
  2. Simplify and Strengthen Security with Oracle Application Server
     Allan L Haensgen, Senior Principal Instructor, Oracle Corporation
     Session id: 40112
  3. Security Risks in an Internet Environment
     - Data tampering and fraud
     - Eavesdropping and data theft
     - Falsifying user identities
     - Password-related threats
     - Unauthorized access to data
     - Lack of accountability
     - Hacking
  4. Addressing the Security Challenges
     - Deep data protection
       - Multi-layer protection through encryption, extensive auditing, and access control
     - Internet-scale security
       - SSL
       - Proxy authentication
       - Java
     - Secure hosting and data exchange
       - Public key infrastructure
       - Enterprise-wide user security
  5. Oracle Application Server Security Architecture
     [Diagram slide: no text content]
  6. Application Server Security
     The Oracle Application Server can be used as a client to the database, so you can employ the following security features:
     - Enterprise user security
     - Authentication and digital certificates
     - Proxy authentication
     - Connecting from the middle tier to the database
  7. Java Authentication and Authorization Service
     Java Authentication and Authorization Service (JAAS) provides key security services to the Java programmer in the following areas:
     - Authentication to identify users
     - Authorization to limit what users can do
     - Delegation to enable code to be run securely
  8. Securing the Oracle HTTP Server Itself
     The Oracle HTTP Server supports the following security schemes:
     - IP-based or domain name-based restriction
     - Basic authentication through the username and password combination
     - Certificate distinguished name (DN)-based authorization
     - Secure Sockets Layer (SSL) protocol
  9. Oracle HTTP Server Security Modules
     - mod_access is used for restriction.
     - mod_auth and mod_auth_anon are used for authentication.
     - mod_ossl is used with SSL.
     [Diagram: OHS request-processing phases, labelled Access Control, Translation, Logging, MIME Type and Response]
  10. Host-Based Access Control
     - mod_access: IP- or domain-based access control
     - You can use the allow and deny directives within a <Directory> ... </Directory> or <Location> ... </Location> context of your httpd.conf or .htaccess file:
         allow from host host ...
         deny from host host ...
  11. Host-Based Access Control
     - The order directive specifies the order in which the allow and deny commands are applied:
         order ordering
     - The ordering argument can be one of the following:
       1. deny,allow
       2. allow,deny
  12. Host-Based Access Control
     - The allow from or deny from directive:
         <Directory /docroot>
           order deny,allow
           deny from all
           allow from
         </Directory>
  13. User Authentication
     - Basic authentication is performed by the following modules:
       - mod_auth
       - mod_auth_anon
     - A resource can be protected user-based, group-based, or both.
     - To access the resource, you also need the permission defined by the Require directive.
  14. Combining User- and Host-Based Authentication
         <Location />
           AuthName "Who are you"
           AuthType Basic
           AuthUserFile /ias/Apache/Apache/auth/password
           Require valid-user
           order deny,allow
           deny from all
           allow from oracle.com
           Satisfy all
         </Location>
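Slides 10 to 14 describe how the order, allow from, deny from, Require valid-user and Satisfy directives combine, but the slides do not show what each combination actually admits. The following Python model is an added example, not code from the presentation or from Oracle: it implements the documented Apache/Oracle HTTP Server evaluation rules for those directives and runs them against constructed sample requests, including a lookalike hostname and a client with no reverse-DNS name. The class and function names (AccessPolicy, host_matches, host_allowed, request_allowed and the two demo functions) are this example's own, and every hostname, address and user name is constructed test data.

```python
"""Model of Oracle HTTP Server (Apache) host- and user-based access control.

Added example, not from the presentation or from Oracle. It implements the
documented semantics of `order`, `allow from`, `deny from`, `Require valid-user`
and `Satisfy` so the configurations on the slides can be checked against
constructed requests. Domain-name matching assumes the client hostname was
already established by the server's reverse DNS lookup; an unresolved client
has no hostname and therefore never matches a domain-name token.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AccessPolicy:
    order: str = "deny,allow"                    # "deny,allow" or "allow,deny"
    allow: list = field(default_factory=list)    # tokens from `allow from ...`
    deny: list = field(default_factory=list)     # tokens from `deny from ...`
    require_valid_user: bool = False             # `Require valid-user` present?
    satisfy: str = "all"                         # "all": host AND user, "any": host OR user


def host_matches(pattern, client_ip, client_host):
    """True if one allow/deny token matches the client (Apache matching rules)."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern.replace(".", "").replace("/", "").isdigit():
        # Full IP address, CIDR/netmask range, or partial address on an octet boundary
        if "/" in pattern:
            return ip_address(client_ip) in ip_network(pattern, strict=False)
        return client_ip == pattern or client_ip.startswith(pattern + ".")
    # Domain name: only whole components match, so "oracle.com" matches
    # "www.oracle.com" but not "notoracle.com"; no hostname means no match
    if client_host is None:
        return False
    host = client_host.lower()
    return host == pattern or host.endswith("." + pattern)


def host_allowed(policy, client_ip, client_host=None):
    """Apply the `order` rule to the allow and deny lists."""
    matches_allow = any(host_matches(p, client_ip, client_host) for p in policy.allow)
    matches_deny = any(host_matches(p, client_ip, client_host) for p in policy.deny)
    if policy.order == "deny,allow":
        # deny evaluated first, allow overrides it; default is allow
        return matches_allow or not matches_deny
    if policy.order == "allow,deny":
        # allow evaluated first, deny overrides it; default is deny
        return matches_allow and not matches_deny
    raise ValueError(f"unknown order: {policy.order}")


def request_allowed(policy, client_ip, client_host=None, authenticated_user=None):
    """Combine the host check with `Require valid-user` according to `Satisfy`."""
    host_ok = host_allowed(policy, client_ip, client_host)
    user_ok = (not policy.require_valid_user) or authenticated_user is not None
    if policy.satisfy == "any" and policy.require_valid_user:
        # Either a permitted host OR a valid login is enough; note that with no
        # deny rules host_ok is True by default, which would bypass the password.
        return host_ok or (authenticated_user is not None)
    return host_ok and user_ok


def slide_example_outcomes():
    """The slide-14 configuration: deny all, allow oracle.com, Require valid-user, Satisfy all."""
    policy = AccessPolicy(order="deny,allow", deny=["all"], allow=["oracle.com"],
                          require_valid_user=True, satisfy="all")
    return {  # constructed requests
        "oracle host + password": request_allowed(policy, "192.0.2.10", "www.oracle.com", "scott"),
        "oracle host, no password": request_allowed(policy, "192.0.2.10", "www.oracle.com"),
        "outside host + password": request_allowed(policy, "198.51.100.7", "host.example.net", "scott"),
        "lookalike host + password": request_allowed(policy, "198.51.100.8", "notoracle.com", "scott"),
        "no reverse DNS + password": request_allowed(policy, "192.0.2.11", None, "scott"),
    }


def order_pitfall():
    """Same deny/allow lists under both `order` values: only deny,allow admits oracle.com."""
    results = {}
    for order in ("deny,allow", "allow,deny"):
        policy = AccessPolicy(order=order, deny=["all"], allow=["oracle.com"])
        results[order] = host_allowed(policy, "192.0.2.10", "www.oracle.com")
    return results


if __name__ == "__main__":
    for label, allowed in slide_example_outcomes().items():
        print(f"{label:28s} -> {'allowed' if allowed else 'denied'}")
    print("order pitfall:", order_pitfall())
```

Two points the model makes visible: "deny from all" plus "allow from oracle.com" only admits oracle.com hosts under order deny,allow (under allow,deny the deny wins and nobody gets in), and Satisfy all is what makes the password mandatory even for oracle.com hosts, whereas Satisfy any would let any oracle.com host in without credentials.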
  15. Establishing Secure Web Sessions
     - The SSL protocol is a standard for secure data transmission over the Internet.
     - SSL involves three mechanisms:
       - Encryption
       - Authentication
       - Data integrity
     - SSL is implemented through mod_ossl.
  16. How SSL Works
     [Diagram: https exchange between the browser and Oracle9iAS; labelled steps: public certificate, session key, request client certificate (optional)]
  17. Oracle Wallet Manager
     Oracle Wallet Manager is a stand-alone Java application for:
     - Generating a public/private key pair and creating a certificate request for submission to a CA
     - Installing a certificate for the entity
     - Configuring trusted certificates for the entity
     - Uploading or downloading a wallet to or from an LDAP directory such as Oracle Internet Directory
     - Importing and exporting wallets
  18. Creating a Certificate Request
     [Screenshot slide: no text content]
  19. Exporting a Certificate Request
     [Screenshot slide: no text content]
  20. Oracle HTTP Server with SSL Enabled
     Oracle HTTP Server is already SSL enabled after the installation:
     - SSL is enabled in opmn.xml:
         <ohs>
           <start-mode mode="ssl"/>
         </ohs>
     - There is no specific command to start the Oracle HTTP Server with SSL enabled:
         $> cd $ORACLE_HOME/dcm/bin
         $> dcmctl start -ct ohs
  21. What is Single Sign-On?
     Oracle Application Server Single Sign-On (SSO) is a service that enables:
     - Authentication to multiple applications in an enterprise by entering a username and password only once
     - Centralized administration of username and password combinations for all users in an enterprise
  22. Single Sign-On
     SSO technology utilizes:
     - mod_osso: an HTTP module that provides single sign-on authentication to Oracle9iAS applications
     - Oracle Internet Directory: a Lightweight Directory Access Protocol (LDAP) server using an Oracle9i database as its information store
     - Oracle Wallet Manager: a container utility that stores and manages X.509 certificates and trusted certificates
  23. Single Sign-On
     Oracle9iAS SSO technology provides:
     - Public key infrastructure (PKI) support when using Oracle Internet Directory
     - Multitier integration
  24. Authenticating Partner Applications
     [Diagram: authentication flow (steps 1 to 7) between Oracle Internet Directory, the SSO Server, the partner application and Oracle HTTP Server]
  25. Administering Users With the Delegated Administration Service (DAS)
         http://<host name>:<port>/oiddas
  26. Lightweight Directory Access Protocol (LDAP)
     LDAP offers the following features:
     - Simplified ISO X.500 Directory Access Protocol
     - Lightweight, browser-friendly client implementation
     - Protocol standard defined and maintained by the Internet Engineering Task Force (IETF)
     - Need for interoperability is driving rapid adoption in the IT community
  27. Oracle Internet Directory (OID)
     OID is:
     - Compliant with LDAP version 3
     - Implemented as an Oracle9i application
     OID includes:
     - Oracle Directory Server
     - Oracle Directory Replication Server
     - Oracle Directory Manager
     - Command-line tools
     - Delegated Administration Service (DAS)
  28. OID Architectural Overview
     [Diagram: OID clients connect to OID over LDAP or LDAP over SSL; OID reaches the Oracle database over Oracle Net connections; directory administration is shown alongside]
  29. Benefits of OID
     OID provides:
     - Delegated Administration Service (DAS)
     - Failover in cluster configurations
     - Support for Oracle Real Application Clusters
     - Oracle Directory Integration platform, to synchronize with other enterprise repositories including third-party LDAP directories
     - Password policy management
  30. Identity Management
     - Centralizes and automates many application user management functions
     - Faster deployments
     - Brings OID, SSO, DAS, and other security components into one management system
  31. Q & A: Questions and Answers