Oracle® Application Server Security Guide
10g Release 2 (10.1.2)
Part No. B13999-01
Contents

List of Figures

Title and Copyright Information

Send Us Your Comments

Preface

Documentation Accessibility
Audience
Organization
Related Documentation
Conventions

1 Oracle Application Server Security Overview

Introduction to Oracle Application Server
Security As a System Issue
Web Browsers
Firewalls
Load Balancers
Virtual Private Networks (VPNs)
Overview of SSL Keys and Certificates
Security Objectives
Providing Basic Security Services
Supporting Standards
Ensuring Deployment and Configuration Flexibility
Minimizing Application Development and Deployment Cost
Providing Security In Depth
Oracle Application Server Middle-Tier Components
Oracle Application Server Web Cache
Oracle HTTP Server
Oracle HTTP Server Security Services Overview
Oracle Application Server Containers for J2EE (OC4J) and OracleAS JAAS Provider
Applications and Tools
OracleAS Portal
Identity Management Infrastructure
Configuration Options and Common Topologies
Security Platform Capabilities in Oracle Application Server 10g
Oracle Identity Management Enhancements
Oracle Identity Management Components
General Security Enhancements
Oracle HTTP Server Enhancements
Privilege Delegation
Oracle Workflow
Oracle Application Development Framework (Oracle ADF)

2 Oracle Application Server Security Architecture

Security Architecture of Oracle Application Server
Elements of Oracle Application Server Security Architecture
Oracle HTTP Server Security
Message Flow With Single Sign-On
Authenticating To an External Application For the First Time
SSL Acceleration
J2EE Security and JAAS
Oracle Application Server Portal Security
Oracle Application Server Web Cache Security
Oracle Advanced Security

3 Recommended Deployment Topologies

The Need for Firewalls and Hardware Load Balancers
General Architecture and Concepts
DMZ Zones
Configuring DMZ-Based Architectures
Hardware Load Balancers and HTTPS to HTTP Appliances
Enterprise Data Center Topologies
J2EE Applications
Mod_plsql Applications
OracleAS Portal and OracleAS Wireless Applications
OracleAS Single Sign-On and OracleAS Web Cache Considerations
Oracle Application Server Single Sign-On Considerations
Oracle Application Server Web Cache Considerations

4 Oracle Identity Management

The Role Of Oracle Identity Management
Dependencies on Oracle Identity Management
Leveraging Third-Party Identity Management Services
Features and Benefits Of Oracle Identity Management
Centralized User Management
Password Management Policies
Changing Instance Passwords in Oracle Internet Directory
OracleAS Single Sign-On for Authentication
Transparent Sign-On To Non-Oracle Environments
Secure and Transparent Sign-On To Oracle Database
Delegated Administration and Self-Service Interfaces
Role-Based Access Control and Privilege Delegation
Installation and Deployment Privileges
Provisioning Integration
Public Key Infrastructure (PKI) and OracleAS Certificate Authority
Integrating Third-Party Identity Management Solutions
Integrating Third-Party LDAP Directories and Other Directory Sources
Integrating Third-Party Single Sign-On Services
Integrating Third-Party Provisioning Solutions

5 Privilege Delegation

Introduction
How Delegation Works
Delegating Privileges
How Privileges Are Granted for Managing User and Group Data
Security Goals for Privilege Model
Roles and Responsibilities
Delegation of Privileges for Component Runtime

6 Security Best Practices

General Best Practices
Best Practices for HTTPS Use
Assign Lowest Level Privileges Adequate for the Task
Best Practices for Cookie Security
Best Practices in Systems Setup
Best Practices for Certificates Use
Review Code and Content Against Already Known Attack
Follow Common Sense Firewall Practices
Leverage Declarative Security
Use Switched Connections in DMZ
Place Application Server in the DMZ
Secure Sockets Layer
Tune the SSL SessionCacheTimeout Directive
Plan Out Final Topology Before Installing Security Components
JAAS Best Practices
J2EE Security Best Practices
Avoid Writing Custom User Managers
Authentication Mechanism with the JAAS Provider
Use Fine-Grained Access Control
Use Oracle Internet Directory as the Central Repository
Develop Appropriate Logout Functionality for J2EE Applications
OracleAS Single Sign-On Best Practices
Configure for High Availability
Leverage Oracle Application Server Single Sign-On
Use an Enterprise-Wide Directory in Place
Use OracleAS Single Sign-On Instead of Writing Custom Authentication Logic
Always Use SSL with Oracle Application Server
Username and Password Only on Login Screen
Log Out So Cookies Do Not Remain Active
Oracle Internet Directory Deployment Best Practices
Use bulkload.sh Utility
Replicate for High Availability
Use SSL Binding
Use Backup and Restore Utilities
Monitoring and Auditing Oracle Internet Directory
Assign Oracle Internet Directory Privileges
Change Access Control Policies
Best Practice for Directory Integration Platform
Use Identity Management Realms
Configuring DIP Synchronization Service
Oracle HR Synchronization
Recommendations for Migrating Oracle9iAS Applications to an Existing Oracle Internet Directory
Configuration of the Self-Service Console
Use opmnctl instead of oidmon and oidctl
Configure Active Directory Synchronization
Use User Attributes and Password Hints for Resets

Glossary

Index