6.3 Securing Oracle Reports Services

In 12c Release (12.2.1), Reports Server is secure out-of-the-box using the Oracle Platform Security Services, which accomplishes both authentication and authorization. Oracle Reports uses this Java EE-based security model to allow you to create security policies for running report jobs and Web commands.

In prior releases, Reports Server authentication was restricted to use only Oracle Internet Directory. Authorization of Reports Server required an Oracle Portal-based security model (using Portal metadata repository for checking authorization). If you want to revert to the security mechanism of prior releases, refer to Section 6.3.1.1, "Switching to Oracle Portal Security".

In Oracle Reports 12c Release (12.2.1), administrators can use Oracle Enterprise Manager to more easily define and manage granular security policies and file system access, as described in the following sections.

6.3.1 Enabling and Disabling Security and Changing Security Mechanism used

To enable or disable security for the Reports Server or Reports Application:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the EM MBean browser: Weblogic Domain > System MBean Browser.

  3. Navigate to the Reports Server MBean:

    Standalone server - oracle.reports.serverconfig:type=ReportsServer,name=rwserver-<componentName>

    Inprocess server - oracle.reportsApp.config:Location=<managedServername>,name=rwserver,type=ReportsApp,Application=reports,ApplicationVersion=12.2.1

  4. Click the child MBean ReportsServerJob.

  5. For the securityId property, enter one of the following values:

    • rwJaznSec - for OPSS-based security

    • rwSec - for Oracle Portal-based security

    • Empty - no security (unsecure)

6.3.1.1 Switching to Oracle Portal Security

The steps for deploying reports in Oracle Portal are the same in 12c Release (12.2.1) as in prior releases, as described in Chapter 16, "Deploying Reports in Oracle Portal". However, the security mechanism underlying the deployment has changed: authorization is enabled out of the box, but if only Oracle Internet Directory is specified during installation and Oracle Portal is not installed, authorization using Oracle Portal is disabled. The default installation of 12c Release (12.2.1) accomplishes both authentication and authorization through Oracle Platform Security Services.

You can continue to use the security features in Oracle Portal from prior releases for backward compatibility. To switch from the new 12c Release (12.2.1) Oracle Platform Security Services to pre-11g Oracle Portal metadata repository-based security:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the EM MBean browser Weblogic Domain > System MBean Browser.

  3. Navigate to the Reports Server MBean:

    Standalone server - oracle.reports.serverconfig:type=ReportsServer,name=rwserver-<componentName>

    Inprocess server - oracle.reportsApp.config:Location=<managedServername>,name=rwserver,type=ReportsApp,Application=reports,ApplicationVersion=12.2.1

  4. Click the child MBean ReportsServerJob.

  5. For the securityId property, enter the following value:

    rwSec - for Oracle Portal-based security

Note:

If you enable Oracle Portal security features, then Oracle Portal must also be configured during installation for authorization to occur:
  • If Oracle Portal is configured during installation, authentication is accomplished using the Oracle Internet Directory and authorization is accomplished using Oracle Portal (which stores authorization policies).

  • If Oracle Portal is not configured during installation, authentication is accomplished using the Oracle Internet Directory and authorization does not occur.

6.3.2 Defining Security Policies for Reports

As administrator, you can specify the reports to which a particular user/role has access by creating security policies for each report. In the security policy, you can also specify the server, destination name (desname), destination type (destype), and other parameters. An authenticated user is authorized against these security policies.

To define security policies for reports for Reports Server or Reports Application (in-process Reports Server):

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to Weblogic Domain > Security > Application Policies.

  3. Select reports as the Application Stripe.

  4. Click the Search icon.

  5. Enter appropriate values for the elements on the page to define or edit a security policy using the descriptions in the Help topic for the page.

  6. Click online help for the page to access the page-level help.

  7. Click Create to navigate to the Create Application Grant page.

  8. In the Grantee section, add the Reports roles to which permissions are to be assigned.

  9. In the Permissions section, add the new permission granted to the roles.

    The permission class to use is "oracle.reports.server.ReportsPermission".

  10. For Resource Name, enter the command line to which the permission applies. The wildcard ("*") can be used as a parameter value.

  11. For Permission Actions, enter "*" as the value.

Note:

The security policies defined in Oracle Enterprise Manager are stored in the policy store configured by the user. The idstore contains information on the users and the policy store contains the security policies configured by the user.

6.3.3 Defining Security Policies for Directories

In certain cases, you will want to give a particular user access to multiple related reports. Rather than specify a security policy for each report, you can collect all the reports in a single directory, then specify a security policy for the directory. Again, the security policy is checked when the user provides the user name and password.

As an example, imagine that there are 15 finance reports, for which you want to give access to the FINANCE role, and there are 12 Human Resources reports for which you want to give access to the HR role. Rather than specify 15 security policies for FINANCE role, and 12 policies for HR role (one policy per report), you can collect all finance reports in one directory, and collect all the HR reports in another directory, then specify only 2 policies (one per directory). Instead of specifying the report name, you will specify the directory name in the security policy.

To define a security policy for directories:

  1. Use the steps in Section 6.3.2, "Defining Security Policies for Reports" to define the security policy; the same steps apply when the policy covers a directory rather than a single report.

  2. Run a report as the specified role, and as other roles, to test that the security policies for authentication and authorization are enforced as you have defined them. For example, run a report from your browser using the following URLs:

    http://host:port/reports/rwservlet?report=report_name.rdf&destype=cache&desformat=html&userid=user/password@mydb&server=ReportsServer_instancename
    
    http://host:port/reports/rwservlet?report=report_name.rdf&userid=user/password@mydb&destype=file&desformat=pdf&desname=report_name.pdf 
    

    where

    host is the machine where the Oracle Instance is set up

    port is the OHS main port

  3. In the 'report' command line option of the security policy, enter one or more report definition file names, or the directories for which you are defining security policies. For example, to specify a directory, enter /myreports/runtime/reports/*. Separate multiple entries with a comma (,).

Now, to use the defined directory access control at the Reports Server level, refer to Section 6.3.1, "Enabling and Disabling Security and Changing Security Mechanism used" to confirm that security is turned on.

Note:

The security policies defined in Oracle Enterprise Manager are stored in the policy store configured by the user. The idstore contains information on the users and the policy store contains the security policies configured by the user.

6.3.4 Defining Security Policies for Web Commands

You can also specify the Web commands to which a particular user/role has access by creating security policies for each Oracle Reports Servlet (rwservlet) Web command. The security policy is checked when the user provides the user name and password.

To define security policies for Web commands:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to Weblogic Domain > Security > Application Policies.

  3. Select reports as the Application Stripe.

  4. Click the Search icon.

  5. Enter appropriate values for the elements on the page to define or edit a security policy using the descriptions in the Help topic for the page.

  6. Click online help for the page to access the page-level help.

  7. Click Create to navigate to the Create Application Grant page.

  8. In the Grantee section, add the Reports roles to which permissions are to be assigned.

  9. In the Permissions section, add the new permission granted to the roles.

    The permission class to use is "oracle.reports.server.WebCommandPermission".

  10. For Resource Name, enter the command line to which the permission applies. The wildcard ("*") can be used as a parameter value. The resource name has the following form:

    webcommands=<webcommands list separated by comma> server=<reports server names>

    For example:

    webcommands=showmyjobs,getjobid,showjobid,getserverinfo,showjobs server=*

  11. For Permission Actions, enter execute as the value.

Note:

The security policies defined in Oracle Enterprise Manager are stored in the policy store configured by the user. The idstore contains information on the users and the policy store contains the security policies configured by the user.
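The matching that the report, directory and Web command policies of Section 6.3.2 through Section 6.3.4 imply can be modelled in a few lines. The following Python is an added example, not Oracle's ReportsPermission or WebCommandPermission implementation: it assumes a grant's resource name is a space-separated list of key=value pairs (as in the webcommands=... server=... form above, with comma-separated lists and the "*" wildcard), compares request values textually without resolving REPORTS_PATH, and uses constructed roles, grants and URLs.

```python
"""Added model of OPSS-style grant matching for Oracle Reports; not Oracle's
ReportsPermission/WebCommandPermission code.  Assumption: a resource name is a
space-separated list of key=value pairs, values may be comma-separated lists
or the "*" wildcard, and the request's values are compared textually."""
from fnmatch import fnmatchcase
from urllib.parse import parse_qs

def parse_resource(resource: str) -> dict:
    """'report=/r/* server=srv1 destype=cache,file' -> {key: [values]}."""
    out = {}
    for token in resource.split():
        key, _, value = token.partition("=")
        out[key.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return out

def request_from_url(url: str) -> dict:
    """Pull the rwservlet command line parameters out of a request URL."""
    return {k.lower(): v[0] for k, v in parse_qs(url.partition("?")[2]).items()}

def value_allowed(requested: str, allowed: list) -> bool:
    """'*' grants anything; otherwise an entry must equal the request or be a
    glob such as /myreports/runtime/reports/* covering it (the glob also
    covers sub-directories here, an assumption of this model)."""
    return any(a == "*" or fnmatchcase(requested, a) for a in allowed)

def grant_permits(resource: str, request: dict) -> bool:
    """Every parameter the grant constrains must be present in the request and
    satisfied; parameters the grant does not mention are unconstrained."""
    for key, allowed in parse_resource(resource).items():
        requested = request.get(key)
        if requested is None or not value_allowed(requested, allowed):
            return False
    return True

def authorized(grants: list, user_roles: set, request: dict) -> bool:
    """grants: (role, resource) pairs as created in EM.  The request is allowed
    when any grant held by one of the user's roles permits it."""
    return any(role in user_roles and grant_permits(resource, request)
               for role, resource in grants)

# Constructed sample policy: one directory grant per role (Section 6.3.3) and
# one Web command grant (Section 6.3.4).
GRANTS = [
    ("FINANCE", "report=/myreports/runtime/reports/finance/* server=* destype=cache,file"),
    ("HR", "report=/myreports/runtime/reports/hr/* server=* destype=cache"),
    ("REPORTS_ADMIN", "webcommands=showmyjobs,getjobid,showjobid,getserverinfo,showjobs server=*"),
]
```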

6.3.5 Defining Read/Write Access to Directories

As an administrator, you can specify read/write access for Reports Server, Reports Application (in-process Reports Server), or Oracle Reports Runtime to directories. This feature only checks whether Reports Server, Reports Application, or Oracle Reports Runtime is authorized to read from or write to a specified directory, and is unrelated to security policies that check the user name and password.

  • Read access. To avoid the security issue of exposing sensitive content of files, you can specify the directories from which Reports Server, Reports Application, or Oracle Reports Runtime is allowed to read.

    For example, a malicious user may specify the following keywords to run a report on Windows:

    distribute=yes&destination=C:\Temp
    

    This would generate an error stating that there was an error in the syntax of the file. To avoid this, enable file system access control to specify read directories that do not include system directories.

  • Write access. To avoid the security issue of a malicious user potentially overwriting a system file by sending report output to a system directory, you can specify the directories to which Reports Server, Reports Application, or Oracle Reports Runtime is allowed to write. Attempts to write to other directories will return an error.

    For example, a user may run a report to the following destination on Windows:

    desname=C:\Temp
    

    This would overwrite a system file unless file system access control was enabled to specify write directories that do not include system directories.

To define read/write access to directories for Reports Server, Reports Application, or Oracle Reports Runtime:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the EM MBean browser Weblogic Domain > System MBean Browser.

  3. Navigate to the Reports Server MBean:

    Standalone server - oracle.reports.serverconfig:type=ReportsServer,name=rwserver-<componentName>

    Inprocess server - oracle.reportsApp.config:Location=<managedServername>,name=rwserver,type=ReportsApp,Application=reports,ApplicationVersion=12.2.1

  4. Click Operations.

  5. Click addFolderAccess.

  6. Enter the names of the Read Directories and Write Directories to which Reports Server, Reports Application, or Oracle Reports Runtime should have access. These entries set the read and write sub-elements of the folderaccess element in the configuration file.

    Read Directories: To avoid the security issue of exposing sensitive content of files, enter the names of the directories from which Reports Server is allowed to read. Separate directory names with a semicolon (;).

    Write Directories: Enter the names of the directories to which Reports Server is allowed to write. Attempts to write to other folders will return an error.

  7. Click Invoke.
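The decision that the folderaccess read and write lists from step 6 imply is shown below as an added example (not Oracle Reports code): the requested path is normalised and permitted only if it lies inside one of the semicolon-separated directories, so a desname of C:\Temp from the earlier example is refused when only C:\reports\out is writable. The directory names are constructed, and relative paths are refused, which is an assumption of this model.

```python
"""Added model of the folderaccess read/write check; not Oracle Reports code.
The lists are semicolon-separated as entered in addFolderAccess.  A path is
allowed only if, after normalisation, it lies inside a listed directory;
relative paths are refused (an assumption of this model)."""
import ntpath
import posixpath

def _norm(path: str, windows: bool) -> str:
    """Collapse '..' and mixed separators; fold case on Windows, where the
    file system is case-insensitive, so C:\\reports\\out\\..\\..\\Windows
    cannot slip past the list."""
    p = (ntpath if windows else posixpath).normpath(path)
    return p.lower() if windows else p

def parse_folder_list(entry: str, windows: bool) -> list:
    """'C:\\reports\\runtime;D:\\shared' -> normalised directory list."""
    return [_norm(d.strip(), windows) for d in entry.split(";") if d.strip()]

def inside(path: str, directory: str, windows: bool) -> bool:
    """True when path is the directory or beneath it.  The comparison is on a
    whole path component, so C:\\reports\\out does not cover C:\\reports\\out2."""
    sep = "\\" if windows else "/"
    return path == directory or path.startswith(directory.rstrip(sep) + sep)

class FolderAccess:
    """Read and write directory lists for one Reports Server instance."""

    def __init__(self, read: str, write: str, windows: bool = False):
        self.windows = windows
        self.read = parse_folder_list(read, windows)
        self.write = parse_folder_list(write, windows)

    def _allowed(self, path: str, dirs: list) -> bool:
        if not (ntpath if self.windows else posixpath).isabs(path):
            return False  # no directory given: refuse rather than guess
        p = _norm(path, self.windows)
        return any(inside(p, d, self.windows) for d in dirs)

    def can_read(self, path: str) -> bool:
        """Source files: report definitions, distribution XML, images."""
        return self._allowed(path, self.read)

    def can_write(self, path: str) -> bool:
        """Report output: the desname given on the command line."""
        return self._allowed(path, self.write)
```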

6.3.6 Enabling and Disabling Single Sign-On

If you plan to take advantage of Oracle Application Server Single Sign-On, you can use Oracle Enterprise Manager to set the SINGLESIGNON parameter in the rwservlet.properties configuration file. SINGLESIGNON=YES by default on installation. For more information about Single Sign-On, refer to Chapter 17, "Configuring and Administering Oracle Single Sign-On".

To enable Single Sign-On:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the EM MBean browser Weblogic Domain > System MBean Browser.

  3. Navigate to the Reports Servlet MBean:

    oracle.reportsApp.config:Location=<managedServername>,name=rwservlet,type=ReportsApp,Application=reports,ApplicationVersion=12.2.1

  4. Set the Singlesignon property to yes or no to enable or disable Single Sign-On.

  5. Click Apply.

6.3.7 Using Oracle Access Manager

Oracle Access Manager is a component of Oracle Fusion Middleware that you can use in place of OracleAS Single Sign-On 10g to implement centralized authentication, policy-based authorizations, delegated administration, and so on.

You can use the Oracle Fusion Middleware Upgrade Assistant to upgrade from OracleAS Single Sign-On 10g to Oracle Access Manager 11g. For more information about upgrading to Oracle Access Manager 11g, see the "Upgrading Your Oracle Single Sign-On Environment" chapter in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.

6.3.8 Managing Credentials

This section explains how to use Oracle Enterprise Manager to manage credentials in a domain credential store.

  1. Log in to Oracle Enterprise Manager and navigate to WebLogic Domain > Security > Credentials, to display the Credentials page.

  2. Use the Delete button to remove a selected item (key or map) in the table. Note that deleting a credential map deletes all keys in it. Similarly, use the Edit button to view or modify the data in a selected item.

  3. To display credentials matching a given key name, enter the string to match in the box Credential Key Name, and then click the blue button to the right of it. The result of the query is displayed in the table.

  4. To redisplay the list of credentials after examining the results of a query, select WebLogic Domain > Security > Credentials.

To create a new credential map:

  1. Click Create Map to display the Create Map dialog.

  2. In this dialog, enter the name of the map for the credential being created.

  3. Click OK to return to the Credentials page. The new credential map name is displayed with a folder icon in the table.

Note:

In the Credential Store Framework (CSF), the Reports Server can access credentials only from the Reports folder, hence you must create credentials under the Reports folder.

To add a new key to a credential map:

  1. Click Create Key to display the Create Key dialog.

  2. In this dialog, select from the Select Map pull-down list the map into which the new key will be inserted, enter a key in the Key text box, select a type from the Type pull-down list (the appearance of the dialog changes according to the type selected), and enter the required data.

  3. Click OK when finished to return to the Credentials page. The new key is shown under the map icon corresponding to the map you selected.

For more information about reassociating the credential store, see Securing Applications with Oracle Platform Security Services.