• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Download presentation/whitepaper

Download presentation/whitepaper






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Download presentation/whitepaper Download presentation/whitepaper Presentation Transcript

    • Simplify and Strengthen Security with Oracle Application Server Allan L Haensgen Senior Principal Instructor Oracle Corporation Session id: 40112
    • Security Risks in an Internet Environment
        • Data tampering and fraud
        • Eavesdropping and data theft
        • Falsifying user identities
        • Password-related threats
        • Unauthorized access to data
        • Lack of accountability
        • Hacking
    • Addressing the Security Challenges
        • Deep data protection
          • Multi-Layer protection through encryption, extensive auditing, and access control
        • Internet-scale security
          • SSL
          • Proxy authentication
          • Java
        • Secure hosting and data exchange
          • Public key infrastructure
          • Enterprise wide user security
    • Oracle Application Server Security Architecture
    • Application Server Security
      • The Oracle Application Server can be used as a client to the database and therefore you can employ the following security features:
        • Enterprise user security
        • Authentication and digital certificates
        • Proxy authentication
        • Connecting from the middle tier to the database
    • Java Authentication and Authorization Service
      • Java Authentication and Authorization Service (JAAS) provides key security services to the Java programmer in the following areas:
        • Authentication to identify users
        • Authorization to limit what users can do
        • Delegation to enable code to be run securely
    • Securing the Oracle HTTP Server Itself
      • The Oracle HTTP Server supports the following security schemes:
        • IP-based or domain name–based restriction
        • Basic authentication through the username and password combination
        • Certificate distinguished name (DN)-based authorization
        • Secure Sockets Layer (SSL) protocol
    • Oracle HTTP Server Security Modules
        • mod_access is used for restriction.
        • mod_auth and mod_auth_anon are used for authentication.
        • mod_ossl is used with SSL.
      Response OHS Access Control Translation Logging MIME Type 1 2 3 4 5
    • Host-Based Access Control
        • mod_access : IP- or domain-based access control
        • You can use the allow and deny directives within the <Directory> ... </Directory> <Location> ... < /Location> context of your httpd.conf or .htaccess file:
      allow from host host ... deny from host host ...
    • Host-Based Access Control
        • The order directive specifies the order in which the allow and deny commands are applied:
        • The ordering argument can be one of the following:
      order ordering 1. deny,allow 2. allow,deny
    • Host-Based Access Control
      • The allow from or deny from directive:
      <Directory /docroot> order deny,allow deny from all allow from </Directory>
    • User Authentication
      • Basic authentication is performed by the following modules:
        • mod_auth
        • mod_auth_anon
      • A resource can be a protected user or group-based, or both.
      • To access the resource, you also need to have the permission as defined by the Require directive.
    • Combining User- and Host-Based Authentication <Location /> AuthName &quot;Who are you&quot; AuthType Basic A uthUserFile /ias/Apache/Apache/auth/password Require valid-user order deny,allow deny from all allow from hq1.us. oracle .com Satisfy all </Location>
    • Establishing Secure Web Sessions
      • The SSL protocol is a standard for secure data transmission over the Internet.
      • SSL involves three mechanisms:
        • Encryption
        • Authentication
        • Data integrity
      • SSL is implemented through mod_ossl .
    • How SSL Works Browser 2 3 Oracle 9 i AS 1 4 https Public certificate Session key Request client certificate (opt)
    • Oracle Wallet Manager
      • Oracle Wallet Manager is a stand-alone Java application for:
        • Generating a public/private key pair and creating a certificate request for submission to a CA.
        • Installing a certificate for the entity.
        • Configuring trusted certificates for the entity.
        • Uploading or downloading a wallet to or from an LDAP directory such as Oracle Internet Directory.
        • Importing wallets and exporting wallets.
    • Creating a Certificate Request
    • Exporting a Certificate Request
    • Oracle HTTP Server with SSL Enabled
      • Oracle HTTP Server is already SSL enabled after the installation:
        • SSL is enabled in opmn.xml
        • There is no specific command to start the Oracle HTTP Server with SSL enabled:
      < ohs> <start-mode mode=&quot;ssl&quot;/> </ohs> $ > cd $ORACLE_HOME/dcm/bin $> dcmctl start -ct ohs
    • What is Single Sign-On?
      • Oracle Application Server Single Sign-On (SSO) is a service that enables:
        • Authentication to multiple applications in an enterprise by entering a username and password only once
        • Centralized administration of username and password combinations for all users in an enterprise
    • Single Sign-On
      • SSO technology utilizes :
        • mod_osso : An HTTP module that provides single sign-on authentication to Oracle9 i AS applications
        • Oracle Internet Directory: A Lightweight Directory Access Protocol (LDAP) server using an Oracle9 i database as its information store.
        • Oracle Wallet Manger. A container utility that stores and manages X.509 certificates and trusted certificates
    • Single Sign-On
      • Oracle9 i AS SSO technology provides:
        • Public key infrastructure (PKI) support when using Oracle Internet Directory
        • Multitier integration
    • Authenticating Partner Applications Oracle Internet Directory SSO Server Partner Application Oracle HTTP Server 1 6 7 4 5 3 2 7
    • Administering Users With the Delegated Administration Service (DAS) http://< host name> : < port > /oiddas
    • Lightweight Directory Access Protocol (LDAP )
      • LDAP offers the following features:
        • Simplified ISO X.500 Directory Access Protocol
        • Lightweight, browser-friendly client implementation
        • Protocol standard defined and maintained by the Internet Engineering Task Force (IETF)
        • Need for interoperability is driving rapid adoption in the IT community
    • Oracle Internet Directory (OID)
      • OID is:
        • Compliant with LDAP, version 3
        • Implemented as an Oracle9 i application
      • OID includes:
        • Oracle Directory Server
        • Oracle Directory Replication Server
        • Oracle Directory Manager
        • Command-line tools
        • Delegated Administration Service (DAS)
    • OID Architectural Overview Directory administration OID Oracle database Oracle Net connections LDAP over SSL OID clients LDAP
    • Benefits of OID
      • OID provides:
        • Delegated Administration Service (DAS)
        • Failover in cluster configurations
        • Support for Oracle Real Application Clusters
        • Oracle Directory Integration platform, to synchronize with other enterprise repositories including third-party LDAP directories
        • Password policy management
    • Identity Management
      • Centralizes and automates many application user management functions
      • Faster deployments
      • Brings OID, SSO, DAS, and other security components into one management system
    • A Q & Q U E S T I O N S A N S W E R S