| Oracle® Files Administrator's Guide Release 2 (9.0.4) Part Number B10872-02 |
|
|
View PDF |
| Oracle® Files Administrator's Guide Release 2 (9.0.4) Part Number B10872-02 |
|
|
View PDF |
Oracle Files provides the basic security infrastructure required by any shared, network-accessible system, including authentication and authorization. This chapter describes the architecture and configuration of security in Oracle Files. Topics include:
Authentication is a process in which a user provides some proof of identity (called a credential, which is often constructed from a user's password by means of a hashing or encryption algorithm) before that user can attempt to access objects in the system. Oracle Files uses Oracle Internet Directory, Oracle's LDAP-compliant directory service, for authentication.
Users supply a credential to the client software. This credential is passed to the Oracle Files protocol servers, which in turn pass it to Oracle Files for authentication. Then, Oracle Files passes the credential to Oracle Internet Directory. Oracle Internet Directory determines whether the credential is valid for the user.
The defined behavior of some industry-standard protocols is inherently insecure. Oracle has no control over the defined behavior of these protocols; these security issues do not represent defects in Oracle software.
The FTP and AFP protocols send unencrypted user passwords across the network. If you are unwilling to accept this behavior, you should disable these protocols. Alternatively, you can configure Oracle Files to require Oracle Files-specific passwords for these protocols to avoid compromising users' Oracle Internet Directory passwords.
The HTTP/DAV protocol allows both basic (plain text) and digest (hashed challenge/response) authentication. Oracle Files enables basic authentication by default. If basic authentication is enabled, unencrypted user passwords are sent across the network, unless HTTP/DAV is configured to use SSL. Whether HTTP/DAV uses SSL depends on the configuration of Oracle HTTP Server, and on whether Oracle Files has been configured for SSL. If you are concerned about HTTP/DAV basic authentication, you should configure Oracle HTTP Server and Oracle Files to use SSL.
AFP, FTP, HTTP/DAV, NFS, and SMB/NTFS protocols do not encrypt the network channel by default. This means that files transferred using these protocols are susceptible to interception. If you are unwilling to accept this behavior, you should disable these protocols, or configure them to use SSL (HTTP/DAV only).
Some protocols, including AFP and FTP, send unencrypted passwords over the network, which means that if one of these passwords is intercepted, it could provide access to all systems controlled by Oracle Internet Directory for that user. To provide more security, you should create an Oracle Files-specific password (rather than the default Oracle Internet Directory password) to authenticate users of these protocol servers.
The Oracle Files-specific password is stored in Oracle Internet Directory for use with specific protocols. This password is different from and additional to the regular Oracle Internet Directory password.
Each user can have only one Oracle Files-specific password per Oracle Files domain; users cannot create separate passwords for different protocol servers that are in the same domain.
Protocols with which to associate an Oracle Files-specific password were selected during Oracle Files configuration. By default, FTP and AFP require users to log in with an Oracle Files-specific password rather than an Oracle Internet Directory password.
To change the set of protocols that require the Oracle Files-specific password, edit the following service configuration property:
IFS.SERVICE.CREDENTIALMANAGER.Oid.IfsPasswordApplications
Only the AFP, FTP, and SMB/NTFS protocols may use the Oracle Files-specific password. See "Changing a Service Configuration" for information on editing service configuration parameters.
To set Oracle Files-specific passwords, use the Protocol Access page in Oracle Files. See the Oracle Files online help for details.
Read the following sections for security information about administration interfaces, JDBC, Oracle Internet Directory, and client software.
To perform Oracle Files administration tasks using the Oracle Enterprise Manager Web site or the Grid Control, administrators authenticate using an HTML form. Unless Oracle HTTP Server and Oracle Enterprise Manager are configured for SSL, unencrypted passwords are transmitted over the network.
By default, JDBC does not encrypt network connections between Oracle Files and the Oracle9i Database Server. Sites can opt to use Oracle Advanced Security to encrypt these connections.
You can choose whether to use SSL to connect to Oracle Internet Directory. If you do not choose to use SSL, unencrypted passwords may be sent over network connections between Oracle Files processes and Oracle Internet Directory.
Oracle FileSync, the client file synchronization software, stores a cookie in the client file system. The Oracle FileSync cookie stores an opaque token (in other words, a randomly-generated string) in order to authenticate a particular user. This credential expires by default after ten days. Administrators can change the expiration date or disable the token credential by changing the IFS.SERVER.PROTOCOL.DAV. IfsServer.Auth.TokenCredential.Timeout property. See "Changing a Server Configuration" for more information.
You can configure Oracle Files to use SSL. Before you do this, you must configure Oracle HTTP Server to use SSL. See the Oracle9i Application Server Security Guide for information about how to configure Oracle HTTP Server to use SSL.
You can also use SSL to connect to Oracle Internet Directory. Before you do this, Oracle Internet Directory must be configured for SSL. See the Oracle Internet Directory Administrator's Guide for detailed information about setting up Oracle Internet Directory for use with SSL.
There are two ways to configure the Oracle Files application to use SSL: you can specify SSL settings during Oracle Files configuration, or you can provide SSL settings after Oracle Files has been installed and configured.
During Oracle Files configuration, you must set key values in the Oracle Files Configuration Assistant in order to configure Oracle Files for SSL.
In the Website Information screen, specify one of the following values for HTTP Port:
If you are using Oracle9iAS Web Cache, enter the Web Cache SSL port. This value is typically 4444.
If you are not using Oracle9iAS Web Cache, enter the non-Web Cache SSL port. This value is typically 4443.
You must also select Uses SSL in this screen.
|
Note: If you are uncertain about which port to specify, use Oracle Enterprise Manager to look at the configuration of the Oracle HTTP Server. |
For full information about using the Oracle Files Configuration Assistant, see the Oracle Files chapter of the Oracle Collaboration Suite Installation and Configuration Guide.
If you did not provide SSL information during Oracle Files configuration, but still want to set up Oracle Files to use SSL, perform the steps outlined in the following two sections.
Use the Oracle Enterprise Manager Web site to set server configuration properties, as follows:
From the Oracle9iAS Farm Home page, click the name of the application server on which Oracle Files is running.
The Oracle9iAS Instance Home page appears, listing all the components running on the application server instance. The Oracle Files domain appears in the following format:
iFS_db_host:port:db_service:files_schema
Click the name of the Oracle Files domain. The Oracle Files Home page appears.
Click Server Configurations (under the Configuration heading).
Click FilesBaseServerConfiguration. The Edit page appears.
In the Properties section, select IFS.SERVER.APPLICATION.UIX.Application UseHttps and click Edit.
Set the Value to True and click OK.
Select IFS.SERVER.APPLICATION.UIX.ApplicationPort and click Edit.
Set the Value to be one of the following:
If you are using Oracle9iAS Web Cache, enter the Web Cache SSL port. This value is typically 4444.
If you are not using Oracle9iAS Web Cache, enter the non-Web Cache SSL port. This value is typically 4443.
Click OK on the Edit Property page.
Click OK on the Edit Server Configuration page.
Restart the Oracle Files domain. See "Starting and Stopping the Oracle Files Domain" for more information.
In addition to setting Oracle Files server configuration parameters, you may need to set URLs in Oracle9iAS Portal. Wherever the Files Portlet has been registered in Oracle9iAS Portal, you should update the Files Portlet URLs.
You should also check to see that the SSO server URLs for Oracle Files are set correctly for SSL. To do this, follow these steps:
Enter the following URL in a Web browser:
http://infra_host_name:port/pls/orasso
where port is the Oracle HTTP Server port (typically 7777).
Click Login and enter orcladmin as the user name.
Supply the orcladmin password and click Login.
Click SSO Server Administration.
Click Administer Partner Applications.
Click the pencil icon that corresponds to the Oracle Files middle-tier computer.
Ensure that the Home URL appears as follows:
https://mid-tier_host:ssl_port
Ensure that the Success URL appears as follows:
https://mid-tier_host:ssl_port/osso_login_success
Ensure that the Logout URL appears as follows:
https://mid-tier_host:ssl_port/osso_logout_success
Click Apply and confirm to save the changes.
|
Note: In steps 7, 8, and 9,ssl_port can be the Web Cache SSL port or the non-Web Cache SSL port, depending on whether you are using Oracle9iAS Web Cache. |
There are two ways to set up an SSL connection to Oracle Internet Directory: you can specify SSL settings during Oracle Files configuration, or you can provide SSL settings after Oracle Files has been installed and configured. Before you do this, Oracle Internet Directory must be configured for SSL. See the Oracle Internet Directory Administrator's Guide for detailed information about setting up Oracle Internet Directory for use with SSL.
During Oracle Files configuration, you must set key values in the Oracle Files Configuration Assistant in order to connect to Oracle Internet Directory using SSL.
In the Oracle Internet Directory Login screen, specify the Oracle Internet Directory SSL port in the Port field. Typically, the default port number for SSL-enabled Oracle Internet Directory is 636 or 4031. You must also select Uses SSL in this screen.
For full information about using the Oracle Files Configuration Assistant, see the Oracle Files chapter of the Oracle Collaboration Suite Installation and Configuration Guide.
If you did not provide Oracle Internet Directory SSL information during Oracle Files configuration, but still want to connect to Oracle Internet Directory using SSL, perform the following steps using the Oracle Enterprise Manager Web site:
From Oracle9iAS Farm Home page, click the name of the application server on which Oracle Files is running.
The Oracle9iAS Instance Home page appears, listing all the components running on the application server instance. The Oracle Files domain appears in the following format:
iFS_db_host:port:db_service:files_schema
Click the name of the Oracle Files domain. The Oracle Files Home page appears.
Click Service Configurations (under the Configuration heading).
Click the name of the service configuration you are using (for example, SmallServiceConfiguration). The Edit page appears.
In the Properties section, click IFS.SERVICE.CREDENTIALMANAGER.Oid. OidSsl. You may need to move to the second or subsequent page to see this property.
Set the Value to true and click OK.
Select IFS.SERVICE.CREDENTIALMANAGER.Oid.OidUrl and click Edit.
Change the port number listed in the URL to be the SSL-enabled Oracle Internet Directory port, typically 636 or 4031.
Click OK on the Edit Property page.
Click OK on the Edit Server Configuration page.
Restart the Oracle Files domain. See "Starting and Stopping the Oracle Files Domain" for more information.
You cannot change the Oracle Files site_admin password in Oracle Internet Directory. Instead, you must change the site_admin password in the Oracle Files schema.
To change the Oracle Files site_admin password:
Log in to the database as the user who owns the Oracle Files schema:
sqlplus files_schema/files_schema_password
For example:
sqlplus ifssys/ifssys
Execute the following:
variable i number; variable s char(512); call files_schema$cm.ifscredentialmanagerpackage.setpassword( 'site_admin', 'new_password', :s) into :i; print i; exit;
For example:
variable i number; variable s char(512); call ifssys$cm.ifscredentialmanagerpackage.setpassword( 'site_admin', 'xxx', :s) into :i; print i; exit;
A return value of 1 indicates success. Any return value other than 1 indicates failure.
Similar to the site_admin password, you cannot change password of the Oracle Files system user in Oracle Internet Directory. Instead, you must change the system password in the Oracle Files schema.
To change the password of the Oracle Files system user:
Stop the Oracle Files domain. See "Starting and Stopping the Oracle Files Domain" for more information.
Log in to the database as the user who owns the Oracle Files schema:
sqlplus files_schema/files_schema_password
For example:
sqlplus ifssys/ifssys
Execute the following:
variable i number; variable s char(512); call files_schema$cm.ifscredentialmanagerpackage.setpassword( 'system', 'new_password', :s) into :i; print i; exit;
For example:
variable i number; variable s char(512); call ifssys$cm.ifscredentialmanagerpackage.setpassword( 'system', 'xxx', :s) into :i; print i; exit;
A return value of 1 indicates success. Any return value other than 1 indicates failure.
Start the Oracle Files domain. See "Starting and Stopping the Oracle Files Domain" for more information.
After you change the system password, you should encrypt it in targets.xml. See the following section for more information.
The Oracle Files system password is encrypted and stored in Oracle Enterprise Manager, in targets.xml. Under certain conditions, such as after an upgrade, you will be prompted to enter the Oracle Files system user name and password when you navigate to the Oracle Files Home page in the Oracle Enterprise Manager Web site. If you see this prompt, you must provide the system user name and password in order to see elements of the Oracle Files domain from the Oracle Files Home page in the Oracle Enterprise Manager Web site.
The Oracle Enterprise Manager Web site will prompt you to enter the system user name and password in the following cases:
After you upgrade the Oracle Files schema.
After you run ifsca to add a second middle tier for an additional HTTP node, regular node, or to migrate the domain controller, and you choose to reuse the existing schema.
After you have changed the system password in the Oracle Files schema.
If you have performed one of these tasks, you can avoid the system password prompt in the Oracle Enterprise Manager Web site by manually encrypting the system password in targets.xml. To do this, follow these steps:
Stop the Oracle Enterprise Manager Web site:
For UNIX systems, use the emctl stop command. You can find the emctl command-line tool in $ORACLE_HOME/bin/.
For Windows systems, stop the Windows service for the Oracle Enterprise Manager Web site.
Back up the targets.xml file, located in $ORACLE_HOME/sysman/emd.
Change the system password in targets.xml:
Look for the following properties under the oracle_ifs target:
<property NAME="SysadminUsername" VALUE="system"/> <property NAME="SysadminPassword" VALUE="password" ENCRYPTED="TRUE"/>
If these lines are present, update the VALUE attribute of SysadminPassword with the new password, and make sure that the ENCRYPTED attribute is set to FALSE. For example:
<property NAME="SysadminPassword" VALUE="test123" ENCRYPTED="FALSE"/>
If these lines are not present, insert the two property entries. Specify the appropriate value for SysadminPassword, and set the ENCRYPTED attribute to FALSE.
Save the file.
Start the Oracle Enterprise Manager Web site:
For UNIX systems, use the emctl start command. You can find the emctl command-line tool in $ORACLE_HOME/bin/.
For Windows systems, start the Windows service for the Oracle Enterprise Manager Web site.
When the Oracle Enterprise Manager Web site is started, it encrypts the password in targets.xml and changes the ENCRYPTED attribute to TRUE.
Repeat steps 1 - 4 for each middle-tier host in the domain.
In addition to the system password, the Oracle Files schema password is also stored in the Oracle Enterprise Manager targets.xml file. The password is also stored in Oracle Internet Directory. Follow these steps to change the Oracle Files schema password:
Stop the Oracle Files domain using the Oracle Enterprise Manager Web site, or using the ifsctl stop [domain] command. You can find the ifsctl command-line tool in $ORACLE_HOME/ifs/files/bin.
You must also stop the OC4J instances for the HTTP node using the Oracle Enterprise Manager Web site, or using the opmnctl stopproc gid=OC4J_iFS_files command. You can find the opmnctl command-line tool in $ORACLE_HOME/opmn/bin.
See "Starting and Stopping the Oracle Files Domain" for more information about stopping the domain and HTTP nodes.
Change the schema password for the database user.
Change the schema password in Oracle Internet Directory:
In the System Objects directory tree, navigate to the following location:
Root_Oracle_Context
+ Entry Management
+ cn=OracleContext
+ cn=Products
+ cn=IFS
+ orclApplicationCommonName=domain_name
Click orclApplicationCommonName=domain_name to display the Properties tab.
Enter the new schema password in the userpassword field and click Apply.
Stop the Oracle Enterprise Manager Web site:
For UNIX systems, use the emctl stop command. You can find the emctl command-line tool in $ORACLE_HOME/bin/.
For Windows systems, stop the Windows service for the Oracle Enterprise Manager Web site.
Back up the targets.xml file, located in $ORACLE_HOME/sysman/emd.
Change the schema password in targets.xml. If the password is not changed in targets.xml, you will not be able to see any regular nodes or HTTP nodes when you browse to the Oracle Files Home page in the Oracle Enterprise Manager Web site.
Look for the following property under the oracle_ifs target:
<property NAME="SchemaPassword" VALUE="password" ENCRYPTED="TRUE"/>
Update the VALUE attribute with the new schema password.
Make sure that the ENCRYPTED attribute is set to FALSE:
<property NAME="SchemaPassword" VALUE="password" ENCRYPTED="FALSE"/>
Save the file.
Start the Oracle Enterprise Manager Web site:
For UNIX systems, use the emctl start command. You can find the emctl command-line tool in $ORACLE_HOME/bin/.
For Windows systems, start the Windows service for the Oracle Enterprise Manager Web site.
When the Oracle Enterprise Manager Web site is started, it encrypts the password in targets.xml and changes the ENCRYPTED attribute to TRUE.
Repeat steps 4 - 7 for each middle-tier host in the domain.
Restart the Oracle Files Domain using the Oracle Enterprise Manager Web site, or using the ifsctl start [-v] [-n] [domain] command. You can find the ifsctl command-line tool in $ORACLE_HOME/ifs/files/bin.
See "Starting and Stopping the Oracle Files Domain" for more information.
Stop and then start the OC4J instances for the HTTP node (OC4J_iFS_files) on each Oracle Files middle tier.
See "Starting HTTP Nodes" for more information.
