. Unauthenticated users can see only public data. Authenticated users can see public data and ACL-protected information. Users must authenticate themselves to see private information.

How Oracle Ultra Search Leverages Security Services

Oracle Ultra Search uses the following to leverage security services:

  • Oracle Ultra Search uses secure socket layers (SSL), the industry standard protocol for managing the security of message transmission on the Internet. This is used for securing RMI connections, HTTPS crawling, and secure JDBC.

  • JAZN: Oracle Application Server Containers for J2EE (OC4J) implements a Java authentication and authorization service (JAAS) provider called JAZN. This provides application developers with user authentication, authorization, and delegation services to integrate into their application environments.

How Oracle Ultra Search Leverages the Oracle Identity Management Infrastructure

Oracle Ultra Search uses OracleAS Single Sign-On and Oracle Internet Directory to leverage the Oracle Identity Management infrastructure.

With OracleAS Single Sign-On, you can log on once for all components, and the Oracle Ultra Search administrative interface allows user management operations on either database users or single sign-on users. Authenticated single sign-on users never see the Oracle Ultra Search logon screen. Instead, they can immediately choose an instance. The Oracle Ultra Search administration tool and the query tool use single sign-on.

Oracle Internet Directory is Oracle's native LDAP v3-compliant directory service, built as an application on top of the Oracle database. Oracle Internet Directory hosts the Oracle common identity. All Oracle Ultra Search instances are registered with Oracle Internet Directory.

Oracle Ultra Search has native identity management; therefore, in the absence of the Oracle Identity Management infrastructure, Oracle Ultra Search uses the native user management available with the Oracle database.

Oracle Ultra Search Extensibility and Security

Oracle Ultra Search is extensible (for example, the crawler agent is extensible), but this poses no extra security considerations.

Configuring a Security Framework for Oracle Ultra Search

This section describes special security configuration steps within Oracle Ultra Search.

Configuring Security Framework Options for Oracle Ultra Search

Storing clear text passwords in data-sources.xml poses a security risk. Avoid this by using password indirection to specify the password. This lets you enter the password in jazn-data.xml, which is automatically encrypted, and point to it from data-sources.xml.

Enabling Secure Search

Oracle Ultra Search supports secure searches, which return only documents satisfying the search criteria that the search user is allowed to view. For secure searches, each indexed document should be protected by an access control list (ACL). During searches, the ACL is evaluated. If the user performing the search has permission to read the protected document, then the document is returned by the query API. Otherwise, it is not returned.

This section describes how to enable secure search.

Step 1: Check the database version requirements and configure Oracle Identity Management.

Before you can set up a secure Oracle Ultra Search installation, you must do the following:

Secure search functionality requires that the Oracle Ultra Search database is Oracle version 9.2.0.4 or higher and that the Oracle Ultra Search database is linked to a compatible instance of Oracle Internet Directory. This is necessary because Oracle Ultra Search utilizes XML DB functionality, which requires a certain version of Oracle. Oracle XML DB, in turn, requires a live link to Oracle Internet Directory, through which it retrieves all LDAP principal information. The connection between Oracle and Oracle Internet Directory must be running at all times for secure search to work. To set up this link, configure the Oracle Database to use Oracle Identity Management.

Step 2: Restart the Oracle listener.

In the previous step, you configured the Oracle Database to use Identity Management. That process involved configuring ORACLE_HOME for directory usage. You must make sure to restart the Oracle listener to inherit the changes made to ORACLE_HOME. Restart the listener, if you have not already done so.

Step 3: Install or upgrade Oracle Ultra Search, if necessary.

After you have configured the Oracle Ultra Search database to work with Oracle Internet Directory, you can install or upgrade the Oracle Ultra Search backend into the Oracle Server, if you have not already done so.

Step 4: Create the /sys/apps/ultrasearch folder.

Immediately after installation or upgrade, you must run a SQL script to create the /sys/apps/ultrasearch folder in the XML DB repository. This folder stores all Oracle Ultra Search ACLs in XML DB.

To create the /sys/apps/ultrasearch folder, do the following:

  1. cd to $ORACLE_HOME/ultrasearch/admin

  2. Login to the Oracle Ultra Search database using SQL*Plus as user WKSYS

  3. Invoke the SQL script: @wk0prepxdb.sql


See Also:

"Changing Oracle Ultra Search Schema Passwords" for information on changing the WKSYS password

Upon termination, the wk0prepxdb.sql script lists all Oracle Ultra Search-related XML DB resources by running the following SQL:

SELECT any_path FROM resource_view WHERE any_path LIKE '%ultrasearch%';

Running that SQL statement must show two rows:

/sys/apps/ultrasearch
/sys/apps/ultrasearch_acl.xml

If you do not see this confirmation, then this step has failed, and you cannot proceed. Recheck that all previous steps were performed correctly.

Step 5: Turn on secure search functionality in Oracle Ultra Search.

Because there is currently no way to programatically verify a proper Oracle-Oracle Internet Directory installation, the secure search functionality in Oracle Ultra Search is turned off by default. You must explicitly turn on this feature after completing all previous steps.

Step 6: Turn On Secure Search in the Query Application.

To turn on secure search functionality in Oracle Ultra Search:

  1. Login to the Oracle Ultra Search database using SQL*Plus as user WKSYS

  2. Invoke the following PL/SQL API: exec WK_ADM.SET_SECURE_MODE(1)

The argument (1) indicates that you are turning on secure search.

After you have turned on secure search functionality, you can create Oracle Ultra Search instances that are secure search-enabled.


Note:

At any subsequent point in time, you can turn off security by invoking WK_ADM.SET_SECURE_MODE(0). Doing so designates that any instances created after that will not support secure searches. However, existing secure search-enabled instances are not modified. Hence, if the Oracle-Oracle Internet Directory link ceases to function, you cannot perform searches on crawled documents that are secured.

Oracle Ultra Search supports secure searches, which return only documents satisfying the search criteria that the search user is allowed to view. To turn on secure search in the query application, follow these steps:

  1. Deploy Oracle Ultra Search query (ultrasearch_query.ear).

  2. Edit the OC4J jazn.xml file to connect to Oracle Internet Directory. For example:

    <jazn provider="LDAP" default-realm="us" location="ldap://localhost:3060">
         <property name="ldap.user" value="orcladmin"/> 
         <property name="ldap.password" value="!welcome"/> 
         </jazn>
    
    
  3. Restart OC4J.

  4. Edit applications/ultrasearch_query/META-INF/orion-application.xml to turn on JAZN LDAP.

  5. Edit applications/ultrasearch_query/query/WEB-INF/web.xml to enable login functionality in usearch.jsp. For example:

    <init-param> 
    <param-name>login enabled</param-name> 
    <param-value>true</param-value> 
    </init-param> 
    
    
  6. Enable mod_osso in Apache.

  7. Access http://hostname:port/ultrasearch/query/usearch.jsp to see the login function, and test secure search.


See Also:

"Secure Search"