7 OC4J Policy

This chapter provides the following information for the Oracle Application Server Containers for J2EE (OC4J) policy:

  • Brief description of the policy

  • Summary of the policy's main properties

  • Default values for the policy: parameters with their default values and objects excluded by default

  • Impact of the policy violation

  • Action to perform when the violation occurs

The OC4J policies are categorized as follows:

7.1 Configuration Policies

The configuration policies for the OC4J target are:

7.1.1 Non-Shared Software Library Existence

This policy checks that all the software libraries are shared among all the Oracle Management servers.

Policy Summary

The following table lists the policy's main properties.

Severity: Warning
Category: Configuration
Target Type: OC4J
Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
Automatically Enabled?: Yes
Alert Message: Not Available.

Footnote 1 The policy rule is evaluated each time its underlying metric is collected.

Defaults

Parameters and Their Default Values

None

Objects Excluded by Default

None

Impact of Violation

Not available.

Action

Not available.

7.2 Security Policies

The security policies for the OC4J target are:

7.2.1 OC4J Password Indirection

This policy verifies that password indirection is used in OC4J XML configuration and deployment files.

Policy Summary

The following table lists the policy's main properties.

Severity: Critical
Category: Security
Target Type: OC4J
Versions Affected: Oracle Application Server 9.0.4.x and Oracle Application Server 10.1.2.x
Policy Rule Evaluation (see Footnote 1): The underlying metric has a collection frequency of once every 24 hours.
Automatically Enabled?: Yes
Alert Message: Password indirection is not used in configuration file %FILE_NAME%.

Footnote 1 The policy rule is evaluated each time its underlying Password_Indirection metric is collected.

Defaults

Parameters and Their Default Values

None

Objects Excluded by Default

None

Impact of Violation

Embedding passwords directly in deployment and configuration files poses a security risk, especially if the file permissions allow any user to read them.

Action

To avoid this problem, OC4J provides password indirection and password obfuscation.
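
The following added example (not Oracle's policy implementation and not part of the original chapter) approximates this check for a single XML file: it flags password attributes that do not use the OC4J indirection form password="->username" and reports whether the file is readable by any user. The sample XML, the data source names, and the function names are constructed for illustration, and matching on attribute names that contain "password" is an assumed heuristic.

```python
import os
import stat
import xml.etree.ElementTree as ET

INDIRECTION_PREFIX = "->"  # OC4J indirection syntax: password="->username"

# Constructed sample in the style of an OC4J data-sources.xml; values are made up.
SAMPLE = """<data-sources>
  <data-source name="OrdersDS" username="orders" password="example-secret"/>
  <data-source name="BillingDS" username="billing" password="->billing"/>
</data-sources>"""


def find_embedded_passwords(xml_text):
    """Return (tag, name attribute, attribute) for each password not using indirection."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            # Assumed heuristic: any attribute whose name contains "password".
            if ("password" in attr.lower() and value
                    and not value.startswith(INDIRECTION_PREFIX)):
                findings.append((elem.tag, elem.get("name", ""), attr))
    return findings


def audit_file(path):
    """Check one configuration file for embedded passwords and loose permissions."""
    with open(path, encoding="utf-8") as handle:
        findings = find_embedded_passwords(handle.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "file": path,
        "embedded": findings,
        # The impact text singles out files that any user can read.
        "world_readable": bool(mode & stat.S_IROTH),
        # Same wording as the policy's alert message, with the file name filled in.
        "alert": ("Password indirection is not used in configuration file %s." % path
                  if findings else None),
    }


if __name__ == "__main__":
    for tag, name, attr in find_embedded_passwords(SAMPLE):
        print("embedded password: <%s name=%r> attribute %r" % (tag, name, attr))
```

Obfuscated values are also reported by this check, because the policy tests specifically for indirection.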