Oracle9iAS Single Sign-On Administrator's Guide
Release 3.0.9

Part Number A88732-01

6
Deployment Considerations

This chapter discusses deployment considerations for Oracle9iAS Single Sign-On and Login Server.

This chapter contains these topics:

  Troubleshooting
  Auditing
  Security

Troubleshooting

This section contains the following topics:

  User ADMIN
  Demo Certificate
  Oracle9iAS Portal Troubleshooting

User ADMIN

The user ADMIN must have Full Administrator privileges and must be created before you switch authentication methods from Local User Authentication to External Repository Authentication. The user ADMIN, which is always authenticated by the local repository, can perform Login Server administrative tasks even if the external repository is not operational.

ADMIN can only log in to Login Server for administrative purposes and cannot access any partner or external applications.

Demo Certificate

The demo certificate that ships with the 9i Application Server cannot be used to configure the Oracle9iAS Portal for SSL. In order to enable SSL on Oracle9iAS Portal, you must obtain a valid certificate from a supported certificate vendor.

Oracle9iAS Portal currently supports the Verisign, GTE CyberTrust, Entrust, Thawte, and Netscape certificate providers.

Oracle9iAS Portal Troubleshooting

For help with troubleshooting Oracle9iAS Portal technical problems, refer to the Oracle Portal Troubleshooting Guide in the Download/Install/Configure section in the Oracle9iAS Portal page on the Oracle Technology Network:

http://technet.oracle.com/products/iportal

Auditing

Login Server logs user activity, such as login successes, login failures, and password changes, in the wwsso_audit_log_view audit log view.

The following entries are logged in the audit table:

ACTION_LOGIN_OK
ACTION_LOGIN_FAILED
ACTION_CHNG_PASSWD_OK
ACTION_CHANGE_PASSWD_FAILED
ACTION_RESET_PASSWD_OK
ACTION_RESET_PASSWD_FAILED
ACTION_CLEAR_AUDIT_LOG
ACTION_PURGE_AUDIT_LOG

To view the log table, use SQL*Plus to log in to the Login Server schema and query the view as follows:

sqlplus>   ???
sqlplus> select * from wwsso_audit_log_view;

The Login Server administrator must occasionally purge the audit log table to save disk space. To purge the log, run the purgelog.sql script from the Login Server schema.


Note:

User lockout (global or IP) functionality depends upon the audit log. If the audit log is fully purged, all users of the Login Server will be unlocked.


Security

This section contains the following topics:

  Secure Login
  Password Policy
  Account Lock Policy
  Unlocking a User

Secure Login

For a secure login, Login Server administrators must observe the following precautions:

  1. The Login Server should have SSL to protect password transmission from the user's browser to the Login Server.

  2. The schema password for the Login Server should be changed from the default value and should not be either the default schema name or portal30_sso. Also, the administrator must change the password for all default Login Server administrator accounts.


    Note:

    When you change the schema password for Login Server, you must also change the password in the corresponding DAD.


  3. The administrator URL for mod_plsql must be protected, either by disabling it in mod_plsql or by performing an authentication check on it, for example:

    http://foo.com/pls/admin_/

  4. The Login Server database must be in a trusted environment so that it is accessible only by the administrator. All Oracle Net connections to the Login Server database must be protected if they do not come from trusted zones.

  5. When the Login Server is LDAP enabled, the connection from the LDAP Server to the Login Server must be within a protected channel. SSL can be used to protect the channel.

Password Policy

The Login Server supports the following password rules. The Login Server administrator can enable or disable them from the Login Server Administration menu.

  1. The password expires after a certain time interval.

  2. The user is prompted to change the password before the password expires.

  3. The password must have a minimum length.

  4. The password cannot be the same as the user name.

  5. A new password cannot be the same as an existing password.

  6. The password must contain at least one numeric digit.

  7. The password must contain at least one character.
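The seven rules above are easy to state but easy to get subtly wrong (the expiry warning window, the history check, the "same as user name" comparison). The following is an added example, not code from the Login Server or from Oracle: a small checker that applies rules 3 to 7 to a candidate password and rules 1 and 2 to a password's age. The thresholds (90 days, 7 days, 8 characters), the function names, the SHA-256 history digests and the sample passwords are assumptions chosen for illustration; rule 7 ("at least one character") is read here as requiring at least one alphabetic character.

```python
import hashlib
from datetime import date

# Added example (not Oracle's code): a checker for the seven Login Server
# password rules. Thresholds, function names and sample data are assumptions
# chosen for illustration.

EXPIRY_DAYS = 90   # rule 1: a password expires this many days after it was set
WARN_DAYS = 7      # rule 2: prompt the user this many days before expiry
MIN_LENGTH = 8     # rule 3: minimum password length


def digest(password):
    """Password history is kept as digests so old passwords are never stored
    in clear. Unsalted SHA-256 is used only to keep the example short; a real
    store would use the schema's own password hashing."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(candidate, username, history_digests):
    """Return the rules (3 to 7) that a candidate password breaks; an empty
    list means the password is accepted."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than minimum length")        # rule 3
    if candidate.lower() == username.lower():
        violations.append("same as user name")                  # rule 4
    if digest(candidate) in history_digests:
        violations.append("same as an existing password")       # rule 5
    if not any(ch.isdigit() for ch in candidate):
        violations.append("no numeric digit")                   # rule 6
    # Rule 7 ("at least one character") is read here as at least one letter.
    if not any(ch.isalpha() for ch in candidate):
        violations.append("no alphabetic character")            # rule 7
    return violations


def expiry_status(last_changed, today):
    """Rules 1 and 2: 'ok', 'warn' (user should be prompted to change the
    password before it expires) or 'expired'. Both arguments are ISO dates
    (YYYY-MM-DD)."""
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age >= EXPIRY_DAYS:
        return "expired"
    if age >= EXPIRY_DAYS - WARN_DAYS:
        return "warn"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data: two previous passwords and four candidates.
    history = {digest("Winter2001x"), digest("Spring2001x")}
    for pw in ["admin", "12345678", "Winter2001x", "Summer2001x"]:
        print(f"{pw!r}: {password_violations(pw, 'admin', history) or 'accepted'}")
    for changed in ["2001-05-01", "2001-03-10", "2001-01-01"]:
        print(changed, "->", expiry_status(changed, "2001-06-01"))
```

The history check compares digests rather than stored passwords so that enforcing rule 5 never requires keeping old passwords in clear; the warning state for rule 2 is computed from the same expiry interval as rule 1 so the two can never disagree.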

Account Lock Policy

Login Server supports two kinds of user lockout: IP lockout and global lockout.

The IP lockout configuration is as follows:

  1. Number of login failures allowed from any IP address per day.

  2. Lockout duration for one IP address in minutes.

The Global lockout configuration is as follows:

  1. Number of login failures allowed from one IP address.

  2. Global lockout duration in days.
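The Auditing section notes that both kinds of lockout depend on the audit log and that a full purge unlocks everyone. The following is an added example, not code from the Login Server or from Oracle, showing why: it derives IP lockout and global lockout from a list of audit-log rows of the kind listed under Auditing, then shows that nothing remains to count once the log is purged. The row layout, the thresholds, the function names, the reading of global lockout as a per-account count across all addresses, and the sample rows are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Added example (not Oracle's code): deriving IP lockout and global (per-user)
# lockout from audit-log rows, and showing why a full purge unlocks everyone.
# Row layout, thresholds, function names and sample rows are assumptions.

# Lockout settings an administrator might choose (constructed values).
IP_MAX_FAILURES_PER_DAY = 4   # failures allowed from one address per day
IP_LOCK_MINUTES = 30          # how long that address then stays locked
GLOBAL_MAX_FAILURES = 2       # failures allowed for one account
GLOBAL_LOCK_DAYS = 1          # how long that account then stays locked

# Constructed audit rows: (timestamp, action, user name, client IP).
AUDIT_LOG = [
    (datetime(2001, 6, 1, 11, 0),  "ACTION_LOGIN_FAILED", "dave",  "10.0.0.7"),
    (datetime(2001, 6, 1, 11, 40), "ACTION_LOGIN_FAILED", "bob",   "10.0.0.5"),
    (datetime(2001, 6, 1, 11, 42), "ACTION_LOGIN_FAILED", "bob",   "10.0.0.5"),
    (datetime(2001, 6, 1, 11, 45), "ACTION_LOGIN_FAILED", "bob",   "10.0.0.5"),
    (datetime(2001, 6, 1, 11, 46), "ACTION_LOGIN_FAILED", "alice", "10.0.0.5"),
    (datetime(2001, 6, 1, 11, 47), "ACTION_LOGIN_FAILED", "carol", "10.0.0.5"),
    (datetime(2001, 6, 1, 11, 50), "ACTION_LOGIN_OK",     "alice", "10.0.0.9"),
]
NOW = datetime(2001, 6, 1, 12, 0)


def _dt(value):
    """Accept either a datetime or an ISO-8601 timestamp string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _failures(log, since, user=None, ip=None):
    """Login failures at or after `since`, optionally for one user or address."""
    return [row for row in log
            if row[1] == "ACTION_LOGIN_FAILED" and row[0] >= since
            and (user is None or row[2] == user)
            and (ip is None or row[3] == ip)]


def ip_locked(log, ip, now=NOW):
    """IP lockout: once an address exceeds its daily failure allowance it is
    locked for IP_LOCK_MINUTES, counted from its most recent failure."""
    now = _dt(now)
    recent = _failures(log, now - timedelta(days=1), ip=ip)
    if len(recent) <= IP_MAX_FAILURES_PER_DAY:
        return False
    last_failure = max(row[0] for row in recent)
    return now < last_failure + timedelta(minutes=IP_LOCK_MINUTES)


def user_locked(log, user, now=NOW):
    """Global lockout: an account that exceeds its failure allowance within the
    lockout window is locked whatever addresses the attempts came from."""
    now = _dt(now)
    recent = _failures(log, now - timedelta(days=GLOBAL_LOCK_DAYS), user=user)
    return len(recent) > GLOBAL_MAX_FAILURES


def purge_log(log):
    """Model a full purge of the audit table: nothing is left for the lockout
    checks to count, so every address and account is unlocked."""
    return []


def lock_report(log, now=NOW):
    """Summarise which addresses and accounts are currently locked."""
    ips = sorted({row[3] for row in log})
    users = sorted({row[2] for row in log})
    return {"ips": [ip for ip in ips if ip_locked(log, ip, now)],
            "users": [u for u in users if user_locked(log, u, now)]}


if __name__ == "__main__":
    print("before purge:", lock_report(AUDIT_LOG))
    print("after purge: ", lock_report(purge_log(AUDIT_LOG)))
```

With the sample rows, 10.0.0.5 is IP-locked (five failures, the last at 11:47) and bob is globally locked (three failures), while dave and alice are not; the same checks run after purge_log report nothing locked, which is the behaviour the Auditing note warns about. An IP lock also lapses on its own once IP_LOCK_MINUTES have passed since the last failure.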

Unlocking a User

To unlock a user, the Login Server administrator must do the following:

  1. Log in to the Oracle9iAS Single Sign-On schema using SQL*Plus.

  2. Run the script ssounlck.sql to unlock the user.


    Note:

    The ssounlck.sql script prompts the administrator for the user name to be unlocked.


Oracle
Copyright © 2001 Oracle Corporation. All Rights Reserved.