Oracle9iAS Single Sign-On
Administrator's Guide
Release 3.0.9, Part Number A88732-01
This chapter discusses deployment considerations for Oracle9iAS Single Sign-On and Login Server.
The user ADMIN must have Full Administrator privileges and must be created before you switch authentication methods from Local User Authentication to External Repository Authentication. The user ADMIN, which is always authenticated by the local repository, can perform Login Server administrative tasks even if the external repository is not operational.
ADMIN can only log in to Login Server for administrative purposes and cannot access any partner or external applications.
The demo certificate that ships with the 9i Application Server cannot be used to configure the Oracle9iAS Portal for SSL. In order to enable SSL on Oracle9iAS Portal, you must obtain a valid certificate from a supported certificate vendor.
Oracle9iAS Portal currently supports the Verisign, GTE CyberTrust, Entrust, Thawte, and Netscape certificate providers.
For help with troubleshooting Oracle9iAS Portal technical problems, refer to the Oracle Portal Troubleshooting Guide in the Download/Install/Configure section in the Oracle9iAS Portal page on the Oracle Technology Network:
http://technet.oracle.com/products/iportal
Login Server logs user activity, such as login successes, login failures, and password changes, in the wwsso_audit_log_view audit log.
The following entries are logged in the audit table:
- ACTION_LOGIN_OK
- ACTION_LOGIN_FAILED
- ACTION_CHNG_PASSWD_OK
- ACTION_CHANGE_PASSWD_FAILED
- ACTION_RESET_PASSWD_OK
- ACTION_RESET_PASSWD_FAILED
- ACTION_CLEAR_AUDIT_LOG
- ACTION_PURGE_AUDIT_LOG
To view the log table, use SQL*Plus to log into the schema as follows:
sqlplus> ???
sqlplus> select * from wwsso_audit_log_view;
The Login Server Administrator must occasionally purge the log table from the audit log to save disk space. To purge the log, run the purgelog.sql script from the Login Server schema.
For a secure login, Login Server administrators must observe the following precautions:
- The Login Server schema, portal30_sso.
- Also, the administrator must change the password for all default Login Server administrator accounts.
- The mod_plsql administration path, for example http://foo.com/pls/admin_/, must be protected, either by disabling it from mod_plsql or by performing an authentication check.
The Login Server supports the following password rules. The Login Server administrator can enable or disable them from the Login Server Administration menu.
Login Server supports two kinds of user lockout:
- IP lockout: when a user unsuccessfully tries to log in too many times from a single machine, the Login Server blocks that user from logging in from that machine's IP address for a certain amount of time.
- Global lockout: if a user is IP locked out from more than one machine, then that user is locked out for all machine IP addresses for a certain amount of time.
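The following Python block is an added example, not Oracle's code, that serves both the audit log section above and the two lockout rules just described: it reads constructed audit records that use the ACTION_* codes the page lists, summarises failed logins per user and source IP (the figures an administrator would otherwise pull from wwsso_audit_log_view), and derives the IP and global lockout state from them. The record field names, the failure threshold, the counting window and the lockout durations are assumptions, because the page does not state the actual configuration values; the only rule taken directly from the text is that an IP lockout from more than one machine becomes a global lockout.

```python
"""Added example (not Oracle's code): a model of the Login Server IP and global
lockout rules, driven by constructed audit-log records. Field names, thresholds
and durations are assumptions; the page does not give the real settings."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values (the page leaves the IP and global lockout settings unspecified).
IP_FAILURE_THRESHOLD = 3        # failed logins from one IP before that IP is locked
IP_LOCKOUT_MINUTES = 10         # how long a locked IP stays locked
GLOBAL_MACHINE_THRESHOLD = 2    # "more than one machine" locked -> lock the user everywhere
GLOBAL_LOCKOUT_MINUTES = 60     # how long the global lockout lasts
FAILURE_WINDOW_MINUTES = 15     # failures older than this no longer count


@dataclass(frozen=True)
class AuditRecord:
    """One audit row; the field names are assumed, not the real view's columns."""
    user: str
    ip: str
    action: str
    at: datetime


T0 = datetime(2001, 6, 1, 9, 0, 0)   # constructed base timestamp for the sample rows


def minutes_after(n):
    """Timestamp n minutes after T0 (keeps the sample data and tests readable)."""
    return T0 + timedelta(minutes=n)


# Constructed rows, not real audit data: jsmith fails from two machines, kwong from
# one, admin fails once then succeeds, mlee's failure is too old to count.
SAMPLE_LOG = (
    [AuditRecord("jsmith", "10.0.0.5", "ACTION_LOGIN_FAILED", minutes_after(i)) for i in range(3)]
    + [AuditRecord("jsmith", "10.0.0.9", "ACTION_LOGIN_FAILED", minutes_after(3 + i)) for i in range(3)]
    + [AuditRecord("kwong", "10.0.0.11", "ACTION_LOGIN_FAILED", minutes_after(i)) for i in range(3)]
    + [AuditRecord("admin", "10.0.0.7", "ACTION_LOGIN_FAILED", minutes_after(1)),
       AuditRecord("admin", "10.0.0.7", "ACTION_LOGIN_OK", minutes_after(2)),
       AuditRecord("mlee", "10.0.0.3", "ACTION_LOGIN_FAILED", minutes_after(-120))]
)


def failed_logins_by_source(records):
    """Count ACTION_LOGIN_FAILED rows per (user, ip): the first thing to look at in the audit log."""
    counts = defaultdict(int)
    for r in records:
        if r.action == "ACTION_LOGIN_FAILED":
            counts[(r.user, r.ip)] += 1
    return dict(counts)


def evaluate_lockouts(records, now):
    """Return {user: {"ip": {ip: unlock_time}, "global": unlock_time or None}} for
    lockouts that are still active at `now`."""
    window_start = now - timedelta(minutes=FAILURE_WINDOW_MINUTES)
    failures = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r.action == "ACTION_LOGIN_FAILED" and r.at >= window_start:
            failures[r.user][r.ip].append(r.at)

    result = {}
    for user, per_ip in failures.items():
        locked_ips = {}
        for ip, times in per_ip.items():
            if len(times) >= IP_FAILURE_THRESHOLD:
                until = max(times) + timedelta(minutes=IP_LOCKOUT_MINUTES)
                if until > now:                      # expired IP lockouts are ignored
                    locked_ips[ip] = until
        global_until = None
        if len(locked_ips) >= GLOBAL_MACHINE_THRESHOLD:   # locked from more than one machine
            global_until = max(locked_ips.values()) + timedelta(minutes=GLOBAL_LOCKOUT_MINUTES)
        result[user] = {"ip": locked_ips, "global": global_until}
    return result


def is_login_allowed(lockouts, user, ip, now):
    """Apply the lockout state: a global lock blocks every IP, an IP lock only that IP."""
    state = lockouts.get(user)
    if state is None:
        return True
    if state["global"] is not None and now < state["global"]:
        return False
    until = state["ip"].get(ip)
    return until is None or now >= until


if __name__ == "__main__":
    now = minutes_after(6)
    for key, n in sorted(failed_logins_by_source(SAMPLE_LOG).items()):
        print(f"{key[0]:8s} {key[1]:12s} failed logins: {n}")
    for user, state in evaluate_lockouts(SAMPLE_LOG, now).items():
        print(f"{user}: locked IPs {sorted(state['ip'])}, global until {state['global']}")
```

Run as a script, the block prints the per-source failure counts and then the lockout state at T0 + 6 minutes: jsmith is locked from both machines and therefore globally, kwong is locked only from 10.0.0.11, and admin and mlee are not locked at all.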
The IP lockout configuration is as follows:
The Global lockout configuration is as follows:
To unlock a user, the Login Server must do the following:
Copyright © 2001 Oracle Corporation. All Rights Reserved.