Oracle® Collaboration Suite Security Guide
10g Release 1 (10.1.2)
Part Number B25494-10
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
Part I Oracle Collaboration Suite Security
1
Overview of Oracle Collaboration Suite Security
1.1
Overview of Oracle Collaboration Suite
1.1.1
Oracle Collaboration Suite Infrastructure
1.1.1.1
Oracle Collaboration Suite Database
1.1.1.2
Oracle Internet Directory
1.1.1.3
OracleAS Single Sign-On
1.1.2
Oracle Collaboration Suite Applications
1.2
Security Objectives of Oracle Collaboration Suite
1.2.1
Providing Basic Security Services
1.2.2
Supporting Standards
1.2.3
Ensuring Deployment and Configuration Flexibility
1.2.4
Ensuring Scalability and Predictability
1.3
Security Architecture of Oracle Collaboration Suite
1.4
Secure Sockets Layer and Public Key Infrastructure Authentication
1.4.1
Overview of SSL and TLS
1.4.2
SSL Handshake
1.4.3
Public Key Infrastructure
1.4.3.1
Security Features of PKI
1.4.3.2
Benefits of the PKI Approach
1.4.4
Public Key Infrastructure Components
1.4.4.1
Certificate Authority
1.4.4.2
Certificates
1.4.4.3
Certificate Revocation Lists
1.4.4.4
Wallets
1.4.4.5
Hardware Security Modules
1.4.5
Public Key Cryptography and the Public Key and Private Key Pair
1.4.6
Secure Credentials: Certificate-Based Authentication in PKI
1.4.6.1
Authentication Methods Used with PKI
1.4.7
Storing Secure Credentials with PKI
1.4.8
Single Sign-On Using PKI
1.5
Recommended Deployment Topologies
1.5.1
Hardware Load Balancers and HTTPS to HTTP Appliances
1.6
Compliance Across Oracle Collaboration Suite
1.6.1
Managing Unstructured Content with Oracle Collaboration Suite
1.6.2
Oracle Records Management
1.6.3
Preventive Measures in Oracle Collaboration Suite
2
Oracle Collaboration Suite Applications Security
2.1
Controlling Applications Tier Administration and Access
2.2
Using Oracle Collaboration Suite to Access Web Content
2.2.1
Client Authentication
2.2.2
Administration Interfaces
2.2.3
JDBC
2.2.4
Oracle Internet Directory
2.3
Securing Oracle Calendar
2.3.1
ACE Framework
2.3.1.1
Secure Connections to Clients and Other Calendar Servers
2.3.1.2
Available Plug-Ins
2.3.1.3
Configuration
2.3.1.4
Extending the ACE Framework
2.3.1.5
Integrating the Oracle Calendar Web Client with a Third-Party Authentication Framework
2.3.2
Kerberos 5 Authentication with Oracle Calendar
2.3.2.1
Background
2.3.2.2
Configuring Oracle Calendar with Kerberos 5
2.3.3
Kerberos 5 with Third-Party Directory Servers
2.3.3.1
Directory Server Security
2.3.4
Enabling MD5 Authentication
2.3.4.1
Enabling the Dynamic Verifier in Oracle Internet Directory for Passwords
2.3.4.2
Enabling the Dynamic Verifier in Oracle Internet Directory for PINs
2.3.4.3
Ensuring that the Dynamic Verifier Is Enabled Correctly for Passwords
2.3.4.4
Ensuring that the Dynamic Verifier Is Enabled Correctly for PINs
2.3.4.5
Steps to be Performed After the Dynamic Verifier Is Enabled
2.3.4.6
Enabling MD5 on the Oracle Calendar Server
2.3.4.7
Enabling MD5 on the Oracle Mobile Data Sync Server
2.3.5
Other Security Considerations
2.3.5.1
Dedicated Server
2.3.5.2
Password Management
2.3.5.3
Trust Management
2.3.5.4
Networking
2.3.5.5
Auditing
2.3.5.6
Backup and Recovery
2.3.5.7
Defense Against Denial of Service Attacks
2.3.5.8
Application Security
2.3.5.9
Calendar Administrator
2.3.5.10
Oracle Real-Time Collaboration Web Conferencing Server
2.4
Securing Oracle Content Services
2.4.1
Authentication Using Oracle Internet Directory
2.4.2
Security Considerations for Protocol Servers
2.4.2.1
FTP/FTPS
2.4.2.2
HTTP/WebDAV
2.4.2.3
Network Channel Encryption
2.4.3
Malicious Uploads
2.4.4
Client Session Timeout Period
2.4.5
HTTPS Configuration for Oracle Content Services
2.4.6
SSL Configuration for Oracle Content Services
2.4.7
SSL Connection to Oracle Internet Directory
2.4.8
Oracle Content Services Schema Password
2.4.9
Oracle Records Management
2.4.9.1
Using a Retention Hardware Solution
2.5
Securing Oracle Mail
2.5.1
Securing Oracle Mail Protocol Servers
2.5.2
Configuring Oracle Mail Protocol Servers for SSL
2.5.3
Configuring SSL Between Oracle Collaboration Suite 10g WebMail and Oracle Internet Directory
2.5.4
Configuring Oracle Mail Protocol Servers for TLS
2.5.5
Configuring SASL for Oracle Mail
2.5.6
Providing Virus Protection
2.5.7
Prescanning Using the Virus Scrubber
2.5.8
Rejecting Spam
2.5.9
Preventing Mailing List Abuse
2.5.10
Implementing Secure Multipurpose Internet Mail Extension (S/MIME)
2.6
Securing Oracle Mobile Collaboration
2.6.1
Introducing Push Mail Security
2.6.2
Push Mail System Architecture
2.6.3
Mobile Push Mail Security
2.6.3.1
Downloading and Registering Push Mail Client
2.6.3.2
Normal Use with In-Band Notification
2.6.3.3
Normal Use with Out-Band Notification
2.6.3.4
Loss of Device
2.6.3.5
Preventing Malicious Actions Against the Client and the Server
2.6.3.6
Deployment Options for Push Mail Server
2.6.4
Conclusions
2.7
Securing Oracle Real-Time Collaboration
2.7.1
Oracle Real-Time Collaboration Architecture and Security
2.7.2
Secure Access for Oracle Real-Time Collaboration Clients
2.7.3
Secure Connections for Oracle Real-Time Collaboration
2.7.3.1
Voice Chat Encryption in Oracle Messenger
2.7.4
Oracle Real-Time Collaboration User Management and Authentication
2.7.4.1
Authenticating Oracle Real-Time Collaboration Integration Services
2.7.4.2
Accounts for Automated Tests of Oracle Messenger
2.7.5
Oracle Real-Time Collaboration User Roles and User Privileges
2.7.5.1
Creating Administrative Users
2.7.5.2
Controlling User Privileges with Properties
2.7.5.3
Using Conference Keys to Protect Conference Access
2.7.5.4
Privileges Within Web and Chat Conferences
2.7.5.5
Restricting Access to Web Conferences by User Role
2.7.5.6
Privileges for an Acting Conference Host
2.7.6
Secure Archives for Oracle Real-Time Collaboration
2.7.6.1
Web Conference Archives
2.7.6.2
Oracle Messenger Archives
2.7.6.3
Creating a Privacy or Acceptable Use Policy
2.7.7
Security Report for Oracle Real-Time Collaboration
2.8
Securing Oracle Voicemail & Fax
2.8.1
Authenticating Using Oracle Internet Directory
2.8.2
Securing Oracle Voicemail & Fax Connections
2.8.2.1
Encrypting Connections to the Oracle Collaboration Suite Database
2.8.2.2
Using SSL to Connect to Oracle Internet Directory
2.8.3
Changing Passwords
2.9
Security Issues Related to Microsoft Internet Explorer
2.9.1
Relaxing Security to Enable Downloads Using Microsoft Internet Explorer
2.9.1.1
Relaxing the Cache Settings for Web Mail
2.9.1.2
Relaxing the Cache Settings for Web Access Client
2.9.2
Enabling Downloads for Web Calendar Using Microsoft Internet Explorer
2.10
Setting Client Session Timeout Period for Web Access Client
3
Oracle Collaboration Suite Infrastructure Security
3.1
Security in Oracle Collaboration Suite Infrastructure
3.1.1
Oracle HTTP Server Security
3.1.2
Directory Security Concepts
3.1.2.1
Data Integrity
3.1.2.2
Data Privacy
3.1.2.3
Authorization
3.1.2.4
Authentication
3.1.2.5
Protection of User Passwords for Directory Authentication
3.1.2.6
Password Policies
3.1.3
Physical Hardware Security
3.1.4
Network Security
3.1.5
Operating System Security
3.1.6
Database Security
3.1.7
Application Server Security
3.1.8
Third-Party Software Security
3.1.9
User Security
3.1.10
Password Security
3.2
Oracle Identity Management
3.2.1
Overview of Identity Management
3.2.2
Infrastructure of Oracle Identity Management
3.2.2.1
Oracle Application Server Single Sign-On
3.2.2.2
Provisioning Service
3.2.2.3
Delegated Administration Services
3.2.2.4
Oracle Internet Directory
3.2.2.5
Oracle Application Server Certificate Authority
3.2.3
Oracle Identity Management and Third-Party Applications
3.2.4
Benefits of Oracle Identity Management
3.2.4.1
Centralized User Management
3.2.4.2
Password Management Policies
3.3
SSL Configuration in Oracle Internet Directory
3.3.1
Configuring SSL Parameters
3.3.2
Starting a Directory Server Instance with SSL Enabled
3.3.3
Limitations of the Use of SSL in Oracle Internet Directory
3.4
Privilege Delegation
3.4.1
Security Goals for the Privilege Delegation Model
3.4.2
Understanding the Delegation Model
3.4.3
Understanding Roles and Responsibilities
3.4.4
Delegating Privileges
3.4.5
Granting Privileges to Manage User and Group Data
3.4.6
Delegating Privileges for Component Runtime
4
Oracle Collaboration Suite Database Security
4.1
Introduction to Database Security Concepts
4.2
Oracle Advanced Security Architecture
4.3
Solving Security Challenges with Oracle Advanced Security
4.3.1
Data Encryption
4.3.1.1
Supported Encryption Algorithms
4.3.1.2
Data Integrity
4.3.1.3
FIPS
4.3.2
Strong Authentication
4.4
SSL Combined with Other Authentication Methods
4.4.1
Oracle Advanced Security and SSL
4.4.2
How SSL Works with Other Authentication Methods
4.4.3
SSL and Firewalls
4.4.4
SSL Usage Issues
4.5
Secure Configuration Practices
4.6
Database Security Policies
4.6.1
Security Threats and Countermeasures
4.6.2
What Information can Security Policies Cover
4.7
Authentication by the Oracle Database
4.7.1
Password Encryption While Connecting
4.7.2
Account Locking
4.7.3
Password Lifetime and Expiration
4.7.4
Password History
4.7.5
Password Complexity Verification
Part II Secure Sockets Layer Configuration
5
Overview of SSL Configuration in Oracle Collaboration Suite
5.1
SSL Configuration Overview
5.1.1
Default SSL Configuration
5.1.2
Partial SSL Configuration
5.1.3
High-Level Tasks to Enable SSL in Oracle Collaboration Suite
5.1.3.1
Validating Your Installation
5.2
System Requirements for Using SSL in Oracle Collaboration Suite
5.3
Certificates and Oracle Wallets
5.3.1
Obtaining an SSL Certificate
5.3.2
Configuring the Network Listener for SSL
5.3.3
Oracle Wallet
5.3.4
Client Certificates
5.4
Integration with Hardware Security Modules
5.4.1
Protocol Converters
5.4.2
Mathematics Accelerators (PKCS #11 Integration)
6
Managing Wallets and Certificates
6.1
Using Oracle Wallet Manager
6.1.1
Overview of Oracle Wallet Manager
6.1.1.1
Wallet Password Management
6.1.1.2
Strong Wallet Encryption
6.1.1.3
Microsoft Windows Registry Wallet Storage
6.1.1.4
Third-Party Wallet Support
6.1.1.5
LDAP Directory Support
6.1.2
Starting Oracle Wallet Manager
6.1.3
Creating a Complete Wallet: Process Overview
6.1.4
Managing Wallets
6.1.4.1
Guidelines for Creating Wallet Passwords
6.1.4.2
Creating a Wallet
6.1.4.3
Opening an Existing Wallet
6.1.4.4
Closing a Wallet
6.1.4.5
Exporting Oracle Wallets to Third-Party Environments
6.1.4.6
Exporting Oracle Wallets to Tools That Do Not Support PKCS #12
6.1.4.7
Uploading a Wallet to an LDAP Directory
6.1.4.8
Downloading a Wallet from an LDAP Directory
6.1.4.9
Saving Changes
6.1.4.10
Saving an Open Wallet to a New Location
6.1.4.11
Saving a Wallet in System Default
6.1.4.12
Deleting a Wallet
6.1.4.13
Changing the Password
6.1.4.14
Using Auto Login
6.1.5
Managing Certificates
6.1.5.1
Managing User Certificates
6.1.5.2
Managing Trusted Certificates
6.2
Performing Certificate Validation and CRL Management With the orapki Utility
6.2.1
Overview of orapki
6.2.1.1
orapki Utility Syntax
6.2.2
Displaying orapki Help
6.2.3
Creating Signed Certificates for Testing Purposes
6.2.4
Managing Oracle Wallets with the orapki Utility
6.2.4.1
Creating and Viewing Oracle Wallets with the orapki Utility
6.2.4.2
Adding Certificates and Certificate Requests to Oracle Wallets with orapki
6.2.4.3
Exporting Certificates and Certificate Requests from Oracle Wallets with the orapki Utility
6.2.5
Managing Certificate Revocation Lists (CRLs) with the orapki Utility
6.2.5.1
Certificate Validation with Certificate Revocation Lists
6.2.5.2
Certificate Revocation List Management
6.2.6
orapki Utility Commands
6.2.6.1
orapki cert create
6.2.6.2
orapki cert display
6.2.6.3
orapki crl delete
6.2.6.4
orapki crl display
6.2.6.5
orapki crl hash
6.2.6.6
orapki crl list
6.2.6.7
orapki crl upload
6.2.6.8
orapki wallet add
6.2.6.9
orapki wallet create
6.2.6.10
orapki wallet display
6.2.6.11
orapki wallet export
6.3
Interoperability With X.509 Certificates
6.3.1
Public Key Cryptography Standards (PKCS) Support
6.3.2
Multiple Certificate Support
6.3.3
Importing Wallets Created with a Third-Party Tool
7
Enabling SSL in Oracle Collaboration Suite
7.1
Recommended SSL Configurations
7.2
SSL Configuration in Oracle Collaboration Suite Infrastructure
7.3
SSL Configuration in Oracle Collaboration Suite Applications
7.3.1
Running the SSL Script on the Applications Tier
7.3.2
Additional Steps For Enabling SSL in Oracle Collaboration Suite
7.3.3
Enabling SSL in Oracle Mobile Collaboration
7.3.4
Enabling SSL in Oracle Content Services
7.3.4.1
Setting Parameters in the Application Server Control for Collaboration Suite
7.3.4.2
Setting Additional SSL Information
7.3.4.3
Connecting to Oracle Internet Directory Using SSL
7.3.4.4
If the Oracle Content Services Portlet Fails to Retrieve Content After Implementing SSL
7.3.5
Enabling SSL in Oracle Real-Time Collaboration
7.3.6
Enabling SSL in Oracle Voicemail & Fax
7.3.7
Enabling SSL Between Oracle Mobile Data Sync Server and OracleAS Webcache
7.3.8
Enabling SSL in Oracle Collaborative Portlets
7.3.9
Securing Enterprise Manager
7.4
SSL Configuration For Single-Computer Installation
7.4.1
Preinstallation Tasks
7.4.2
Infrastructure Tier Setup
7.4.3
Applications Tier Setup
8
Changing Ports for Web Components
8.1
Redirecting SSO Traffic
8.2
Changing Ports
8.2.1
Obtaining the Port Numbers from the portslist.ini File
8.2.2
Changing the SSO Port on the Infrastructure Tier
8.2.3
Changing Ports on the Applications Tier
8.2.3.1
Create the Input File
8.2.3.2
Run the SSL Configuration Tool to Set the Ports for Applications Tier
8.2.3.3
Run the infra_ssotrans Script
8.2.3.4
Update the DAS URL
8.2.3.5
Stop and Restart the OPMN Processes
Part III Appendixes
A
System Security and Non-Oracle Components
A.1
Web Browsers
A.2
Firewalls
A.3
Load Balancers
A.4
Virtual Private Networks
B
Troubleshooting SSL Configuration
B.1
Troubleshooting SSL Configuration in OracleAS Portal
B.2
Troubleshooting SSL Configuration in Oracle Mail
B.3
Troubleshooting SSL Configuration in Oracle Real-Time Collaboration
B.4
Troubleshooting SSL Configuration in Oracle Calendar
Glossary
Index