Oracle® Application Server Security Guide
10g Release 2 (10.1.2)
B13999-03
1 Oracle Application Server Security Overview

Oracle Application Server provides a comprehensive security framework supporting all Oracle Application Server components, as well as third-party and custom applications deployed on the application server. The framework is based on Oracle Application Server Single Sign-On for authentication, Oracle Internet Directory for authorization and centralized user provisioning, Oracle HTTP Server for Web access, and OracleAS JAAS Provider for security in Java2 Enterprise Edition (J2EE) applications.

This chapter provides an overview of the security architecture and features of Oracle Application Server. It contains the following topics:

1.1 Introduction to Oracle Application Server

Oracle Application Server is a reliable, scalable, secure middle-tier application server designed to support a company's evolution into e-business. With this product, the technological complexity of assembling a complete middle-tier Internet foundation is managed for you. The technological foundation that Oracle Application Server provides can grow with your business. Your application can start small and support growing numbers of users and sophisticated functionality on all of your Web sites.

Oracle Application Server components provide a general framework for development and deployment of applications, as well as specific application services and functionality. This chapter focuses on the security services provided by Oracle Application Server Infrastructure, which includes Oracle Application Server Single Sign-On and Oracle Internet Directory, an LDAP version 3-compliant directory service. This chapter also provides an overview of the security services provided by Oracle HTTP Server, OracleAS Web Cache, OracleAS Portal, and OracleAS JAAS Provider (Java Authentication and Authorization Service), which provide support for a broad range of application development and deployment strategies.

1.2 Security As a System Issue

Security is a system issue, not a single-product issue. Each component of your application affects the security of the entire system. Proper security requires careful configuration of all system components, including the following third-party components, which the sections below discuss in turn: Web browsers, firewalls, load balancers, and virtual private networks (VPNs).

Oracle Application Server was designed and coded to integrate smoothly with all these external components.

1.2.1 Web Browsers

In the overall system security picture, the Web browser is the component over which e-business sites have the least control. When running a Web storefront, for example, you may not be able to control the browser that customers use. The customer's browser nonetheless affects the security of your system, and must be taken into consideration. To securely implement Web transactions, your application must support specific communications and security technologies, including HTTP, LDAP, SSL, X.509 certificates, and Java.

Most commercially available Web browsers support several of these security-related features. However, users must configure the browser properly to take advantage of its security capabilities.

By default, information sent to and from a Web browser is transmitted in the clear; any intermediate site can read the data and potentially alter it in midstream. Web browsers and servers partially address this problem by using the Secure Sockets Layer to encrypt HTTP transmissions (referred to as HTTP/SSL or HTTPS). This protects data transmitted between the client and the server. However, because commercially available Web browsers do not ship with client certificates, most HTTP/SSL transmissions are authenticated in only one direction, from server to client; the client does not authenticate itself to the server.

Because HTTP is stateless and does not itself support sessions, many e-commerce applications use cookies to store session data for individual customers. Unless HTTPS is in use, these cookies are transmitted as cleartext and can be intercepted by a third party. For this reason, it is wise for the application to encrypt or obfuscate information that is stored in cookies, even when using HTTPS.


Note:

The W3C has a useful discussion of cookie security issues at http://www.w3.org/Security/Faq/wwwsf2.html#CLT-Q10.
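As an added illustration of the advice above (example code written for this page, not Oracle's own code), the following Java class seals a cookie value with AES-GCM under a key that never leaves the server. The browser receives only an opaque string, and any change to that string, or an attempt to present it under a different cookie name, is detected when the cookie comes back. The cookie name, the session string, and the class name are constructed for the example; only standard JDK APIs (javax.crypto, java.util.Base64) are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Seals cookie values with AES-GCM so session data is neither readable nor alterable in transit. */
public class SealedCookie {
    private static final int NONCE_BYTES = 12;   // 96-bit GCM nonce, fresh per cookie value
    private static final int TAG_BITS = 128;     // GCM authentication tag length
    private final SecretKey key;                 // server-side secret, never sent to the browser
    private final SecureRandom rng = new SecureRandom();

    public SealedCookie(SecretKey key) { this.key = key; }

    /** Returns a cookie-safe string: base64url(nonce || ciphertext || tag). */
    public String seal(String cookieName, String plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        rng.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        // Bind the value to its cookie name so a sealed value cannot be replayed under another name
        c.updateAAD(cookieName.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns the plaintext, or null if the cookie was tampered with, truncated or mislabelled. */
    public String open(String cookieName, String sealed) throws GeneralSecurityException {
        byte[] in;
        try {
            in = Base64.getUrlDecoder().decode(sealed);
        } catch (IllegalArgumentException e) {
            return null;                          // not even valid base64url
        }
        if (in.length < NONCE_BYTES + TAG_BITS / 8) return null;   // too short to carry a tag
        byte[] nonce = Arrays.copyOfRange(in, 0, NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(in, NONCE_BYTES, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(cookieName.getBytes(StandardCharsets.UTF_8));
        try {
            return new String(c.doFinal(ct), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            return null;                          // integrity check failed
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SealedCookie cookies = new SealedCookie(kg.generateKey());

        // Constructed sample session data for the demonstration
        String sealed = cookies.seal("SESSION", "user=alice;role=customer;cart=42");
        System.out.println("Set-Cookie: SESSION=" + sealed + "; Secure; HttpOnly");
        System.out.println("opened:     " + cookies.open("SESSION", sealed));

        // Alter one character in the middle of the ciphertext: the GCM tag no longer verifies
        char[] bad = sealed.toCharArray();
        int i = bad.length / 2;
        bad[i] = bad[i] == 'A' ? 'B' : 'A';
        System.out.println("tampered:   " + cookies.open("SESSION", new String(bad)));

        // The same sealed value presented under another cookie name is rejected as well
        System.out.println("wrong name: " + cookies.open("PREFS", sealed));
    }
}
```

Run with `javac SealedCookie.java && java SealedCookie`; the last two lines print `null`. The key must be the same on every server that handles the session, which is the same key-distribution concern the load balancer section below raises for SSL keys.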

1.2.2 Firewalls

Firewalls control access between the full Internet and a corporation's internal network. A firewall defines which sorts of Internet communications will be permitted into the corporate network, and which will be blocked. A well-designed firewall can foil many common Internet-based security attacks. However, a firewall is only as secure as its maintenance. New Internet-based attacks are constantly being designed, and firewall configurations must constantly be updated to keep abreast of these attacks.

Firewalls monitor communications methods, not communications content. Therefore, firewalls cannot protect your application against misuse of permitted communications channels. For instance, to permit the use of the Web, a firewall must permit HTTP communication. Because firewalls do not monitor content, a firewall cannot protect against security attacks transmitted within valid HTTP messages. Similarly, because a firewall does not monitor the content of e-mail messages, it cannot prevent the transmission of e-mail viruses.

1.2.3 Load Balancers

Load balancing distributes an application's load over many identically configured servers. This distribution ensures consistent application availability, even when one or more servers fail. Load balancing has a significant impact on security design, especially on encryption issues. For instance, in many installations, SSL keys are unique to a particular server in a cluster and are not necessarily shared with other servers. Because the keys are not shared, moving an SSL session from one server to another is complicated.

1.2.4 Virtual Private Networks (VPNs)

A Virtual Private Network (VPN) allows applications to use the public Internet to communicate securely with the corporate LAN. All IP communications between the application and the corporate LAN are encrypted so that they cannot be read or altered by intermediate sites. A VPN prevents a third party from monitoring or altering communications. Like other network-based security solutions, VPNs cannot prevent the transmission of viruses, nor can they control the content of the information being transmitted.

1.3 Overview of SSL Keys and Certificates

The Secure Sockets Layer (SSL) provides secure communications over intranets and the Internet. This section discusses the basic concepts underlying SSL implementations.

In SSL communication between two entities, such as companies or individuals, the server has a public key and an associated private key. Each key is a number, with the private key of an entity being kept secret by that entity, and the public key of an entity being publicized to any other parties with which secure communication might be necessary. The security of the data exchanged is guaranteed by keeping the private key secret, and by the complex encryption algorithm. This system is known as asymmetric encryption, because the key used to encrypt data is not the same as the key used to decrypt data.

Asymmetric encryption has a performance cost due to its complexity. A much faster system is symmetric encryption, where the same key is used to encrypt and decrypt data. But the weakness of symmetric encryption is that the same key has to be known by both parties, and if anyone intercepts the exchange of the key, then the communication becomes insecure.

SSL uses both asymmetric and symmetric encryption to communicate. An asymmetric key (the PKI public key) is used to encrypt a symmetric encryption key (the bulk encryption key); the bulk encryption key is then used to encrypt subsequent communication. After both sides agree on the bulk encryption key, faster communication is possible without losing security and reliability.

When an SSL session is negotiated, the following steps take place:

  1. The server sends the client its public key.

  2. The client creates a bulk encryption key, often a 128-bit RC4 key, using a specified encryption suite.

  3. The client encrypts the bulk key with the server's public key, and sends the encrypted bulk key to the server.

  4. The server decrypts the bulk encryption key using the server's private key.

This set of operations is called key exchange. After key exchange has taken place, the client and the server use the bulk encryption key to encrypt all exchanged data.
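The four steps above, worked through with the standard JDK cryptography APIs as an added example (this is illustration code for this page, not code from Oracle Application Server). AES-128 stands in for the RC4 bulk key the text mentions, RSA-OAEP is the wrapping operation of steps 3 and 4, and the sample request string is constructed; class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Walks through the key exchange: the client wraps a bulk key with the server's public key. */
public class BulkKeyExchange {
    static final String WRAP_ALG = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String BULK_ALG = "AES/GCM/NoPadding";

    // Step 1: the server's key pair; only the public half is sent to the client.
    static KeyPair serverKeys() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Step 2: the client creates the bulk encryption key (AES-128 here instead of RC4).
    static SecretKey clientBulkKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    // Step 3: the client encrypts (wraps) the bulk key with the server's public key.
    static byte[] wrap(SecretKey bulk, PublicKey serverPub) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(WRAP_ALG);
        rsa.init(Cipher.WRAP_MODE, serverPub);
        return rsa.wrap(bulk);
    }

    // Step 4: the server recovers the bulk key with its private key.
    static SecretKey unwrap(byte[] wrapped, PrivateKey serverPriv) throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance(WRAP_ALG);
        rsa.init(Cipher.UNWRAP_MODE, serverPriv);
        return (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    // After key exchange both sides use the much faster symmetric key for all data.
    static byte[] encrypt(SecretKey bulk, byte[] nonce, String msg) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance(BULK_ALG);
        aes.init(Cipher.ENCRYPT_MODE, bulk, new GCMParameterSpec(128, nonce));
        return aes.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    static String decrypt(SecretKey bulk, byte[] nonce, byte[] ct) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance(BULK_ALG);
        aes.init(Cipher.DECRYPT_MODE, bulk, new GCMParameterSpec(128, nonce));
        return new String(aes.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair server = serverKeys();                 // server side
        SecretKey clientKey = clientBulkKey();         // client side
        byte[] onTheWire = wrap(clientKey, server.getPublic());
        System.out.println("wrapped bulk key: " + onTheWire.length + " bytes (one RSA-2048 block)");

        SecretKey serverKey = unwrap(onTheWire, server.getPrivate());
        System.out.println("server recovered the same key: "
                + Arrays.equals(clientKey.getEncoded(), serverKey.getEncoded()));

        // Constructed application message, protected with the agreed bulk key
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        byte[] ct = encrypt(clientKey, nonce, "GET /order/42 HTTP/1.1");
        System.out.println("server decrypted: " + decrypt(serverKey, nonce, ct));
    }
}
```

Only the wrapped key crosses the wire, so an observer who captures the exchange learns nothing without the server's private key; that is why protecting the private key (in a wallet or keystore, as described below) is the whole basis of the session's security.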


Note:

It is possible, but rare, for the client to have its own private and public keys as well.

In SSL, the public key of the server is sent to the client in a data structure known as an X.509 certificate. This certificate, created by a certificate authority (CA), contains a public key, information concerning the owner of the certificate, and optionally some digital rights of the owner. Certificates are digitally signed by the CA that created them; the signature is verified using the public key in that CA's own certificate.

In SSL, the receiving process checks the CA's signature on the certificate to ensure that the signer is on its approved list of CAs. When the signing CA's public key is not on the approved list, the check is performed by analysis of certificate chains: the receiving process checks whether the signer of the CA's certificate is on the approved list, or the signer of that signer, and so on. This sequence of certificate, signer of certificate, signer of signer of certificate, and so on is a certificate chain. The highest certificate in the chain (the original signer) is called the root certificate of the certificate chain.

The root certificate is often on the approved list of the receiving process. Certificates in the approved list are called trust points or trusted certificates. A root certificate can be signed by a CA or can be self-signed, meaning that the digital signature that verifies the root certificate is created with the private key corresponding to the public key the certificate contains, rather than with the private key of a higher CA.

Functionally, a certificate acts as a container for public keys and associated signatures. A single certificate file can contain one or multiple chained certificates, up to an entire chain. Private keys are normally kept separately to prevent them from being inadvertently revealed, although they can be included in a separate section of the certificate file for convenient portability between applications.

A keystore is used to store certificates, including the certificates of all trusted parties, for use by a program. Through its keystore, an entity such as OC4J (for example) can authenticate other parties as well as authenticate itself to other parties. Oracle HTTP Server has what is called a wallet for the same purpose. Sun's SSL implementation introduces the notion of a truststore, which is a keystore file that includes the trusted certificate authorities that a client will implicitly accept during an SSL handshake.

In Java, a keystore is a java.security.KeyStore instance that you can create and manipulate using the keytool utility that is provided with the Sun Microsystems JDK. The underlying physical manifestation of this object is a file. Go to http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html for information about keytool.
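Tying the certificate-chain discussion above to the keystore: the following is an added example (written for this page, not Oracle's or Sun's code) that loads a truststore built with keytool, reads a PEM chain (end-entity certificate first), and lets the JDK's PKIX validator perform the "signer of the signer" walk until it reaches a trust point. The file names, the alias and the password in the usage note are placeholders; the class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Validates a PEM certificate chain against the trust points held in a keystore (truststore). */
public class ChainCheck {

    /** Loads the truststore; its trusted-certificate entries form the approved list of CAs. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads one or more PEM certificates: end-entity first, then each signer up the chain. */
    static List<X509Certificate> readChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * Follows each certificate to its issuer until a certificate in the truststore is reached,
     * checking signatures and validity periods on the way. Returns the trust point that
     * terminated the chain, or null if the chain was rejected.
     */
    static X509Certificate validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);  // anchors = trusted entries
        params.setRevocationEnabled(false);   // turn on once CRL or OCSP access is configured
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            return result.getTrustAnchor().getTrustedCert();
        } catch (CertPathValidatorException e) {
            // getIndex() names the certificate (0 = end entity) at which validation failed, or -1
            System.err.println("chain rejected: " + e.getMessage()
                    + (e.getIndex() >= 0 ? " (certificate #" + e.getIndex() + ")" : ""));
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ChainCheck <chain.pem> <truststore> <password>");
            System.exit(2);
        }
        List<X509Certificate> chain = readChain(args[0]);
        KeyStore ts = loadTrustStore(args[1], args[2].toCharArray());
        X509Certificate anchor = validate(chain, ts);
        if (anchor == null) System.exit(1);
        System.out.println("leaf:   " + chain.get(0).getSubjectX500Principal());
        System.out.println("anchor: " + anchor.getSubjectX500Principal());
    }
}
```

To create the truststore with the keytool utility mentioned above, import the root certificate as a trusted entry (placeholder file names and password): `keytool -importcert -alias rootca -file root-ca.pem -keystore truststore.jks`, then run `java ChainCheck server-chain.pem truststore.jks changeit`. A chain whose signer is not among the truststore's entries exits with status 1 and reports the index of the certificate at which the walk failed.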


Note:

For a full discussion of Oracle Application Server and SSL, see the Oracle Application Server Administrator's Guide.

1.4 Security Objectives

The security objectives for Oracle Application Server derive from the overall architecture and functions of the product, as well as the range of operational environments and risk scenarios in which Oracle anticipates the product will be deployed.

Oracle Application Server was designed to meet the following objectives:

1.4.1 Providing Basic Security Services

Certain security services are fundamental to providing security in a multiuser, networked environment. Oracle Application Server has been designed to provide all these services, including:

  • Authentication. Allows a system to verify the identity of users and other systems that request access to services or data. Authentication is a prerequisite for many other security services, including access control, authorization, and accountability.

    The authentication process deals with the question "Who is trying to access my services?" In any system and application it is paramount that the entity or caller trying to access your application is identified in a secure manner. In a multitier application, the entity or caller can be a human user, a business application, a host, or one entity acting on behalf of (or impersonating) another entity.

  • Authorization. Allows a system to determine the privileges which users and other systems have for accessing resources on that system. Authorization is generally required for effective access control.

    The authorization (or access control) process deals with the question "Who can access what services offered by which components?" For large-scale enterprises, where access to various business-critical services and resources by millions of users needs to be managed, it is important that a scalable authorization infrastructure be in place to deal with user and application provisioning. Unfortunately, in part due to the complex nature of authorization, this is also an area where confusion reigns and incompatible technologies and standards are prevalent.

  • Access Control. Ensures that a system grants access to resources only in ways that are consistent with security policies defined for those resources. Access decisions are based on the authenticated identity and/or authorization of the requesting user, and on what type of access that user is requesting.

  • Data Protection. Protects sensitive data against access by those who are not authorized users of the system. For example, encryption mechanisms can protect data sent through a public network from interception. Encryption can also protect highly sensitive data (such as passwords) stored on a disk from users who bypass system access control mechanisms, such as by exploiting a vulnerability in the underlying operating system or by stealing the physical disk storage medium.

1.4.2 Supporting Standards

Oracle Application Server is an open standards-based product. It complies with the J2EE framework and supports standard protocols, such as HTTP, and markup languages, such as HTML and XML. Corresponding Oracle Application Server security services also comply with relevant standards, facilitating interoperation with third-party products. For example, most Oracle Application Server applications support browser-based clients, typically Internet Explorer or Netscape Navigator. Oracle Application Server therefore supports the security standards that these browsers implement, including SSL for encryption, and X.509v3 when certificates are in use. Similarly, OC4J supports the J2EE security standards such as the Java Authentication and Authorization Service (JAAS), so that customers can deploy third-party Java applications securely.

1.4.3 Ensuring Deployment and Configuration Flexibility

Oracle Application Server supports a wide range of potential configurations and deployment options. These configurations span the range from standalone developer installations of Oracle Application Server Java Edition on a small desktop computer to large, distributed, multi-server deployments of Oracle Application Server serving hundreds of thousands of users in a worldwide enterprise.

Oracle Application Server security services have been designed to support the full range of product deployment options. In particular, the security services deployed on each edition of Oracle Application Server have been chosen to support the particular deployment scenarios and types of applications for which that edition of Oracle Application Server is targeted. Moreover, security mechanisms in Oracle Application Server have been designed to ensure that practical, real-world constraints on deployment can be met, such as the need to deploy certain components of Oracle Application Server in the DMZ, other components in the corporate intranet, and allow those components to communicate through firewalls.


See Also:

Chapter 3, "Recommended Deployment Topologies" for more information about deployment options, typical configurations for Oracle Application Server, and specific examples of real-world constraints and how to deploy Oracle Application Server in the face of them.

1.4.4 Minimizing Application Development and Deployment Cost

Oracle Application Server serves as a development and deployment environment for web applications. Oracle Application Server is designed to provide services and tools that reduce the time, effort, and expense to develop and deploy such applications. Because security is an important part of deploying applications in a production environment, Oracle Application Server has been designed to provide the essential security services common to most web applications. Individual components work together with your application and the application server to furnish a complete assortment of security services.

Working in cooperation, the security services provided in Oracle Application Server ensure the following:

  • Easy development and deployment of secure applications. Oracle Application Server provides the basic, easy-to-use services required to deploy applications. These basic security services are discussed in "Providing Basic Security Services".

  • Scalability, supporting complex deployments that support large numbers of users and servers. Oracle Application Server provides additional security services that reduce cost and complexity for large or complex deployments. These services include centralized user provisioning, single sign-on, and authorization, so that customers do not need to develop or purchase and integrate these services themselves.

  • Protection of existing investments in third-party technology. Oracle Application Server protects your existing investment through compliance with security standards and support for specific third-party security mechanisms and infrastructure where required.

1.4.5 Providing Security In Depth

An important design objective for Oracle Application Server is to provide security in depth, meaning that:

  • Security mechanisms are implemented with high assurance, so that the probability of failure of any given security mechanism is low. This is achieved through secure coding practices, developer security education and training, secure coding compliance checklist/testing, independent evaluations, independent security assessments and penetration testing, and security incident response.

  • Security must degrade gracefully, and there must be no single points of failure. Failure of any single security mechanism should cause only incremental loss of security, not compromise the entire system.

  • Privileges are minimized by default. You must explicitly grant permission to perform sensitive functions or access sensitive data.

  • Intrusions are contained. The system should detect and limit damage from security breaches.

1.5 Oracle Application Server Middle-Tier Components

This section gives a brief overview of the Oracle Application Server middle-tier components. You should be aware of three important points about application servers and the middle tier:

Oracle Application Server provides the following middle-tier components that are particularly important in developing secure applications:

1.5.1 Oracle Application Server Web Cache

OracleAS Web Cache can be configured to receive HTTPS browser requests and send HTTPS requests to origin servers. OracleAS Web Cache caches frequently accessed Web pages or partial pages.

1.5.2 Oracle HTTP Server

Oracle HTTP Server is the Web server component of Oracle Application Server. It is based on the Apache HTTP Server. The Apache open source Web server is among the most widely adopted Web server products; it supports a rich set of existing applications, and provides a flexible and well-understood security model. Apache is a very well-tested platform on which to deploy secure applications. Customers familiar with Apache should find it easy to build and deploy secure Web applications using Oracle HTTP Server.

1.5.2.1 Oracle HTTP Server Security Services Overview

Oracle HTTP Server extends Apache with several standard enhancements, called mods (a shortened form of "modules"), as well as with mods developed by Oracle Corporation. Oracle HTTP Server allows users with Web browsers to access Oracle Application Server using standard Web protocols. Oracle HTTP Server provides an HTTP listener that supports HTTP and HTTPS and serves information to users in standard HTML format. Oracle HTTP Server provides access to both static Web pages and dynamic content.

Oracle HTTP Server security services include the ability to restrict or allow access to files and services based on the identity of users established by means of basic authentication, by client-supplied X.509 certificates, and by IP address or hostname.

Another important feature of Oracle HTTP Server security is protection of data exchanged between clients and the server. This is provided by means of the SSL protocol, which also provides data integrity and strong authentication of both users and HTTP servers.

In addition, Oracle HTTP Server supplies logging and other facilities needed to detect and resolve intrusion attempts. It provides integration with the other Oracle Application Server components, such as mod_osso, which enables the HTTP server to receive and route requests for single sign-on services to Oracle Application Server Single Sign-On server. Oracle HTTP Server is also well integrated with other Oracle products such as Oracle applications and the database. In this way, the Oracle HTTP Server offers a comprehensive set of security services for building and deploying Web applications.


See Also:

Oracle HTTP Server Administrator's Guide for detailed information about configuring and using the HTTP server

1.5.3 Oracle Application Server Containers for J2EE (OC4J) and OracleAS JAAS Provider

Oracle Application Server Containers for J2EE provides the Java runtime environment for Oracle Application Server components. Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider ensures secure access to and execution of Java applications, as well as integration of Java-based applications with Oracle Application Server Single Sign-On.

In addition to these core security capabilities, OracleAS Portal leverages Oracle Identity Management to manage and provide secure access to content and applications.

1.5.4 Applications and Tools

The following products may also be installed with Oracle Application Server:

  • OracleAS Reports Services

  • OracleAS Forms Services

  • OracleBI Discoverer

  • OracleBI Beans

These products have their own product-specific security features, which are discussed in their individual documentation.

1.5.5 OracleAS Portal

Enterprise portals are specifically designed to be the single source of interaction with corporate information and to be the focal point for conducting day-to-day business. OracleAS Portal is a complete and integrated solution for building, deploying, and maintaining a world-class enterprise portal. It combines a rich, declarative environment for creating a portal Web interface, publishing and managing information, accessing dynamic data, and customizing the portal experience with an extensible framework for J2EE-based application access. Using OracleAS Portal, e-businesses have the power to connect employees, partners, and suppliers with the information they need and the flexibility to create views tailored to each community.

1.6 Identity Management Infrastructure

Oracle Identity Management is an integrated infrastructure on which Oracle products rely for distributed security. Oracle Identity Management ships with Oracle Application Server but it also ships as part of the infrastructure of other Oracle products. The Oracle Identity Management infrastructure is discussed in detail in Chapter 4, "Oracle Identity Management".

1.7 Configuration Options and Common Topologies

The following are common installation and configuration options for Oracle Application Server. For full information on these topologies, see Chapter 3, "Recommended Deployment Topologies", and the Oracle Application Server Installation Guide.

1.8 Security Platform Capabilities in Oracle Application Server 10g

Oracle Identity Management is a security solution for Oracle Application Server 10g. In addition, security enhancements have been made across the entire product.

This section discusses the following security enhancements:

1.8.1 Oracle Identity Management Enhancements

Oracle Identity Management is an integrated package of directory, security and user management functionality. Oracle Identity Management provides the integrated infrastructure on which Oracle products rely for distributed security.

Oracle Identity Management includes the following components:

  • Oracle Internet Directory

  • Oracle Directory Synchronization Service

  • Provisioning Integration Service

  • Oracle Delegated Administration Services

  • OracleAS Single Sign-On

  • OracleAS Certificate Authority

1.8.1.1 Oracle Identity Management Components

The following features and capabilities for Oracle Identity Management components are described:

1.8.1.1.1 Oracle Internet Directory

Oracle Internet Directory provides Windows integration, password policy options, partial replication, and other important security features.

  • Windows Integration Capabilities—Oracle Internet Directory now provides a preconfigured directory synchronization solution for Windows Active Directory Services. This feature allows users to have a single identity and password credential across the Oracle and Windows environments. It also includes directory plug-ins that support mastering and changing passwords stored in the Windows environment, relieving customers of overhead and potential security concerns associated with synchronizing passwords across the two environments.

  • Flexible Password Policy—Oracle Internet Directory supports password policy options. In addition, Oracle Internet Directory plug-in support allows customers to implement an almost unlimited variety of site-specific password policies.

  • Partial Replication—Oracle Internet Directory now supports replication models, enabling improved scalability and performance in large network configurations.

  • Other Features—Other features include support for dynamic groups, an expanded Oracle Internet Directory Self-Service Console, easy synchronization of directory data with database tables, and features to permit user identity synchronization with the Oracle e-Business Suite Release 11i.

1.8.1.1.2 OracleAS Single Sign-On

The features of OracleAS Single Sign-On include support for:

  • Federated Identity Management—OracleAS Single Sign-On can obtain user identities from one or more trusted authentication sources, and proxy these identities into the Oracle Application Server environment. This feature supports federated identity management scenarios.

    For example, customers could configure Oracle Application Server to obtain and accept authenticated user identities from the identity management systems of business partners.

  • Multilevel Authentication—OracleAS Single Sign-On allows customers to establish more than one authentication mechanism, and to indicate the way in which a user authenticated to single sign-on enabled applications. Applications can take advantage of this to grant different degrees of privilege to users, depending on how they authenticated.

    For example, users may get partial privileges if they authenticate using password, but more complete privileges if they use stronger authentication, such as X.509v3.

1.8.1.1.3 Oracle Application Server Certificate Authority (OCA)

OracleAS Certificate Authority completes the Oracle public key infrastructure (PKI) offering by allowing customers to create and manage X.509v3 digital certificates for use in Oracle or third-party software. OracleAS Certificate Authority is fully standards compliant and is seamlessly integrated with Oracle Application Server Single Sign-On and Oracle Internet Directory. It provides an out-of-the-box PKI solution for Oracle customers that is easy to use and manage. OracleAS Certificate Authority provides Web-based certificate management and administration, as well as XML-based configuration. It leverages the identity management infrastructure, high availability, and scalability of the Oracle Application Server platform.

1.8.2 General Security Enhancements

Oracle Application Server has added many other security enhancements across the entire product, including:

1.8.2.1 Oracle HTTP Server Enhancements

To incorporate the latest optimizations and security features of Apache, the Oracle HTTP Server uses Apache v1.3. In addition, Oracle HTTP Server has the following security enhancements:

  • Session Renegotiation support—This feature allows individual directories to be protected by encryption of different strengths, some with weaker and others with stronger encryption, within the same server.

  • SSL HW Acceleration support (for nCipher)—SSL encryption is slower when performed in software. Oracle HTTP Server now supports dedicated nCipher hardware for SSL encryption.

  • Port Tunneling—Oracle9iAS 9.0.2 introduced the AJP protocol for routing between Oracle HTTP Server and Oracle Application Server Containers for J2EE (OC4J). The firewall configuration required knowledge of several ports, especially for deployments that had several OC4J instances behind a firewall being routed to and from a front-end Oracle HTTP Server. This is now simplified with the Port Tunnel, which lets all communication between Oracle HTTP Server and OC4J happen on a limited number of designated ports. The port tunnel daemon routes the requests to the appropriate OC4J. Therefore, only one port (possibly more, depending on configuration) has to be opened through the firewall, regardless of the number of back-end OC4J instances.

  • Oracle HTTP Server to OC4J SSL Support—Oracle HTTP Server and OC4J communication can now occur over AJP/SSL, providing end-to-end SSL support for OC4J requests.

1.8.2.2 Privilege Delegation

This release of Oracle Application Server provides fine-grained control over system administration and management privileges, allowing you to:

  • Delegate only the privileges necessary for installation and administration

  • Grant application administration permissions without making the application administrator an Oracle Internet Directory superuser

  • Isolate application installation privileges from application administration privileges

  • Encapsulate privileges for each application, so that permission to deploy one component does not grant the right to deploy or administer other components

1.8.2.3 Oracle Workflow

With Oracle Application Server 10g Release 2 (10.1.2), Oracle Workflow supports Oracle Application Server Single Sign-On. All users can be authenticated using Oracle Application Server Single Sign-On technology with the users stored in Oracle Internet Directory. As a result, the default Oracle Workflow directory service is based on users stored in Oracle Internet Directory. Oracle Workflow also provides fine-grained security using VPD (Virtual Private Database), which can be used in a hosted environment. Each subscriber's or organization's data is secured from other subscribers or organizations. The subscribers in the hosted environment are stored in Oracle Internet Directory.

1.8.2.4 Oracle Application Development Framework (Oracle ADF)

Oracle ADF has added support for implementing application-level security using J2EE security standards (Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider).