Oracle® HTTP Server Administering a Standalone Deployment Based on Apache 1.3
10g Release 2 (10.1.2) B14008-02 |
|
Previous |
Next |
Apache is a public domain HTTP server derived from the National Center for Supercomputing Applications (NCSA).
The process of verifying the identity of a user, device, or other entity in a host system, often as a prerequisite to granting access to resources in a system. A recipient of an authenticated message can be certain of the message's origin (its sender). Authentication is presumed to preclude the possibility that another party has impersonated the sender.
Also called a digital certificate. An ITU x.509 v3 standard data structure that securely binds an identity to a public key.
A certificate is created when an entity's public key is signed by a trusted identity, a certificate authority The certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.
A certificate contains the entity's name, identifying information, and public key. It is also likely to contain a serial number, expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, it contains information about the certificate authority that issued it.
A trusted third party that certifies that other entities—users, databases, administrators, clients, servers—are who they say they are. When it certifies a user, the certificate authority first seeks verification that the user is not on the certificate revocation list (CRL), then verifies the user's identity and grants a certificate, signing it with the certificate authority's private key. The certificate authority has its own certificate and public key which it publishes. Servers and clients use these to verify signatures the certificate authority has made. A certificate authority might be an external company that offers certificate services, or an internal organization such as a corporate MIS department.
Common Gateway Interface (CGI) is the industry-standard technique for transferring information between a Web server and any program designed to accept and return data that conforms to the CGI specifications.
Data that has been encrypted. Cipher text is unreadable until it has been converted to plain text (decrypted) with a key. See decryption.
A set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.
The art of protecting information by transforming it (encrypting) into an unreadable format. See encryption.
A database access descriptor (DAD) is a set of values that specify how an application connects to an Oracle database to fulfill an HTTP request. The information in the DAD includes the username (which also specifies the schema and the privileges), password, connect-string, error log file, standard error message, and national language support (NLS) parameters such as NLS language, NLS date format, NLS date language, and NLS currency.
The process of converting the contents of an encrypted message (ciphertext) back into its original readable format (plaintext).
Data Encryption Standard. A commonly used symmetric key encryption method that uses a 56-bit key.
A de-militarized zone (DMZ) is a set of machines that are isolated from the internet by a firewall on one side, and from a company's intranet by a firewall on the other side. This set of machines are viewed as semi-secure. They are protected from the open internet, but are not completely trusted like machines that are inside the second firewall and part of the company's intranet. In a typical application server setup with a DMZ, only the Web listener and the static content for the Web site are placed in the DMZ. All business logic, databases, and other critical data and systems in the intranet are protected.
Diffie-Hellman key negotiation algorithm
Diffie-Hellman key negotiation algorithm is a method that lets two parties communicating over an insecure channel to agree upon a random number known only to them. Though the parties exchange information over the insecure channel during execution of the Diffie-Hellman key negotiation algorithm, it is computationally infeasible for an attacker to deduce the random number they agree upon by analyzing their network communications. Oracle Advanced Security uses the Diffie-Hellman key negotiation algorithm to generate session keys.
<Directory>
It is used to enclose a group of directives that apply only to the named directory and subdirectories of that directory. Any directory that is allowed in a directory context may be used. The directory is either the full path to a directory, or a wildcard string. In a wildcard string, ? matches any single character and * matches any sequences of characters. It is important to note that <Directory /
> operated on the whole file system, where as <Directory
dir
> refers to absolute directories. <Directory
> containers cannot be nested inside each other, but can refer to directories in the document root that are nested.
<DirectoryMatch>
It should be used when specifying regular expressions, instead of using the tilde form of <Directory
> with wildcards in the directory specification. The following two examples have the same result, matching directories starting with web
and ending with a number from 1 to 9:
<Directory ~/web[1-9]/> <DirectoryMatch "/web[1-9]/">
A hierarchical tree-like structure consisting of the DNs of the directory entries. See distinguished name.
The unique name of a directory entry. It comprises all of the individual names of the parent entries back to the root in the directory information tree.
The process of disguising a message thereby rendering it unreadable to any but the intended recipient. Encryption is performed by translating data into secret code. There are two main types of encryption: public-key encryption (or asymmetric-key encryption) and symmetric-key encryption.
In the context of a directory service, entries are the building blocks of a directory. An entry is a collection of information about an object in the directory. Each entry is composed of a set of attributes that describe one particular trait of the object. For example, if a directory entry describes a person, that entry can have attributes such as first name, last name, telephone number, or e-mail address.
The ability to reconfigure a computing system to utilize an alternate active component when a similar component fails.
<Files>
The <Files
file
> and </Files
> directives support access control by filename. It is comparable to the <Directory> and <Location> directives. The directives given within this section can be applied to any object within a base name (the last component of the filename) matching the specified file name. <Files
> sections are processed in the order that they appear in the configuration file, after the <Directory
> sections, and .htaccess
files are read, but before <Location
> sections. Note that the <Files
> directives can be nested inside <Directory
> sections to restrict the portion of the file system to which they apply.
<FilesMatch>
Provides access control by filename, just as the <Files> directive does. However, it accepts regular expression.
Hypertext Transfer Protocol (HTTP) is the underlying format used by the Web to format and transmit messages and determine what actions Web servers and browsers should take in response to various commands. HTTP is the protocol used between Oracle Application Server and clients.
Keystore is a protected database that holds keys and certificates for an enterprise. Access to a keystore is guarded by a password (defined at the time the keystore is created, by the person who creates the keystore, and changeable only when providing the current password).In addition, each private key in a keystore can be guarded by its own password.
Lightweight Directory Access Protocol
A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. The framework of design conventions supporting industry-standard directory products, such as the Oracle Internet Directory.
<Location>
Limits the application of the directives within a block to those URLs specified, rather than to the physical file location like the <Directory> directive. <Location
> sections are processed in the order that they appear in the configuration file, after the <Directory
> sections and .htaccess
files are read, and after the <Files> sections. <Location
> accepts wildcard directories and regular expressions with the tilde character.
<LocationMatch>
Functions in an identical manner to <Location> and you should use it for specifying regular expressions instead of the tilde form of <Location
> with wildcards in the location specification.
A hashing algorithm intended for use on 32-bit machines to create digital signatures. MD5 is a one-way hash function, meaning that it converts a message into a fixed string of digits that form a message digest.
Representation of text as a string of single digits. It is created using a formula called a one-way hash function.
Modules extend the basic functionality of the Web server and support integration between Oracle HTTP Server and other Oracle Application Server components.
An algorithm that turns a message into a single string of digits. "One way" means that it is almost impossible to derive the original message from the string of digits. The calculated message digest can be compared with the message digest that is decrypted with a public key to verify that the message has not been tampered with.
Oracle Process Manager and Notification Server
Oracle Process Manager and Notification Server (OPMN) manages Oracle HTTP Server and OC4J processes within an application server instance. It channels all events from different components to all components interested in receiving them.
Privacy-Enhanced Electronic Mail. An encryption technique that provides encryption, authentication, message integrity, and key management.
In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used for encryption with digital signatures. See public/private key pair.
In public-key cryptography, this key is made public to all. It is primarily used for encryption but can be used for verifying signatures. See public/private key pair.
Encryption method that uses two different random numbers (keys). See public key and public-key encryption.
The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using its private key.
A set of two numbers used for encryption and decryption, where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are held by their respective owners. Though mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms, or public-key cryptosystems. Data encrypted with either a public key or a private key from a key pair can be decrypted with its associated key from the key-pair. However, data encrypted with a public key cannot be decrypted with the same public key, and data encrypted with a private key cannot be decrypted with the same private key.
A public-key encryption technology developed by RSA Data Security. The RSA algorithm is based on the fact that it is laborious to factor very large numbers. This makes it mathematically unfeasible, because of the computing power and time required to decode an RSA key.
Secure Hash Algorithm assures data integrity by generating a 160-bit cryptographic message digest value from given data. If as little as a single bit in the data is modified, the Secure Hash Algorithm checksum for the data changes. Forgery of a given data set in a way that will cause the Secure Hash Algorithm to generate the same result as that for the original data is considered computationally infeasible.
An algorithm that takes a message of less than 264 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
Secure Shell (SSH) is a well known protocol and has widely available implementation that provide a secure connection tunneling solution, very similar to what port tunneling offers. SSH provides a daemon on both the client and server sides of a connection. Clients connect to the local daemon rather than connecting directly to the server. The local SSH daemon then establishes a secure connection to the daemon on the server side. Communication is then routed from the client, through the client side daemon to the server side daemon and then on to the actual server. This allows a client/server program that uses an insecure protocol to be tunneled through a secure channel. For our purposes, the disadvantage of SSH is that it requires two hops to occur and that the implementations available do not perform and scale well enough. More information on SSH can be obtained from
http:www.ssh.org
Secure Sockets Layer (SSL) is a standard for the secure transmission of documents over the Internet using HTTPS (secure HTTP). SSL uses digital signatures to ensure that transmitted data is not tampered with.
Single sign-on enables a you to authenticate once, combined with strong authentication occurring transparently in subsequent connections to other databases or applications. It lets you access multiple accounts and applications with a single password, entered during a single connection.
<VirtualHost>
Oracle HTTP Server has the capabilities to serve many different Web sites simultaneously. Directives can also be scoped by placing them inside <VirtualHost
> sections, so that they will only apply to requests for a particular Web site.
Virtual host refers to the practice of maintaining more than one server on one machine, as differentiated by their apparent hostname. For example, it is often desirable for companies sharing a Web server to have their own domain, and Web servers accessible as, for example, www.oracle1.com
and www.oracle2.com
, without requiring you to know any extra path information.
Also called a digital wallet. A wallet is a data structure used to store and manage security credentials for an individual entity. It implements the storage and retrieval of credentials for use with various cryptographic services. A Wallet Resource Locator (WRL) provides all the necessary information to locate the wallet.
A wallet resource locator (WRL) provides all necessary information to locate a wallet. It is a path to an operating system directory that contains a wallet.