Skip Headers

Oracle9iAS Discoverer Configuration Guide
Version 9.0.2

Part Number A95458-02
Go To Table Of Contents
Contents
Go To Index
Index

Go to previous page Go to next page

13
Maintaining data security with Discoverer

13.1 Maintaining data security with Discoverer

This chapter describes the different security mechanisms that protect data accessed by Discoverer users, and contains the following topics:

13.2 About Discoverer and data security

Discoverer supports a number of security mechanisms to prevent unauthorized access to data.

The diagram below describes the different levels of security protecting data accessed by Discoverer users:


Text description of secure1.gif follows.
Text description of the illustration secure1.gif

Security is applied at three separate levels:

13.3 About Database security

At the most basic level, a user must log on to a database using a database username and password. Beyond that, access to information is regulated by the database privileges granted to the database user. The database privileges might be granted explicitly to the database user or indirectly by a database role. Discoverer users never see information to which they do not have database access.

Typically, you will set up database security using SQL*Plus or a DBA tool.

13.4 About End User Layer security

This section explains the Discoverer's End User Layer (EUL) security mechanisms.

13.4.1 About business areas

Discoverer managers can control access to information by creating and managing business areas. Discoverer users can only access information to which they have been granted access through a business area. Discoverer users can share information amongst themselves using shared workbooks, but they never see information to which they do not have database access.

Discoverer managers use Discoverer Administrator to set up EUL security. For more information about creating and maintaining business areas, see Oracle9i Discoverer Administrator Administration Guide.

13.4.2 About Discoverer connections

Discoverer managers can further control users' access to information by defining Discoverer connections, which contain Discoverer login information. Each connection specifies an End User Layer containing one or more business areas. Discoverer users can be restricted to using public connections or can be given permission to create their own private connections (see Oracle9i Discoverer Administrator Administration Guide).

Discoverer managers use Oracle9iAS Enterprise Manager to create public connections and give end users permission to create their own private connections. For more information about creating and maintaining Discoverer connections, see Oracle9i Discoverer Administrator Administration Guide.

13.4.3 About Single Sign-On

This section describes the relationship between Oracle9iAS Discoverer and Oracle9iAS Single Sign-On.

13.4.3.1 What is Oracle9iAS Single Sign-On?

Oracle9iAS Single Sign-On is a component of Oracle9i Application Server that enables users to log in to all features of the Oracle9iAS product complement, as well as to other Web applications, using a single user name and password that is entered once.

Note: Oracle9iAS Single Sign-On is implemented using Oracle Sign-On Server.

13.4.3.2 About Single Sign-On and Discoverer

When you install Oracle9i Application Server, the Oracle9iAS Single Sign-On service is installed automatically, but it is not enabled by default.

Discoverer connections work in both Single Sign-On and non-Single Sign-On environments. In an Oracle9iAS Single Sign-On environment, if a Discoverer end user starts Discoverer without having been authenticated by Oracle9iAS Single Sign-On, the user is challenged for Single Sign-On details (username and password). Having provided Single Sign-On details, the user can display the Discoverer connections page and start Discoverer without having to enter a username or password again.

Note: To enable Single Sign-On, open the mod_osso.conf file and enable SSO for discoverer/viewer and /discoverer/plus. Because Discoverer relies on Oracle9iAS Portal to protect the /discoverer/portlet provider URL, do not enable SSO for /discoverer/portlet provider.

13.4.3.3 About authentication in non-Single Sign-on environments

If you are not deploying Discoverer with Single Sign-On, when a Discoverer end user chooses a private connection for the first time in a browser session, they are prompted to confirm the database password. They are not prompted for SSO login details.

If the end user closes their browser and then starts it again (i.e. creates a new browser session), they will be prompted to confirm their database password. End users must confirm the database password each time a private connection is used. End users do not have to confirm passwords for public connections (for more information, see Oracle9i Discoverer Administrator Administration Guide).

Notes:

13.4.4 About Discoverer and Portal security

When you publish Discoverer content in a portlet produced using Oracle9iAS Portal, you give portal users access to the workbooks. However, portal users accessing Discoverer workbooks only see data to which they have database access. In other words, two different users accessing the same workbook might see different data, depending on their database privileges. For more information, see Section 11.1, "Using Discoverer with Oracle9iAS Portal".

13.5 About network security

You can use Discoverer in different network environments that might or might not include firewalls using different communication protocols (i.e. JRMP, HTTP, HTTPS).

The most appropriate network environment depends on both existing network strategies in your organization as well as your requirements for:

Discoverer Viewer and Discoverer Plus require different security configuration:

13.5.1 About Discoverer Viewer security

Discoverer Viewer uses standard HTTP or HTTPS protocols to connect Discoverer clients to the Discoverer servlet.


Text description of sec1.gif follows.
Text description of the illustration sec1.gif

Note: Discoverer Viewer client machines require only a standard Web browser to run Discoverer Viewer.

In an out-of-the-box Oracle9iAS install, Discoverer Viewer is configured as follows, depending on the environment:

13.5.2 About Discoverer Plus security

Discoverer Plus uses standard Java Remote Method Protocol (JRMP), HTTP or HTTPS protocols to connect clients to the Discoverer servlet.


Text description of sec2.gif follows.
Text description of the illustration sec2.gif

Discoverer Plus uses two communication channels:

In an out-of-the-box Oracle9iAS install, Discoverer Plus is configured as follows, depending on the environment:

Notes:

13.5.2.1 About configuring Discoverer Plus for a non-standard signing authority

If you are deploying Discoverer Plus using a non-standard or private SSL signing authority, you need to make sure that the certificate information is in the \lib\security\certdb.txt file on each client machine. This additional configuration is required because Discoverer ignores the browser's signing authority and uses Oracle JInititator's SSL technology.

13.5.2.2 About specifying a Discoverer Plus communication protocol

Using Oracle Enterprise Manager, you can specify which communication protocol the Discoverer Plus applet (i.e. the Discoverer client) and the Discoverer servlet (i.e. on the Discoverer server) use to communicate. The three communication protocol options are:

13.5.2.3 How to display the Oracle9iAS Discoverer Plus Configuration page in OEM

You use the Discoverer Plus Configuration page in Oracle Enterprise Manager to specify a Discoverer Plus communication protocol. For example, if you want to encrypt Discoverer Plus data, you might want to configure Discoverer Plus to use the HTTPS communication protocol.

How to display the Oracle9iAS Discoverer Plus Configuration page in OEM:

  1. Start Oracle Enterprise Manager.

    If you are connected to the Oracle HTTP Server locally, the URL will be in the form:

    http://hostname:1810

    If you are connecting to the Oracle HTTP server remotely, contact the contact the Oracle9iAS system manager for information about which URL to use.

    Note: For more information about starting OEM, see Oracle Enterprise Manager Configuration Guide.

  2. When prompted, enter a user name and password.

    Note: If you need an OEM user name and password, contact the Oracle9iAS system manager.

  3. Click OK to start Oracle Enterprise Manager.

The Oracle Enterprise Manager main page is displayed.


Text description of oem1.gif follows.
Text description of the illustration oem1.gif

  1. In the Name column, select the instance that you want to update to display a list of components on that machine (e.g. iasdb.host1.uk.companyname.com).

    A list of Oracle9iAS components on that machine is displayed (e.g. HTTP Server, OC4J_BI_Forms, Web Cache, OC4J_Portal).

  2. In the Name column, select the OC4J_BI_Forms link to display the Oracle9iAS Discoverer Services Configuration page.

Figure 13-1 Oracle9iAS Discoverer Services Configuration page


Text description of oem2.gif follows.
Text description of the illustration oem2.gif

  1. In the Update column, select the Update icon in the Discoverer Plus row to display the Discoverer Plus configuration page.


    Text description of oem3.gif follows.
    Text description of the illustration oem3.gif

The Discoverer Plus configuration page enables you to change the Discoverer Plus communication protocol (for more information, Section 13.5.2.2, "About specifying a Discoverer Plus communication protocol").

13.5.2.4 How to set up Discoverer Plus to use the default communication protocol

To set up Discoverer Plus to use the default communication protocol:

  1. Start Oracle Enterprise Manager and navigate to the Oracle9iAS Discoverer Plus Configuration page (for more information, see Section 13.5.2.3, "How to display the Oracle9iAS Discoverer Plus Configuration page in OEM").


    Text description of oem3.gif follows.
    Text description of the illustration oem3.gif

  1. Select the Default radio button from the Select a communication protocol for Discoverer Plus options.

    The Discoverer Plus applet will attempt to use JRMP. If JRMP is not available, the Discoverer Plus applet will use HTTP or HTTPS (depending on the URL) to communicate with the Discoverer servlet.

    Note: This option works regardless of whether the applet is running inside or outside a firewall. However, it will be slower outside the firewall because JRMP will be tried first. For more information about the other options on this page, refer to "About specifying a Discoverer Plus communication protocol"

  2. Click Apply to save the details and display the Oracle9iAS Discoverer Services Configuration page.

  3. Give Discoverer Plus users the URL of the Discoverer servlet:

    For example, http://machinename.myorganization.com:7777/discoverer/plus

13.5.2.5 How to set up Discoverer Plus to use the Tunneling communication protocol

To set up Discoverer Plus to use the tunneling communication protocol:

  1. Start Oracle Enterprise Manager and navigate to the Oracle9iAS Discoverer Plus Configuration page (for more information, see Section 13.5.2.3, "How to display the Oracle9iAS Discoverer Plus Configuration page in OEM").


    Text description of oem3.gif follows.
    Text description of the illustration oem3.gif

  1. Choose the Tunneling radio button from the Select a communication protocol for Discoverer Plus options.

    The Discoverer Plus applet will use the same protocol to communicate with the Discoverer servlet as was originally used to download the applet itself (i.e. either HTTP or HTTPS). This option works regardless of whether a firewall is being used.

  2. Click Apply.

  3. Open the appropriate port on the Oracle HTTP Server to accept HTTP or HTTPS traffic as appropriate.

  4. Give Discoverer Plus users the URL of the Discoverer servlet:

    For example, http://machinename.myorganization.com:7777/discoverer/plus

13.5.2.6 How to set up Discoverer Plus to use the Secure Tunneling communication protocol

To set up Discoverer Plus to use the secure tunneling communication protocol:

  1. Start Oracle Enterprise Manager and navigate to the Oracle9iAS Discoverer Plus Configuration page (for more information, see Section 13.5.2.3, "How to display the Oracle9iAS Discoverer Plus Configuration page in OEM").


    Text description of oem3.gif follows.
    Text description of the illustration oem3.gif

  1. Choose the Secure Tunneling radio button from the Select a communication protocol for Discoverer Plus options.

    The Discoverer Plus applet will use the HTTPS protocol to communicate with the Discoverer servlet.

  2. Click Apply.

  3. Open the appropriate port on the Oracle HTTP Server to accept HTTPS traffic.

  4. Give Discoverer Plus users the URL of the Discoverer servlet:

    For example, https://machinename.myorganization.com:7777/discoverer/plus

13.5.3 What are the differences between Oracle9iAS Discoverer Plus version 9.0.2 and version 4.1

Oracle9iAS Discoverer Plus does not require Visibroker Gatekeeper.

13.5.4 About security vulnerabilities

If you are deploying Oracle9iAS Discoverer with Oracle9iAS Web Cache, there are security implications for some restricted user environments.

For more information, see:

13.6 Frequently asked questions about security

13.6.1 What is a firewall?

A firewall is one system or a group of several systems put in place to enforce a security policy between the Internet and an organization's network.

In other words, a firewall is an electronic `fence' around a network to protect it from unauthorized access.

Figure 13-2 A typical Internet connection with a Client-side and Server-side firewall


Text description of firewal0.gif follows.
Text description of the illustration firewal0.gif

Typically, an organization using a Web Server machine that communicates across the Internet has a firewall between its Oracle HTTP Server machine and the Internet. This is known as a Server-side firewall. Other organizations (or remote parts of the same organization) connecting to this Web Server machine typically have their own firewall, known as a Client-side firewall. Information that conforms to the organization's firewall policy is allowed to pass through the firewalls enabling server machines and client machines to communicate.

13.6.2 What is a demilitarized zone (DMZ)?

A demilitarized zone (DMZ) is a firewall configuration that provides an additional level of security. In this configuration, the DMZ is an extra network placed between a protected network and the Internet. Resources residing within the DMZ are visible on the public Internet, but are secure. DMZs typically hold servers that host a company's public web site, File Transfer Protocol (FTP) site, and Simple Mail Transfer Protocol (SMTP) server.

Figure 13-3 A Demilitarized Zone (DMZ)


Text description of dmz0.gif follows.
Text description of the illustration dmz0.gif

Firewall policies vary across organization and there are a wide variety of bespoke and off-the-shelf firewall packages in use.

A good firewall configuration assumes that resources in the DMZ will be breached, and should minimize damage to the internal network and any sensitive data residing on the network when this happens. This involves two steps:

Notes:

13.6.3 What is HTTPS and why should I use it?

The HTTPS protocol uses an industry standard protocol called Secure Sockets Layer (SSL) to establish secure connections between clients and servers.

The SSL protocol enables sensitive data to be transmitted over an insecure network, such as the Internet, by providing the following security features:

You can tell when SSL is enabled in Discoverer as follows:

13.6.4 How do I configure Discoverer to work in an intranet

You configure Discoverer to work in an intranet as follows:

Figure 13-4 A typical network configuration for Discoverer in an intranet


Text description of secure2.gif follows.
Text description of the illustration secure2.gif

13.6.5 How do I configure Discoverer to work through a firewall?

You configure Discoverer to work through firewalls as follows:

Figure 13-5 A typical firewall configuration for Discoverer using HTTP


Text description of secure3.gif follows.
Text description of the illustration secure3.gif

13.6.6 Can I configure Discoverer to work through multiple firewalls?

Yes, if you are using HTTP or HTTPS Discoverer will work through multiple firewalls (for more information, see Section 13.6.5, "How do I configure Discoverer to work through a firewall?").

13.6.7 How do I configure Discoverer to use encryption in an intranet?

You configure Discoverer to use encryption as follows:

13.6.8 How do I configure Discoverer to use encryption through firewalls?

You configure Discoverer to use encryption through firewalls as follows:

Figure 13-6 A typical firewall configuration for Discoverer using HTTPS


Text description of secure5.gif follows.
Text description of the illustration secure5.gif

13.6.9 How can I verify that Discoverer is encrypting communications?

In Discoverer Viewer, make sure that client browsers displays a closed padlock or key symbol in the bottom left-hand corner of the Discoverer Viewer browser window.

In Discoverer Plus, make sure that the client displays a closed padlock symbol in the bottom left-hand corner of the Discoverer Plus applet window.

13.6.10 Can I configure Discoverer for both SSL and non-SSL communication?

Yes, you can configure Discoverer for both SSL and non-SSL communication. For example, you might use the default Discoverer Plus communication protocol that uses a direct JRMP connection inside the firewall, but automatically uses a HTTP or HTTPS for users outside the firewall.

13.6.11 Can I configure Discoverer for both intranet users and users accessing Discoverer through a firewall?

Yes. Discoverer can be configured to first attempt a JRMP connection, then HTTP and HTTP connection. Users inside a firewall will connect using JRMP, but because JRMP is a direct connection that only works inside a firewall, users outside the firewall are connected as HTTP or HTTPS (depending on the URL).

13.6.12 Can I use Discoverer with a NAT device?

You can deploy Discoverer using any standard Network Address Translation (NAT) device.


Go to previous page Go to next page
Oracle
Copyright © 2002 Oracle Corporation.

All Rights Reserved.
Go To Table Of Contents
Contents
Go To Index
Index