Oracle Application Server Discoverer Configuration Guide 10g (9.0.4) Part Number B10273-01
This chapter describes the different security mechanisms that Discoverer uses to protect sensitive resources, and contains the following topics:
Discoverer uses (and must therefore protect) different sensitive resources, including:
The table below shows the sensitive resources used and protected by the different Discoverer components:
Discoverer uses a number of security mechanisms to prevent unauthorized access to the above resources. These security mechanisms are provided by the following security models:
The diagram below shows the multiple security mechanisms employed by Discoverer, all of which ultimately protect data and system resources from unauthorized access:
The security mechanisms that Discoverer employs will depend on the category of Discoverer user (as defined by the Discoverer product they are using), as follows:
The table below shows which security models are used by which Discoverer components:
At the most basic level, data in the database is protected from unauthorized access by the database's own security model. In the case of an Oracle database, this security model comprises:
The database privileges granted directly to database users (or granted indirectly via database roles) determine the data that users can access. Typically, you will set up database security using a database administration tool or SQL*Plus.
Discoverer uses the database's own security model to make sure that users never see information to which they do not have database access.
For more information about the database security model and how Discoverer uses it, see Oracle Discoverer Administrator Administration Guide.
Discoverer managers use Discoverer Administrator to grant Discoverer access permissions and task privileges directly to database users (or indirectly via database roles), as follows:
Regardless of the access permissions and task privileges granted in Discoverer Administrator, a Discoverer end user only sees folders if that user has been granted the following database privileges (either directly or through a database role):
Even if they share workbooks with each other, Discoverer users will never see information to which they do not have database access.
Discoverer Administrator also enables Discoverer managers to protect system resources by:
Discoverer managers can extend Discoverer functionality by registering their own PL/SQL functions. However, they can only register PL/SQL functions to which they have been granted the EXECUTE database privilege.
For more information about the Discoverer EUL security model, see Oracle Discoverer Administrator Administration Guide.
If you disable Discoverer Plus, Discoverer end users will only have read-only access to workbooks using Discoverer Viewer.
A common use of Discoverer is to provide ad-hoc query access to Oracle Applications databases. To provide such access, Discoverer managers can use Discoverer Administrator to create Applications mode EULs.
An Oracle Applications mode EUL is a Discoverer End User Layer based on an Oracle Applications schema (containing the Oracle Applications FND (Foundation) tables and views).
Oracle Applications EULs make use of the following Oracle Applications security model features:
Oracle Applications EULs employ Oracle Applications user names and responsibilities whereas standard EULs use database users and roles. Discoverer managers running Discoverer Administrator in Oracle Applications mode grant access permissions or task privileges to Oracle Applications responsibilities instead of roles.
Many Oracle Applications tables and views are user-sensitive, and will return different results depending on which user/responsibility is used to access these tables/views. Discoverer correctly runs queries that respect these user-sensitive tables and views.
Oracle Applications multiple organizations support enables Discoverer to work with data from more than one organization. Discoverer end users can query and analyze data from the set of organizations to which they have been granted access. The folders in the EUL must be based on Oracle Business Views (available in Oracle Applications 11i).
For more information about the Oracle Applications security model and how Discoverer uses it, see Oracle Discoverer Administrator Administration Guide.
OracleAS Security is an integrated management and security framework that provides:
The OracleAS Security model comprises:
To make sure that Discoverer fully leverages the OracleAS Security model:
In addition, the OracleAS Security model underpins the Discoverer connection mechanism (for more information, see Section 12.6.1, "About Discoverer public connections and the OracleAS Security model").
For more information about OracleAS Security, see:
Discoverer managers can give users access to information by using OracleAS Oracle Enterprise Manager to create public connections. Each connection specifies an EUL containing one or more business areas.
Discoverer managers can control users' access to information by restricting users to using public connections or by giving users permission to create their own private connections.
For more information about connections, see Section 3.1, "Managing OracleAS Discoverer connections".
OracleAS Framework Security provides a number of services, including:
You can specify that Discoverer uses the HTTPS/SSL support offered by the Oracle HTTP Server as one of the communication protocols to communicate between the Discoverer server and the Discoverer client tier components. For more information, see:
For more information about OracleAS Framework Security, see Oracle Application Server Security Guide.
You can use Discoverer in different network environments that might or might not include firewalls using different communication protocols (i.e. JRMP, HTTP, HTTPS).
The most appropriate network environment depends on both existing network strategies in your organization as well as your requirements for:
Note that you must use HTTPS if you want to make sure that sensitive information (e.g. passwords, data) is securely transmitted across a network.
Discoverer Viewer and Discoverer Plus require different security configurations:
For more information, see:
Discoverer Viewer uses standard HTTP or HTTPS protocols to connect Discoverer Viewer clients to the Discoverer servlet.
Note: Discoverer Viewer client machines require only a standard Web browser to run Discoverer Viewer.
In a default OracleAS installation, Discoverer Viewer is configured as follows:
Discoverer Plus uses standard Java Remote Method Protocol (JRMP), HTTP or HTTPS protocols to connect clients to the Discoverer servlet.
Discoverer Plus uses two communication channels:
In a default OracleAS installation, Discoverer Plus is configured as follows, depending on the environment:
Make sure that the default Discoverer Plus communication protocol (i.e. Default) is selected (for more information, see Section 12.7.3.4, "How to set up Discoverer Plus to use the Default communication protocol").
Although an HTTP connection will work with the Discoverer Plus communication protocol option set to Default, you can improve performance by specifying the Tunneling option on the Discoverer Plus communication protocol page (for more information, see Section 12.7.3.5, "How to set up Discoverer Plus to use the Tunneling communication protocol").
For more information about deploying Discoverer Plus over HTTPS, see Section 2.8, "About running Discoverer over HTTPS".
If you are using a non-standard SSL signing authority, you might need to configure the certdb.txt file on client machines (for more information, see Section 12.7.3.1, "About configuring Discoverer Plus for a non-standard SSL signing authority"). If you are using a firewall, open the firewall for the Oracle HTTP Server SSL port used by OracleAS (e.g. port 4443).
Although an HTTPS connection will work with the Discoverer Plus communication protocol option set to Default, you can improve performance by specifying the Tunneling option or Secure Tunneling option on the Discoverer Plus communication protocol page (for more information, see Section 12.7.3.2, "About specifying a Discoverer Plus communication protocol").
If you are deploying Discoverer Plus using a non-standard or private SSL signing authority, you need to make sure that the root certificate information is in the certdb.txt file on each client machine (for more information about the location of configuration files, see Section A.2, "List of Discoverer file locations"). Certificate information is required in the certdb.txt file because Discoverer Plus ignores the browser's signing authority and uses Oracle JInitiator's SSL technology.
Using Application Server Control, you can specify which communication protocol the Discoverer Plus applet (i.e. the Discoverer client) and the Discoverer servlet (i.e. on the Discoverer middle tier) use to communicate. The three communication protocol options are:
Specify this option if you want the Discoverer Plus applet to attempt to use JRMP and if this fails, to use HTTP or HTTPS (depending on the URL) to communicate with the Discoverer servlet.
The advantage of using the Default communication protocol is that Discoverer Plus works regardless of whether the client browser is running inside or outside a firewall. However, it will be slower outside the firewall because JRMP will be tried first.
For more information about specifying this option, see Section 12.7.3.4, "How to set up Discoverer Plus to use the Default communication protocol".
Specify this option if you want the Discoverer Plus client to connect using the same method to communicate with the Discoverer servlet as was originally used to download the applet itself (i.e. either HTTP or HTTPS depending on the URL). This option works regardless of whether a firewall is being used.
The advantage of using the Tunneling communication protocol is that it is quicker than the Default option, because a JRMP connection is not attempted first before failing and trying again using HTTP.
For more information about specifying this option, see Section 12.7.3.5, "How to set up Discoverer Plus to use the Tunneling communication protocol".
Specify this option if you want the Discoverer Plus client to always use HTTPS to communicate with the Discoverer servlet.
The advantage of using the Secure Tunneling communication protocol is that it is quicker than the Default option, because a JRMP connection is not attempted first before failing and trying again using HTTPS.
For more information about specifying this option, see Section 12.7.3.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol".
You use the Discoverer Plus Communication Protocols page in Application Server Control to specify a Discoverer Plus communication protocol. For example, if you want to encrypt Discoverer Plus data, you might want to configure Discoverer Plus to use the HTTPS communication protocol.
How to display the OracleAS Discoverer Plus Configuration page in Application Server Control:
Hint: To display the Discoverer Plus link, either scroll down the page to the Components area, or select the Components link.
To set up Discoverer Plus to use the Default communication protocol:
For example, http://<host.domain>:7779/discoverer/plus
The Discoverer Plus applet will attempt to use JRMP. If JRMP is not available, the Discoverer Plus applet will use HTTP or HTTPS (depending on the URL) to communicate with the Discoverer servlet.
Note: This option works regardless of whether the applet is running inside or outside a firewall. However, it will be slower outside the firewall because JRMP will be tried first. For more information about the other options on this page, refer to Section 12.7.3.2, "About specifying a Discoverer Plus communication protocol".
To set up Discoverer Plus to use the Tunneling communication protocol:
For example, http://<host.domain>:7779/discoverer/plus
The Discoverer Plus applet will use the same protocol to communicate with the Discoverer servlet as was originally used to download the applet itself (i.e. either HTTP or HTTPS). This option works regardless of whether a firewall is being used.
To set up Discoverer Plus to use the Secure Tunneling communication protocol:
For example, https://<host.domain>:4443/discoverer/plus
The Discoverer Plus applet will use the HTTPS protocol to communicate with the Discoverer servlet.
When a Discoverer end user starts Discoverer Plus for the first time on a client machine, they are prompted to confirm that they want to accept a default security certificate. Before selecting the Yes option on the Security Alert dialog, the Discoverer end user must install a Discoverer Plus security certificate on the client machine (for more information, see Section 12.7.1, "About specifying Discoverer communication protocols").
Oracle Identity Management Infrastructure provides a number of services, including:
You can specify that Discoverer uses OracleAS Single Sign-On to enable users to access Discoverer using the same user name and password as other Web applications. For more information, see:
For more information about Oracle Identity Management Infrastructure, see Oracle Identity Management Concepts and Deployment Planning Guide.
This section describes OracleAS Single Sign-On and how to use it with Discoverer.
OracleAS Single Sign-On is a component of Oracle Application Server that enables users to log in to all the features of the OracleAS product set (as well as to other Web applications) using a single user name and password that is entered once.
Note: OracleAS Single Sign-On is implemented using Oracle Single Sign-On Server.
When you install OracleAS, the OracleAS Single Sign-On service is installed automatically, but it is not enabled by default. For information about how to enable OracleAS Single Sign-On, see Section 12.8.2.2, "How to enable Single Sign-On for Discoverer".
Discoverer connections work in both Single Sign-On and non-Single Sign-On environments. In an OracleAS Single Sign-On environment, if a Discoverer end user starts Discoverer without having been authenticated by OracleAS Single Sign-On, the user is challenged for Single Sign-On details (user name and password). Having provided Single Sign-On details, the user can display the Discoverer connections page and start Discoverer without having to enter a user name or password again.
Note: For more information about how OracleAS Discoverer works with OracleAS Portal and Single Sign-On, see Section 12.8.2.3, "An example showing how Discoverer works with OracleAS Portal and Single Sign-on".
You enable Single Sign-On on the OracleAS Discoverer instance.
To enable Single Sign-On, do the following:
<Location /discoverer/plus*>
  require valid-user
  AuthType Basic
</Location>
<Location /discoverer/viewer>
  require valid-user
  AuthType Basic
</Location>

opmnctl stopall
opmnctl startall
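The following check is an added example, not part of the Oracle guide: a Python script that parses an Oracle HTTP Server configuration fragment and reports whether the two Location blocks shown above are present with both directives. The sample configurations are constructed, and matching the paths exactly as /discoverer/plus* and /discoverer/viewer is an assumption of this example.

```python
import re

# Paths and directives copied from the Location blocks in the procedure above.
REQUIRED_PATHS = ("/discoverer/plus*", "/discoverer/viewer")
REQUIRED_DIRECTIVES = {"require": "valid-user", "authtype": "basic"}

LOCATION_OPEN = re.compile(r"<Location\s+(\S+?)\s*>", re.IGNORECASE)
LOCATION_CLOSE = re.compile(r"</Location\s*>", re.IGNORECASE)

# Constructed sample inputs (not taken from a real server).
GOOD_CONF = """\
<Location /discoverer/plus*>
  require valid-user
  AuthType Basic
</Location>
<Location /discoverer/viewer>
  require valid-user
  AuthType Basic
</Location>
"""
BAD_CONF = """\
<Location /discoverer/viewer>
  require valid-user
  # AuthType Basic
</Location>
"""


def parse_locations(conf_text):
    """Return {path: {directive_name: value}} for every <Location> block."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        opened = LOCATION_OPEN.fullmatch(line)
        if opened:
            current = blocks.setdefault(opened.group(1).strip('"'), {})
        elif LOCATION_CLOSE.fullmatch(line):
            current = None
        elif current is not None:
            parts = line.split(None, 1)  # directive name, then its arguments
            current[parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
    return blocks


def audit(conf_text):
    """Return findings; an empty list means both Discoverer URLs are covered."""
    blocks = parse_locations(conf_text)
    findings = []
    for path in REQUIRED_PATHS:
        block = blocks.get(path)
        if block is None:
            findings.append(f"{path}: no <Location> block")
            continue
        for name, expected in REQUIRED_DIRECTIVES.items():
            if block.get(name) != expected:
                findings.append(f"{path}: missing '{name} {expected}'")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, audit(conf) or "OK")
```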
When you publish Discoverer content in a portlet on an OracleAS Portal page, you give portal users access to the Discoverer workbooks and worksheets. However, portal users accessing Discoverer workbooks only see data to which they have database access. In other words, two different users accessing the same workbook might see different data, depending on their database privileges. For more information, see Section 9.1, "Using OracleAS Discoverer with OracleAS Portal".
To illustrate how OracleAS Discoverer works with OracleAS Portal, consider the following example:
Imagine that there are two single sign-on users:
User SSO-A using connection Conn-A creates two workbooks Workbook 1 and Workbook 2 in the Marketing EUL. User SSO-A uses Discoverer Plus to share Workbook 2 with DBUSER-B.
User SSO-B using connection Conn-B creates two workbooks Workbook 3 and Workbook 4 in the Marketing EUL. User SSO-B uses Discoverer Plus to share Workbook 4 with DBUSER-A.
This situation is shown in the figure below:
Now imagine that user SSO-A creates a List Of Workbooks portlet using Conn-A, and chooses the 'Use user's database connection' option in the Logged In users section (i.e. in the Select Database Connections page in the Discoverer Portlet Provider).
When user SSO-A accesses the List Of Workbooks portlet, the following workbooks are available:
When user SSO-B accesses the same List Of Workbooks portlet, the following workbooks are available:
This situation is shown in the figure below:
If you are not deploying Discoverer with Single Sign-On, end users must confirm the database password each time a private connection is used. In other words, when a Discoverer end user chooses a private connection for the first time in a browser session, they are prompted to confirm the database password. They are not prompted for SSO login details.
If the end user closes the Web browser and then starts the Web browser again (i.e. creates a new browser session), they are prompted to confirm their database password. End users do not have to confirm passwords for public connections (for more information, see Section 3.3.2, "About public connections").
A firewall is one system or a group of several systems put in place to enforce a security policy between the Internet and an organization's network.
In other words, a firewall is an electronic 'fence' around a network to protect it from unauthorized access.
Typically, an organization using a Web Server machine that communicates across the Internet has a firewall between its Oracle HTTP Server machine and the Internet. This is known as a Server-side firewall. Other organizations (or remote parts of the same organization) connecting to this Web Server machine typically have their own firewall, known as a Client-side firewall. Information that conforms to the organization's firewall policy is allowed to pass through the firewalls enabling server machines and client machines to communicate.
A demilitarized zone (DMZ) is a firewall configuration that provides an additional level of security. In this configuration, the DMZ is an extra network placed between a protected network and the Internet. Resources residing within the DMZ are visible on the public Internet, but are secure. DMZs typically hold servers that host a company's public Web site, File Transfer Protocol (FTP) site, and Simple Mail Transfer Protocol (SMTP) server.
Firewall policies vary across organizations and there are a wide variety of bespoke and off-the-shelf firewall packages in use.
A good firewall configuration assumes that resources in the DMZ will be breached and, if this happens, should minimize damage to the internal network and any sensitive data residing on the network. This involves two steps:
The HTTPS protocol uses an industry standard protocol called Secure Sockets Layer (SSL) to establish secure connections between clients and servers.
The SSL protocol enables sensitive data to be transmitted over an insecure network, such as the Internet, by providing the following security features:
You can tell when SSL is enabled in Discoverer as follows:
You configure Discoverer to work in an intranet as follows:
Deploying Discoverer Viewer in an intranet (i.e. inside a firewall) requires no additional configuration after an OracleAS installation. Discoverer Viewer uses an HTTP connection.
Deploying Discoverer Plus in an intranet (i.e. inside a firewall) requires no additional configuration after an OracleAS installation. Discoverer Plus uses a direct connection using JRMP.
You configure Discoverer to work through firewalls with HTTP or HTTPS, as follows:
Discoverer Viewer requires no additional configuration as long as the firewall allows HTTP traffic to pass through.
Discoverer Plus requires no additional configuration as long as the firewall allows HTTP or HTTPS traffic to pass through.
To improve performance, you might want to change the Discoverer Plus communication protocol to one of the following:
Yes, if you are using HTTP or HTTPS, Discoverer will work through multiple firewalls (for more information, see Section 12.9.5, "How do I configure Discoverer to work through a firewall?").
You configure Discoverer to use encryption as follows:
Configure mod_ossl to use HTTPS (for more information, see Oracle Application Server HTTP Administrator's Guide) and deploy Discoverer Viewer on an HTTPS URL.
Configure mod_ossl to use HTTPS (for more information, see Oracle Application Server HTTP Administrator's Guide) and deploy Discoverer Plus on an HTTPS URL. You must change the Discoverer Plus communication protocol to Secure Tunneling (for more information, see Section 12.7.3.6, "How to set up Discoverer Plus to use the Secure Tunneling communication protocol").
You configure Discoverer to use encryption through firewalls as follows:
Configure Discoverer Viewer to work through a firewall (for more information, see Section 12.9.5, "How do I configure Discoverer to work through a firewall?"). Then, make sure that the firewall(s) allow HTTPS traffic to pass through.
Configure Discoverer Plus to work through a firewall (for more information, see Section 12.9.5, "How do I configure Discoverer to work through a firewall?"). Then, make sure that the firewall(s) allow HTTPS traffic to pass through.
In Discoverer Viewer, make sure that client browsers display a closed padlock or other equivalent symbol (browser dependent) in the Discoverer Viewer browser's status bar.
In Discoverer Plus, make sure that the client displays a closed padlock symbol in the bottom left-hand corner of the Discoverer Plus applet window.
Yes, you can configure Discoverer for both intranet users and Internet users. For example, if you use the Default Discoverer Plus communication protocol:
Yes, you can deploy Discoverer using any standard Network Address Translation (NAT) device.
Copyright © 2003 Oracle Corporation. All Rights Reserved.