12
Maintaining security with OracleAS Discoverer

12.1 Maintaining security with OracleAS Discoverer

This chapter describes the different security mechanisms that Discoverer uses to protect sensitive resources, and contains the following topics:

• Section 12.2, "About Discoverer and security"

• Section 12.3, "About Discoverer and the database security model"

• Section 12.4, "About Discoverer and the Discoverer EUL security model"

• Section 12.5, "About Discoverer and the Oracle Applications security model"

• Section 12.6, "About Discoverer and the OracleAS Security model"

• Section 12.7, "Using Discoverer with OracleAS Framework Security"

• Section 12.8, "Using Discoverer with Oracle Identity Management Infrastructure"

• Section 12.9, "Frequently asked questions about security"

12.2 About Discoverer and security

Discoverer uses (and must therefore protect) different sensitive resources, including:

• data (e.g. users must only see information they are allowed to see)

• metadata (e.g. users must not be able to edit workbooks to which they do not have access)

• Discoverer connections (e.g. database login details must not be transmitted or persisted without being securely encrypted)

• system resources (e.g. CPU, memory)

• network resources (or more precisely, the protection of data as it is transmitted across a network)

The table below shows the sensitive resources used and protected by the different Discoverer components:

Sensitive resources	Used and protected by Discoverer Plus	Used and protected by Discoverer Viewer	Used and protected by Discoverer Portlet Provider	Used and protected by Discoverer Administrator	Used and protected by Discoverer pages in Application Server Control
data	Yes	Yes	Yes	Yes	No
metadata	Yes	Yes	Yes	Yes	Yes
Discoverer connections	Yes	Yes	Yes	No	Yes
system resources	Yes	Yes	Yes	Yes	Yes
network resources	Yes	Yes	Yes	Yes	Yes

Discoverer uses a number of security mechanisms to prevent unauthorized access to the above resources. These security mechanisms are provided by the following security models:

• the database security model

• the Discoverer EUL security model

• the Oracle Applications security model

• the OracleAS Security model

The diagram below shows the multiple security mechanisms employed by Discoverer, all of which ultimately protect data and system resources from unauthorized access:

Text description of the illustration secure1.gif

The security mechanisms that Discoverer employs will depend on the category of Discoverer user (as defined by the Discoverer product they are using), as follows:

• Discoverer Plus, Discoverer Viewer, and Discoverer Portlet Provider users (i.e. Discoverer end users)

• Oracle Discoverer Administrator users (i.e. Discoverer managers)

• users administering Discoverer using Application Server Control (i.e. Discoverer middle tier administrators)

The table below shows which security models are used by which Discoverer components:

Security Model	Used by Discoverer Plus	Used by Discoverer Viewer	Used by Discoverer Portlet Provider	Used by Discoverer Administrator	Used by Discoverer pages in Application Server Control
Database	Yes	Yes	Yes	Yes	Yes
Discoverer EUL	Yes	Yes	Yes	Yes	No
Applications	Yes	Yes	Yes	Yes	Yes
OracleAS	Yes	Yes	Yes	No	Yes

12.3 About Discoverer and the database security model

At the most basic level, data in the database is protected from unauthorized access by the database's own security model. In the case of an Oracle database, this security model comprises:

• database users and roles

• database privileges

The database privileges granted directly to database users (or granted indirectly via database roles) determine the data that users can access. Typically, you will set up database security using a database administration tool or SQL*Plus.

Discoverer uses the database's own security model to make sure that users never see information to which they do not have database access.

For more information about the database security model and how Discoverer uses it, see Oracle Discoverer Administrator Administration Guide.

12.4 About Discoverer and the Discoverer EUL security model

Discoverer managers use Discoverer Administrator to grant Discoverer access permissions and task privileges directly to database users (or indirectly via database roles), as follows:

• to control who can see and use which business areas, Discoverer managers grant Discoverer access permissions

• to control the tasks each user is allowed to perform, Discoverer managers grant Discoverer task privileges

Regardless of the access permissions and task privileges granted in Discoverer Administrator, a Discoverer end user only sees folders if that user has been granted the following database privileges (either directly or through a database role):

• SELECT privilege on all the underlying tables used in the folder

• EXECUTE privilege on any PL/SQL functions used in the folder

Even if they share workbooks with each other, Discoverer users will never see information to which they do not have database access.

Discoverer Administrator also enables Discoverer managers to protect system resources by:

• setting scheduled workbook limits to control the system resources available to end users

• preventing end user queries from running for longer than a specified maximum duration

• preventing end user queries from returning more than a specified number of rows

Discoverer managers can extend Discoverer functionality by registering their own PL/SQL functions. However, they can only register PL/SQL functions to which they have been granted the EXECUTE database privilege.

For more information about the Discoverer EUL security model, see Oracle Discoverer Administrator Administration Guide.

Notes

• You can also enforce read-only access to Discoverer workbooks in any of the following ways:
  • you can disable Discoverer Plus by preventing access to the Discoverer Plus URL (for more information, see Section 2.4, "About restricting how users can run Discoverer")

    If you disable Discoverer Plus, Discoverer end users will only have read-only access to workbooks using Discoverer Viewer.

  • you can run Discoverer Plus in read-only mode for specified Discoverer end users by removing the Create/Edit Query privilege in Oracle Discoverer Administrator (for more information, see Oracle Discoverer Administrator Administration Guide)

• Some of the EUL maintenance scripts supplied with Discoverer grant database privileges to the Discoverer manager and the PUBLIC user (for more information, see Appendix C.1, "OracleAS Discoverer administrative account information").

12.5 About Discoverer and the Oracle Applications security model

A common use of Discoverer is to provide ad-hoc query access to Oracle Applications databases. To provide such access, Discoverer managers can use Discoverer Administrator to create Applications mode EULs.

An Oracle Applications mode EUL is a Discoverer End User Layer based on an Oracle Applications schema (containing the Oracle Applications FND (Foundation) tables and views).

Oracle Applications EULs make use of the following Oracle Applications security model features:

• Oracle Applications users and responsibilities

  Oracle Applications EULs employ Oracle Applications user names and responsibilities whereas standard EULs use database users and roles. Discoverer managers running Discoverer Administrator in Oracle Applications mode grant access permissions or task privileges to Oracle Applications responsibilities instead of roles.

• Oracle Applications row level security

  Many Oracle Applications tables and views are user-sensitive, and will return different results depending on which user/responsibility is used to access these tables/views. Discoverer correctly runs queries that respect these user-sensitive tables and views.

• Oracle Applications multiple organizations

  Oracle Applications multiple organizations support enables Discoverer to work with data from more than one organization. Discoverer end users can query and analyze data from the set of organizations to which they have been granted access. The folders in the EUL must be based on Oracle Business Views (available in Oracle Applications 11i).

  For more information about the Oracle Applications security model and how Discoverer uses it, see Oracle Discoverer Administrator Administration Guide.

12.6 About Discoverer and the OracleAS Security model

OracleAS Security is an integrated management and security framework that provides:

• central management for OracleAS and the Oracle environment to reduce total cost of ownership

• out-of-box monitoring, alerting, and diagnostics to eliminate unexpected downtime and performance problems

• end-to-end performance monitoring of Web applications, and root cause analysis to resolve performance bottlenecks

• a complete and integrated identity management infrastructure for user management, provisioning, single sign-on and Public Key infrastructure

• advanced security and identity management features to ensure end-to-end security of deployed Web applications

The OracleAS Security model comprises:

• OracleAS Framework Security

• Oracle Identity Management infrastructure

• Oracle Advanced Security

To make sure that Discoverer fully leverages the OracleAS Security model:

• use the HTTPS services provided by OracleAS Framework Security (for more information, see Section 12.7, "Using Discoverer with OracleAS Framework Security")

• use the single sign-on services provided by Oracle Identity Management infrastructure (for more information, see Section 12.8, "Using Discoverer with Oracle Identity Management Infrastructure")

In addition, the OracleAS Security model underpins the Discoverer connection mechanism (for more information, see Section 12.6.1, "About Discoverer public connections and the OracleAS Security model").

For more information about OracleAS Security, see:

• Oracle Application Server Security Guide

• Oracle Identity Management Concepts and Deployment Planning Guide

12.6.1 About Discoverer public connections and the OracleAS Security model

Discoverer managers can give users access to information by using OracleAS Oracle Enterprise Manager to create public connections. Each connection specifies an EUL containing one or more business areas.

Discoverer managers can control users' access to information by restricting users to using public connections or by giving users permission to create their own private connections.

For more information about connections, see Section 3.1, "Managing OracleAS Discoverer connections".

12.7 Using Discoverer with OracleAS Framework Security

OracleAS Framework Security provides a number of services, including:

• HTTPS/SSL support (using Oracle HTTP Server)

• user authentication and authorization (using Java Authentication and Authorization Service (JAAS), also known as JAZN)

• encryption (using Java Cryptography Extension (JCE))

You can specify that Discoverer uses the HTTPS/SSL support offered by the Oracle HTTP Server as one of the communication protocols to communicate between the Discoverer server and the Discoverer client tier components. For more information, see:

• Section 12.7.1, "About specifying Discoverer communication protocols"

• Section 12.7.2, "About Discoverer Viewer security and communication protocols"

• Section 12.7.3, "About Discoverer Plus security and communication protocols"

For more information about OracleAS Framework Security, see Oracle Application Server Security Guide.

Notes

• When you install OracleAS, SSL is installed automatically, but it is not enabled by default. To deploy Discoverer using SSL, make sure that SSL is enabled (i.e. make sure that the start-mode parameter in opmn.xml is set to 'ssl-enabled'). For more information, see Oracle HTTP Server Administrator's Guide.

12.7.1 About specifying Discoverer communication protocols

You can use Discoverer in different network environments that might or might not include firewalls using different communication protocols (i.e. JRMP, HTTP, HTTPS).

The most appropriate network environment depends on both existing network strategies in your organization as well as your requirements for:

• performance (how long it takes to display information)

• accessibility (whether data has to be accessed through a firewall)

• security (how secure the data needs to be during transmission)

Note that you must use HTTPS if you want to make sure that sensitive information (e.g. passwords, data) is securely transmitted across a network.

Discoverer Viewer and Discoverer Plus require different security configurations:

• for more information about configuring security for Discoverer Viewer, see Section 12.7.2, "About Discoverer Viewer security and communication protocols"

• for more information about configuring security for Discoverer Plus, see Section 12.7.3, "About Discoverer Plus security and communication protocols"

Notes

• If you are deploying OracleAS Discoverer with OracleAS Web Cache, there are security implications for some restricted user environments.

  For more information, see:

  • Section 6.5, "When to use Discoverer Viewer with OracleAS Web Cache"

  • Oracle Application Server Security Guide

• If you have deployed Discoverer in a multiple machine installation, note that you might want to specify different communication protocols on different Discoverer machines. For example, you might use:
  • the JRMP protocol on one machine for Plus users working inside a firewall

  • the HTTPS protocol on two other machines for Viewer users accessing reports across the Web

12.7.2 About Discoverer Viewer security and communication protocols

Discoverer Viewer uses standard HTTP or HTTPS protocols to connect Discoverer Viewer clients to the Discoverer servlet.

Text description of the illustration sec1.gif

Note: Discoverer Viewer client machines require only a standard Web browser to run Discoverer Viewer.

In a default OracleAS installation, Discoverer Viewer is configured as follows:

• In an Intranet environment (i.e. inside firewalls), no additional security configuration is required

• In a HTTP environment, no additional security configuration is required. If you are using a firewall, open the firewall for the Oracle HTTP Server port used by OracleAS (e.g. 7778).

• In a HTTPS environment, you need to configure the mod_ossl file on the OracleAS machine (for more information, see Oracle Application Server HTTP Administrator's Guide). If you are using a firewall, open the firewall for the Oracle HTTP Server SSL port used by OracleAS (e.g. 4443). In a HTTPS environment, Discoverer Viewer uses SSL security certificates on the client machine's browser. If you are using a non-standard or private SSL signing authority, you need to install the root certificates in the browser. For more information about deploying Discoverer Viewer over HTTPS, see Section 2.8, "About running Discoverer over HTTPS").

12.7.3 About Discoverer Plus security and communication protocols

Discoverer Plus uses standard Java Remote Method Protocol (JRMP), HTTP or HTTPS protocols to connect clients to the Discoverer servlet.

Text description of the illustration sec2.gif

Discoverer Plus uses two communication channels:

• when a Discoverer Plus client first connects to the Discoverer servlet, the Discoverer Plus applet is downloaded and installed on the Discoverer client machine

• after the Discoverer Plus applet is installed on the Discoverer client machine, the Discoverer Plus client machine uses one of JRMP, HTTP, or HTTPS to communicate with the Discoverer servlet

In a default OracleAS installation, Discoverer Plus is configured as follows, depending on the environment:

• In an Intranet environment (i.e. inside firewalls), no additional security configuration is required. Discoverer Plus clients connect to the Discoverer servlet using the JRMP protocol.

  Make sure that the default Discoverer Plus communication protocol (i.e. Default) is selected (for more information, Section 12.7.3.4, "How to set up Discoverer Plus to use the Default communication protocol").

• In a HTTP environment, no additional security configuration is required. If you are using a firewall, open the firewall for the Oracle HTTP Server port used by OracleAS (e.g. 7778).

  Although a HTTP connection will work with the Discoverer Plus communication protocol option set to Default, you can improve performance by specifying the Tunneling option on the Discoverer Plus communication protocol page (for more information, Section 12.7.3.5, "How to set up Discoverer Plus to use the Tunneling communication protocol").

• In a HTTPS environment, Discoverer Plus uses security certificates on the client machine's browser. When you run Discoverer Plus for the first time over HTTPS (i.e. in Secure Sockets Layer (SSL) mode), you need to install your Web server's security certificate into the Java Virtual Machine (JVM) certificate store in all client machines that need to run Discoverer Plus.

  For more information about deploying Discoverer Plus over HTTPS, see Section 2.8, "About running Discoverer over HTTPS").

  If you are using a non-standard SSL signing authority, you might need to configure the certdb.txt file on client machines (for more information, see Section 12.7.3.1, "About configuring Discoverer Plus for a non-standard SSL signing authority"). If you are using a firewall, open the firewall for the Oracle HTTP Server SSL port used by OracleAS (e.g. port 4443).

  Although a HTTPS connection will work with Discoverer Plus communication protocol option set to Default, you can improve performance by specifying the Tunneling option or Secure Tunneling option on the Discoverer Plus communication protocol page (for more information, Section 12.7.3.2, "About specifying a Discoverer Plus communication protocol").

Notes

• You typically use the same communication protocol to download the Discoverer applet as you do for communication with the Discoverer servlet (for more information, see Section 12.7.3.2, "About specifying a Discoverer Plus communication protocol").

12.7.3.1 About configuring Discoverer Plus for a non-standard SSL signing authority

If you are deploying Discoverer Plus using a non-standard or private SSL signing authority, you need to make sure that the root certificate information is in the certdb.txt file on each client machine (for more information about the location of configuration files, see Section A.2, "List of Discoverer file locations"). Certificate information is required in the certdb.txt file because Discoverer Plus ignores the browser's signing authority and uses Oracle Jinitiator's SSL technology.

12.7.3.2 About specifying a Discoverer Plus communication protocol

Using Application Server Control, you can specify which communication protocol the Discoverer Plus applet (i.e. the Discoverer client) and the Discoverer servlet (i.e. on the Discoverer middle tier) use to communicate. The three communication protocol options are:

• Default

  Specify this option if you want the Discoverer Plus applet to attempt to use JRMP and if this fails, to use HTTP or HTTPS (depending on the URL) to communicate with the Discoverer servlet.

  The advantage of using the Default communication protocol is that Discoverer Plus works regardless of whether the client browser is running inside or outside a firewall. However, it will be slower outside the firewall because JRMP will be tried first.

  For more information about specifying this option, see Section 12.7.3.4, "How to set up Discoverer Plus to use the Default communication protocol".

• Tunneling

  Specify this option if you want the Discoverer Plus client to connect using the same method to communicate with the Discoverer servlet as was originally used to download the applet itself (i.e. either HTTP or HTTPS depending on the URL). This option works regardless of whether a firewall is being used.

  This advantage of using the Tunneling communication protocol is that it is quicker that the Default option, because a JRMP is not attempted first before failing and trying again using HTTP.

  For more information about specifying this option, see Section 12.7.3.5, "How to set up Discoverer Plus to use the Tunneling communication protocol".

• Secure Tunneling

  Specify this option if you want the Discoverer Plus client to always use HTTPS to communicate with the Discoverer servlet.

  This advantage of using the Secure Tunneling communication protocol is that it is quicker that the Default option, because a JRMP is not attempted first before failing and trying again using HTTPS.

  For more information about specifying this option, see Section 12.7.3.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol".

12.7.3.3 How to display the OracleAS Discoverer Plus Communications Protocols page in Application Server Control

You use the Discoverer Plus Communication Protocols page in Application Server Control to specify a Discoverer Plus communication protocol. For example, if you want to encrypt Discoverer Plus data, you might want to configure Discoverer Plus to use the HTTPS communication protocol.

How to display the OracleAS Discoverer Plus Configuration page in Application Server Control:

1. Display Application Server Control on the Discoverer instance that you want to configure (for more information, see Section 4.2.2, "How to display Application Server Control").

2. Display the Application Server Control Discoverer Home page (for more information, see Section 4.2.3, "How to display the Application Server Control Discoverer Home page").

   
   
   Text description of the illustration em_maina.gif

3. Select the Discoverer Plus link to display the Application Server Control Discoverer Plus Home page.

   Hint: To display the Discoverer Plus link, either scroll down the page to the Components area, or select the Components link.

   
   
   Text description of the illustration em_plus.gif

4. Select the Communication Protocols link to display the Communication Protocols page.

   
   
   Text description of the illustration oem6.gif

12.7.3.4 How to set up Discoverer Plus to use the Default communication protocol

To set up Discoverer Plus to use the Default communication protocol:

1. Display Application Server Control and navigate to the OracleAS Discoverer Plus Communication Protocols page (for more information, see Section 12.7.3.3, "How to display the OracleAS Discoverer Plus Communications Protocols page in Application Server Control").

2. Select the Default radio button from the Communication Protocols options.

3. Click OK to save the details.

4. Give Discoverer Plus users the URL of the Discoverer servlet:

   For example, http://<host.domain>:7779/discoverer/plus

   The Discoverer Plus applet will attempt to use JRMP. If JRMP is not available, the Discoverer Plus applet will use HTTP or HTTPS (depending on the URL) to communicate with the Discoverer servlet.

   Note: This option works regardless of whether the applet is running inside or outside a firewall. However, it will be slower outside the firewall because JRMP will be tried first. For more information about the other options on this page, refer to Section 12.7.3.2, "About specifying a Discoverer Plus communication protocol".

12.7.3.5 How to set up Discoverer Plus to use the Tunneling communication protocol

To set up Discoverer Plus to use the Tunneling communication protocol:

1. Display Application Server Control and navigate to the OracleAS Discoverer Plus Communication Protocols page (for more information, see Section 12.7.3.3, "How to display the OracleAS Discoverer Plus Communications Protocols page in Application Server Control").

2. Choose the Tunneling radio button from the Communication Protocols options.

3. Click OK to save the details.

4. (optional) If you are using a firewall, open the appropriate port in the firewall to accept HTTP or HTTPS traffic as appropriate.

5. Give Discoverer Plus users the URL of the Discoverer servlet:

   For example, http://<host.domain>:7779/discoverer/plus

   The Discoverer Plus applet will use the same protocol to communicate with the Discoverer servlet as was originally used to download the applet itself (i.e. either HTTP or HTTPS). This option works regardless of whether a firewall is being used.

12.7.3.6 How to set up Discoverer Plus to use the Secure Tunneling communication protocol

To set up Discoverer Plus to use the Secure Tunneling communication protocol:

1. Display Application Server Control and navigate to the OracleAS Discoverer Plus Communication Protocols page (for more information, see Section 12.7.3.3, "How to display the OracleAS Discoverer Plus Communications Protocols page in Application Server Control").

2. Choose the Secure Tunneling radio button from the Communication Protocols options.

3. Click OK to save the details.

4. (optional) If you are using a firewall, open the appropriate port in the firewall to accept HTTP or HTTPS traffic as appropriate.

5. Give Discoverer Plus users the URL of the Discoverer servlet:

   For example, https://<host.domain>:4443/discoverer/plus

The Discoverer Plus applet will use the HTTPS protocol to communicate with the Discoverer servlet.

When a Discoverer end user starts Discoverer Plus for the first time on a client machine, they are prompted to confirm that they want to accept a default security certificate. Before selecting the Yes option on the Security Alert dialog, the Discoverer end user must install a Discoverer Plus security certificate on the client machine (for more information, see Section 12.7.1, "About specifying Discoverer communication protocols").

12.8 Using Discoverer with Oracle Identity Management Infrastructure

Oracle Identity Management Infrastructure provides a number of services, including:

• OracleAS Single Sign-On

• OracleAS Certificate Authority

• Oracle Internet Directory (OID)

• Oracle Delegated Administration Services

• Oracle Directory Integration and Provisioning

• LDAP Developer Kit

You can specify that Discoverer uses OracleAS Single Sign-On to enable users to access Discoverer using the same user name and password as other Web applications. For more information, see:

• Section 12.8.1, "Using Discoverer with OracleAS Single Sign-On"

• Section 12.8.2, "What is OracleAS Single Sign-On?"

For more information about Oracle Identity Management Infrastructure, see Oracle Identity Management Concepts and Deployment Planning Guide.

12.8.1 Using Discoverer with OracleAS Single Sign-On

This section describes OracleAS Single Sign-On and how to use it with Discoverer Discoverer.

12.8.2 What is OracleAS Single Sign-On?

OracleAS Single Sign-On is a component of Oracle Application Server that enables users to log in to all the features of the OracleAS product set (as well as to other Web applications) using a single user name and password that is entered once.

Note: OracleAS Single Sign-On is implemented using Oracle Single Sign-On Server.

12.8.2.1 About Single Sign-On and Discoverer

When you install OracleAS, the OracleAS Single Sign-On service is installed automatically, but it is not enabled by default. For information about how to enable OracleAS Single Sign-On, see Section 12.8.2.2, "How to enable Single Sign-On for Discoverer").

Discoverer connections work in both Single Sign-On and non-Single Sign-On environments. In an OracleAS Single Sign-On environment, if a Discoverer end user starts Discoverer without having been authenticated by OracleAS Single Sign-On, the user is challenged for Single Sign-On details (user name and password). Having provided Single Sign-On details, the user can display the Discoverer connections page and start Discoverer without having to enter a user name or password again.

Note: For more information about how OracleAS Discoverer works with OracleAS Portal and Single Sign-On, see Section 12.8.2.3, "An example showing how Discoverer works with OracleAS Portal and Single Sign-on".

12.8.2.2 How to enable Single Sign-On for Discoverer

You enable Single Sign-On on the OracleAS Discoverer instance.

To enable Single Sign-On, do the following:

1. Open the mod_osso.conf file in a text editor (for more information about the location of configuration files, see Section A.2, "List of Discoverer file locations").

2. Add the following text to the end of the file:

   <Location /discoverer/plus*>
   

   require valid-user
   AuthType Basic
   

   </Location>
   <Location /discoverer/viewer>
   

   require valid-user
   AuthType Basic
   

   </Location>
   
   

3. Save the mod_osso.conf file.

4. Type the following at a command prompt:

   opmnctl stopall
   opmnctl startall
   

For more information about the location of the opmnctl script, see Section A.2, "List of Discoverer file locations").

Notes

• Do not enable SSO for /discoverer/portlet provider. Discoverer relies on OracleAS Portal to protect the /discoverer/portlet provider URL. In other words, do not specify the Location value as /discoverer, as follows:

  <Location /discoverer>

  require valid-user

  AuthType Basic

  </Location>

• Make sure that the OssoIPCheck parameter value in the mod_osso.conf file is set to off.

12.8.2.3 An example showing how Discoverer works with OracleAS Portal and Single Sign-on

When you publish Discoverer content in a portlet on an OracleAS Portal page, you give portal users access to the Discoverer workbooks and worksheets. However, portal users accessing Discoverer workbooks only see data to which they have database access. In other words, two different users accessing the same workbook might see different data, depending on their database privileges. For more information, see Section 9.1, "Using OracleAS Discoverer with OracleAS Portal".

To illustrate how OracleAS Discoverer works with OracleAS Portal, consider the following example:

Imagine that there are two single sign-on users:

• User SSO-A has a private connection Conn-A pointing to DBUSER-A@discodb, EUL-Marketing.

• User SSO-B has a private connection Conn-B pointing to DBUSER-B@discodb, EUL-Marketing.

User SSO-A using connection Conn-A creates two workbooks Workbook 1 and Workbook 2 in the Marketing EUL. User SSO-A uses Discoverer Plus to share Workbook 2 with DBUSER-B.

User SSO-B using connection Conn-B creates two workbooks Workbook 3 and Workbook 4 in the Marketing EUL. User SSO-B uses Discoverer Plus to share Workbook 4 with DBUSER-A.

This situation is shown in the figure below:

Figure 12-1 Single sign-on users creating workbooks

Text description of the illustration portsec1.gif

Now imagine that user SSO-A creates a List Of Workbooks portlet using Conn-A, and chooses the 'Use user's database connection' option in the Logged In users section (i.e. in the Select Database Connections page in the Discoverer Portlet Provider).

When user SSO-A accesses the List Of Workbooks portlet, the following workbooks are available:

• Workbook 1

• Workbook 2

• DBUSER-B.Workbook 4

When user SSO-B accesses the same List Of Workbooks portlet, the following workbooks are available:

• Workbook 3

• Workbook 4

• DBUSER-A.Workbook 2

This situation is shown in the figure below:

Figure 12-2 Single sign-on users accessing Discoverer portlets

Text description of the illustration portsec2.gif

12.8.3 Using Discoverer without Single Sign-on

If you are not deploying Discoverer with Single Sign-On, end users must confirm the database password each time a private connection is used. In other words, when a Discoverer end user chooses a private connection for the first time in a browser session, they are prompted to confirm the database password. They are not prompted for SSO login details.

If the end user closes the Web browser and then starts the Web browser again (i.e. creates a new browser session), they are prompted to confirm their database password. End users do not have to confirm passwords for public connections (for more information, see Section 3.3.2, "About public connections").

Notes

• To store private Discoverer connections in non-SSO environments, cookies must be enabled in the Web browser.

• In non-SSO environments, a Discoverer end user can only access private connections created using the current machine and current Web browser. If an end user wants to use a different machine or different Web browser, they must re-create the private connections on the different machine or Web browser.

12.9 Frequently asked questions about security

12.9.1 What is a firewall?

A firewall is one system or a group of several systems put in place to enforce a security policy between the Internet and an organization's network.

In other words, a firewall is an electronic `fence' around a network to protect it from unauthorized access.

Figure 12-3 A typical Internet connection with a Client-side and Server-side firewall

Text description of the illustration fw.gif

Typically, an organization using a Web Server machine that communicates across the Internet has a firewall between its Oracle HTTP Server machine and the Internet. This is known as a Server-side firewall. Other organizations (or remote parts of the same organization) connecting to this Web Server machine typically have their own firewall, known as a Client-side firewall. Information that conforms to the organization's firewall policy is allowed to pass through the firewalls enabling server machines and client machines to communicate.

12.9.2 What is a demilitarized zone (DMZ)?

A demilitarized zone (DMZ) is a firewall configuration that provides an additional level of security. In this configuration, the DMZ is an extra network placed between a protected network and the Internet. Resources residing within the DMZ are visible on the public Internet, but are secure. DMZs typically hold servers that host a company's public Web site, File Transfer Protocol (FTP) site, and Simple Mail Transfer Protocol (SMTP) server.

Figure 12-4 A Demilitarized Zone (DMZ)

Text description of the illustration dmz0.gif

Firewall policies vary across organization and there are a wide variety of bespoke and off-the-shelf firewall packages in use.

A good firewall configuration assumes that resources in the DMZ will be breached, and if this happens should minimize damage to the internal network and any sensitive data residing on the network. This involves two steps:

• move sensitive private resources (at a minimum, databases and application logic) from the DMZ to the internal network behind the internal firewall

• restrict access to sensitive private resources from the DMZ itself, as well as from internal networks

Notes

• An alternative security solution is to deploy the Oracle HTTP Server in the DMZ and deploy the Discoverer middle tier and the database behind the internal firewall. Note that this configuration is not supported.

12.9.3 What is HTTPS and why should I use it?

The HTTPS protocol uses an industry standard protocol called Secure Sockets Layer (SSL) to establish secure connections between clients and servers.

The SSL protocol enables sensitive data to be transmitted over an insecure network, such as the Internet, by providing the following security features:

• authentication - a client can determine a server's identity and be certain that the server is not an impostor (and optionally, a server can also authenticate the identity of its client applications)

• privacy - data passed between the client and server is encrypted so that if a third party intercepts their messages, the third party will not be able to unscramble the data

• integrity - the recipient of encrypted data will know if a third party has corrupted or modified that data

You can tell when SSL is enabled in Discoverer as follows:

• the URL to start Discoverer Plus begins with https://, and a closed padlock appears at the left hand side of the applet's status bar

• the URL to start Discoverer Viewer starts with https://, and a closed padlock or other equivalent symbol (browser dependent) appears in the browser's status bar

12.9.4 How do I configure Discoverer to work in an intranet

You configure Discoverer to work in an intranet as follows:

• Discoverer Viewer

  Deploying Discoverer Viewer in an intranet (i.e. inside a firewall) requires no additional configuration after an OracleAS installation. Discoverer Viewer uses a HTTP connection.

• Discoverer Plus

  Deploying Discoverer Plus in an intranet (i.e. inside a firewall) requires no additional configuration after an OracleAS installation. Discoverer Plus uses a direct connection using JRMP.

Figure 12-5 A typical network configuration for Discoverer in an intranet

Text description of the illustration secure2.gif

12.9.5 How do I configure Discoverer to work through a firewall?

You configure Discoverer to work through firewalls with HTTP or HTTPS, as follows:

• Discoverer Viewer

  Discoverer Viewer requires no additional configuration as long as the firewall allows HTTP traffic to pass through.

• Discoverer Plus

  Discoverer Plus requires no additional configuration as long as the firewall allows HTTP or HTTPS traffic to pass through.

  To improve performance, you might want to change the Discoverer Plus communication protocol to one of the following:

  • for HTTP, set the communication protocol to Tunneling to prevent the Discoverer client from first trying to connect using JRMP, then by HTTP (for more information, see Section 12.7.3.5, "How to set up Discoverer Plus to use the Tunneling communication protocol").

  • for HTTPS, set the communication protocol to Secure Tunneling to prevent the Discoverer client from first trying to connect using JRMP, then by HTTP, then by HTTPS (for more information, see Section 12.7.3.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol").

Figure 12-6 A typical firewall configuration for Discoverer using HTTP

Text description of the illustration secure3.gif

12.9.6 Can I configure Discoverer to work through multiple firewalls?

Yes, if you are using HTTP or HTTPS, Discoverer will work through multiple firewalls (for more information, see Section 12.9.5, "How do I configure Discoverer to work through a firewall?").

12.9.7 How do I configure Discoverer to use encryption in an intranet?

You configure Discoverer to use encryption as follows:

• Discoverer Viewer

  Configure mod_ossl to use HTTPS (for more information, see Oracle Application Server HTTP Administrator's Guide) and deploy Discoverer Viewer on a HTTPS URL.

• Discoverer Plus

  Configure mod_ossl to use HTTPS (for more information, see Oracle Application Server HTTP Administrator's Guide) and deploy Discoverer Plus on a HTTPS URL. You must change the Discoverer Plus communication protocol to Secure Tunneling (for more information, see Section 12.7.3.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol").

12.9.8 How do I configure Discoverer to use encryption through firewalls?

You configure Discoverer to use encryption through firewalls as follows:

• Discoverer Viewer

  Configure Discoverer Viewer to work through a firewall (for more information, see Section 12.9.5, "How do I configure Discoverer to work through a firewall?"). Then, make sure that the firewall(s) allow HTTPS traffic to pass through.

• Discoverer Plus

  Configure Discoverer Plus to work through a firewall (for more information, see Section 12.9.5, "How do I configure Discoverer to work through a firewall?"). Then, make sure that the firewall(s) allow HTTPS traffic to pass through.

Figure 12-7 A typical firewall configuration for Discoverer using HTTPS

Text description of the illustration secure5.gif

12.9.9 How can I verify that Discoverer is encrypting communications?

In Discoverer Viewer, make sure that client browsers display a closed padlock or other equivalent symbol (browser dependent) in the Discoverer Viewer browser's status bar.

In Discoverer Plus, make sure that the client displays a closed padlock symbol in the bottom left-hand corner of the Discoverer Plus applet window.

12.9.10 Can I configure Discoverer for both intranet users and users accessing Discoverer through a firewall?

Yes. you can configure Discoverer for both intranet users and Internet users. For example, if you use the Default Discoverer Plus communication protocol:

• sessions connecting from inside the firewall use a direct JRMP connection because JRMP is a direct connection that only works inside a firewall

• sessions connecting from outside the firewall automatically use a HTTP or HTTPS connection (depending on the URL)

12.9.11 Can I use Discoverer with a NAT device?

Yes, you can deploy Discoverer using any standard Network Address Translation (NAT) device.