|Oracle® Collaboration Suite Security Guide
10g Release 1 (10.1.1)
Part Number B14489-02
The tier of Oracle Collaboration Suite that runs the server applications that provide specific functionality to end users. The term "Applications tier" replaces the term "middle tier" that was used in previous releases. Each Applications tier corresponds to an instance of Oracle Application Server. See also Oracle Collaboration Suite Applications.
The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to granting access to resources in a system. A recipient of an authenticated message can be certain of the message's origin (its sender). Authentication is presumed to preclude the possibility that another party has impersonated the sender.
The percentage or amount of scheduled time that a computing system provides application service.
Also called a digital certificate. An ITU x.509 v3 standard data structure that securely binds an identity to a public key.
A certificate is created when an entity's public key is signed by a trusted identity, a certificate authority. The certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.
A certificate contains the entity's name, identifying information, and public key. It is also likely to contain a serial number, expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, it contains information about the certificate authority that issued it.
A trusted third party that certifies that other entities—users, databases, administrators, clients, servers—are who they say they are. When it certifies a user, the certificate authority first seeks verification that the user is not on the certificate revocation list (CRL), then verifies the user's identity and grants a certificate, signing it with the certificate authority's private key. The certificate authority has its own certificate and public key which it publishes. Servers and clients use these to verify signatures the certificate authority has made. A certificate authority might be an external company that offers certificate services, or an internal organization such as a corporate MIS department.
A set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, for example, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.
Unencrypted data in ASCII format.
The tier of Oracle Collaboration Suite that consists of the end-user applications that reside on client devices, such as desktops, laptops, wireless phones, and PDAs. See also Oracle Collaboration Suite Applications.
The process of converting the contents of an encrypted message back into its original readable format.
Data Encryption Standard. A commonly used symmetric key encryption method that uses a 56-bit key.
demilitarized zone (DMZ)
A set of computers that is isolated from the Internet by a firewall on one side, and from a company's intranet by a firewall on the other side. This set of computers is viewed as semi-secure. They are protected from the open Internet, but are not completely trusted like computers that are inside the second firewall and part of the company's intranet. In a typical application server configuration with a DMZ, only the Web listener and the static content for the Web site are placed in the DMZ. All business logic, databases, and other critical data and systems in the intranet are protected.
distinguished name (DN)
The unique name of a directory entry. It comprises all of the individual names of the parent entries back to the root.
The process of disguising a message thereby rendering it unreadable to any but the intended recipient. Encryption is performed by translating data into secret code. There are two main types of encryption: public key encryption (or asymmetric-key encryption) and symmetric-key encryption. See symmetric key cryptography.
A computer that acts as an intermediary to protect a set of computers or networks from outside attack. It regulates access to computers on a local area network from outside, and regulates access to outside computers from within the local area network. A firewall can work either by acting as a proxy server that forwards requests so that the requests behave as though they were issued by the firewall computer, or by examining requests and attempting to eliminate suspect calls.
The tier of Oracle Collaboration Suite that consists of the components that provide services, such as identity management and metadata storage, for the Applications tier. Components of the Infrastructure tier include Oracle Collaboration Suite Database and Oracle Identity Management. See also Oracle Collaboration Suite Infrastructure.
A public key and its associated private key.
Lightweight Directory Access Protocol (LDAP)
A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. The framework of design conventions supporting industry-standard directory products, such as the Oracle Internet Directory.
A hashing algorithm intended for use on 32-bit computers to create digital signatures. MD5 is a one-way hash function, meaning that it converts a message into a fixed string of digits that form a message digest.
Representation of text as a string of single digits. It is created using a formula called a one-way hash function.
Oracle Collaboration Suite
An integrated suite of software applications to enable communication, messaging, and content sharing in an enterprise environment. At an architectural level, it includes three tiers: an Applications tier, which consists of server applications that provide the basic functionality, a Client tier, which consists of applications on desktops, laptops, and wireless devices, and an Infrastructure tier, which provides centralized services, such as identity management and metadata storage, for the applications.
Oracle Collaboration Suite Applications
The applications that make up Oracle Collaboration Suite, namely:
Oracle Collaboration Suite Search
Oracle Content Services
Oracle Mobile Collaboration
Oracle Real-Time Collaboration
Oracle Voicemail & Fax
Oracle Collaboration Suite Database
The default database included with Oracle Collaboration Suite to hold application data and metadata. The Oracle Collaboration Suite Database is part of the Oracle Collaboration Suite Infrastructure.
Oracle Collaboration Suite Infrastructure
The underlying components that support Oracle Collaboration Suite and provide centralized product metadata and security services, configuration information, and data repositories for Oracle Collaboration Suite Applications. Oracle Collaboration Suite Infrastructure uses and builds on OracleAS Infrastructure. It includes the Oracle Collaboration Suite Database and Oracle Identity Management. See also Infrastructure tier.
Oracle Identity Management
An integrated set of components that provide distributed security to Oracle products and make it possible to centrally and securely manage enterprise identities and their access to applications in the enterprise. It includes the following components: Oracle Internet Directory, Oracle Directory Integration and Provisioning, Oracle Delegated Administration Services, OracleAS Single Sign-On, and Oracle Application Server Certificate Authority.
An Oracle product that enables two or more computers that run an Oracle database server or Oracle tools, such as Designer/2000 to exchange data through a third-party network. Oracle Net supports distributed processing and distributed databases. Oracle Net is an open system because it is independent of the communication protocol, and users can interface Oracle Net to many network environments.
A public key encryption standard (PKCS). RSA Data Security, Inc., PKCS #12 is an industry standard for storing and transferring personal authentication credentials—typically in a format called a wallet.
A server that typically sits on a network firewall and allows clients behind the firewall to access Web resources. All requests from clients go to the proxy server rather than directly to the destination server. The proxy server forwards the request to the destination server and passes the received information back to the client. The proxy server channels all Web traffic at a site through a single, secure port; this allows an organization to create a secure firewall by preventing Internet access to internal computers, while allowing Web access.
public key cryptography
public key encryption
The process where the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using its private key.
public/private key pair
A set of two numbers used for encryption and decryption, where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are held by their respective owners. Though mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key. Public and private keys are used only with asymmetric encryption algorithms, also called public-key encryption algorithms, or public-key cryptosystems. Data encrypted with either a public key or a private key from a key pair can be decrypted with its associated key from the key-pair. However, data encrypted with a public key cannot be decrypted with the same public key, and data encrypted with a private key cannot be decrypted with the same private key.
A public key encryption technology developed by RSA Data Security. The RSA algorithm is based on the fact that it is computationally expensive to factor very large numbers. This makes it mathematically unfeasible, because of the computing power and time required, to decode an RSA key.
A measure of how well the software or hardware product is able to adapt to future business needs.
Secure Hash Algorithm
An algorithm that assures data integrity by generating a 160-bit cryptographic message digest value from given data. If as little as a single bit in the data is modified, the Secure Hash Algorithm checksum for the data changes. Forgery of a given data set in a way that will cause the Secure Hash Algorithm to generate the same result as that for the original data is considered computationally infeasible.
An algorithm that takes a message of less than 264 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
Secure Sockets Layer (SSL)
A protocol developed by Netscape Corporation. SSL is an industry-accepted standard for network transport layer security. SSL provides authentication, encryption, and data integrity, in a public key infrastructure (PKI). By supporting SSL, OracleAS Web Cache is able to cache pages for HTTPS protocol requests.
The ability of a user to authenticate once, combined with strong authentication occurring transparently in subsequent connections to other databases or applications. Single sign-on lets a user access multiple accounts and applications with a single password, entered during a single connection. Single password, single authentication.
symmetric key cryptography
Encryption method that uses the same key to encrypt and decrypt data using a mathematical formula.
A trusted certificate, sometimes called a root key certificate, is a third-party identity that is qualified with a level of trust. The trusted certificate is used when an identity is being validated as the entity it claims to be. Typically, the certificate authorities you trust are called trusted certificates. If there are several levels of trusted certificates, a trusted certificate at a lower level in the certificate chain does not need to have all of its higher level certificates verified again.
Also called a digital wallet. A wallet is a data structure used to store and manage security credentials for an individual entity. It implements the storage and retrieval of credentials for use with various cryptographic services. A wallet resource locator (WRL) provides all the necessary information to locate the wallet.
Web-based Distributed Authoring and Versioning. A protocol extension to HTTP 1.1 that supports distributed authoring and versioning. With WebDAV, the Internet becomes a transparent read and write medium, where content can be checked out, edited, and checked into a URL address.
Public keys can be formed in various data formats. The X.509 v3 format is one such popular format.