iSQL*Plus User's Guide and Reference
Release 9.0.1

Part Number A88826-01

Configuring iSQL*Plus, 7 of 8


iSQL*Plus Security

Each iSQL*Plus log in is uniquely identified, so you can:

iSQL*Plus supports this stateful behavior by storing session context information in the Oracle HTTP Server. You must ensure that your listener always routes HTTP requests to the same server, otherwise the session context will not be found.

However, you may find it useful to start more than one Oracle HTTP Server to distribute user load across the multiple servers.

There are two main areas to consider for security and user authentication when using iSQL*Plus:

In this release of iSQL*Plus, security for the connection between the web browser and the Oracle HTTP Server is provided by standard HTTPS, which is fully supported by Oracle. It enables secure listener connections with an Oracle-provided encryption mechanism via the Secure Sockets Layer (SSL). It can be implemented when installing the Oracle HTTP Server by installing the mod_ssl module. For detailed information about implementing HTTPS security in Oracle, see the Oracle Advanced Security Administrator's Guide.

The Oracle Net connection between the iSQL*Plus module and Oracle9i provides the same security as in previous client server architectures. For more information about Oracle Net connection security, see the Oracle Net Services Administrator's Guide and the Oracle Advanced Security Administrator's Guide.

Using Administration Privileges

There are two modes of access to iSQL*Plus:

When you log in with User privileges, you cannot use the SQL*Plus CONNECT command to reconnect with AS SYSDBA or AS SYSOPER privileges, and therefore cannot perform privileged operations such as shutting down the server. Any attempt to connect with AS SYSDBA or AS SYSOPER privileges from a user session will fail with the error message "SP2-0563: Insufficient privileges".

Enabling User Security

You may want to limit the users who can access iSQL*Plus. Oracle HTTP Server authentication is required for AS SYSDBA and AS SYSOPER connections, but not for User connections. You can edit the isqlplus.conf file to enable Oracle HTTP Server authentication for User connections by changing the following lines:

<Location /isqlplus>
  SetHandler iplus-handler
  Order deny,allow
  Allow from all
</Location>

to:

<Location /isqlplus>
  SetHandler iplus-handler
  Order deny,allow
  AuthType Basic
  AuthName 'iSQL*Plus'
  AuthUserFile %ORACLE_HOME%\sqlplus\admin\iplus.pw
  Require valid-user
</Location>

In this case, iplus.pw is suggested as the file to contain the Oracle HTTP Server authentication usernames and passwords for User connections. Now, whenever a User connection is requested, users are not only required to enter their Oracle9i username and password, but they are also prompted to enter an Oracle HTTP Server authentication username and password.
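
The following check is an added example, not part of the Oracle documentation. It reads the text of an isqlplus.conf-style file and reports, for each Location block served by iplus-handler, which of the authentication directives introduced above are still missing. The function name audit_iplus_locations and the /server-status block are constructed for illustration.

```python
import re

# Directives the page's edited <Location /isqlplus> block adds for User connections.
REQUIRED = ("authtype", "authuserfile", "require")

# The two blocks shown on the page, plus one constructed block that is not iSQL*Plus.
BEFORE = r"""
<Location /isqlplus>
  SetHandler iplus-handler
  Order deny,allow
  Allow from all
</Location>
"""
AFTER = r"""
<Location /server-status>
  SetHandler server-status
</Location>
<Location /isqlplus>
  SetHandler iplus-handler
  Order deny,allow
  AuthType Basic
  AuthName 'iSQL*Plus'
  AuthUserFile %ORACLE_HOME%\sqlplus\admin\iplus.pw
  Require valid-user
</Location>
"""

def audit_iplus_locations(conf_text):
    """Map each <Location> handled by iplus-handler to its missing auth directives."""
    results, path, seen = {}, None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            path, seen = opened.group(1).strip("\"' "), {}
        elif line.lower() == "</location>":
            if path and seen.get("sethandler", "").lower() == "iplus-handler":
                results[path] = [d for d in REQUIRED if d not in seen]
            path = None
        elif path:
            parts = line.split(None, 1)
            seen[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return results

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_iplus_locations(text))
```

An empty list for /isqlplus means User connections are prompted for Oracle HTTP Server credentials; a non-empty list names the directives still to be added.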

Adding Entries to an Oracle HTTP Server Authentication File

To connect with SYSDBA or SYSOPER privileges, your username and password must be added to the iSQL*Plus authentication file for the Oracle HTTP Server. On installation, the authentication file is created with no user entries at %ORACLE_HOME%\sqlplus\admin\iplusdba.pw. The username and password used in the authentication file are independent of the Oracle9i username and password.

If you have enabled Oracle HTTP Server authentication for User connections, you need to create a separate authentication file to contain username/password entries for User level connections. See "Enabling User Security" for information about enabling User level Oracle HTTP Server authentication.

To create a new user entry in an Oracle HTTP Server authentication file:

  1. Log in to the Oracle HTTP Server as the Oracle HTTP Server administrator.

  2. Run the htpasswd utility to add users to the authentication file. For AS SYSDBA or AS SYSOPER users, use the form:

    htpasswd %ORACLE_HOME%\sqlplus\admin\iplusdba.pw username

    For User connections, where iplus.pw has been created as the authentication file, use the form:

    htpasswd %ORACLE_HOME%\sqlplus\admin\iplus.pw username

    In both cases you are prompted for the associated password. For further information about htpasswd, see the Oracle HTTP Server documentation.

Logging In Using Oracle HTTP Server Authentication

To connect to a database instance with SYSDBA or SYSOPER privileges, or as a User with Oracle HTTP Server authentication enabled:

  1. Open a browser window and start a new iSQL*Plus session.

  2. Enter your Oracle9i username and password.

  3. Enter a Connection Identifier for the database connection you want, or leave the Connection Identifier blank to connect to the default database.

  4. Select the AS SYSDBA, AS SYSOPER, or User privileges you want for this database connection from the Privileges: dropdown list on the Log In screen.

  5. Click Log In. You are prompted to enter your Oracle HTTP Server authentication username and password. The username and password must be a valid entry in the Oracle HTTP Server authentication file. A login screen similar to the following is displayed:


    [Illustration: logindba.gif]

  6. Click OK. You are connected to the selected database with the SYSDBA, SYSOPER, or User privileges you requested.

Security Usage Notes

The following notes may assist you in understanding and configuring iSQL*Plus:


Copyright © 1996-2001, Oracle Corporation.

All Rights Reserved.