Oracle® Application Server Best Practices Guide 10g (10.1.4.0.1)
Part Number B31762-02
Contents
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
1 Introduction to Best Practices for the Oracle Identity and Access Management Suite
1.1 Key Best Practices for Oracle Identity and Access Management Suite Deployments
2 Oracle Access Manager
2.1 General Best Practices
2.1.1 Deploy Oracle Access Manager in Multiple Environments to Minimize Service Disruptions
2.1.2 Deploy Oracle Access Manager Access and Identity Servers on Dedicated Hardware to Improve Reliability
2.1.3 Store Configuration and Policy Data in a Separate Directory to Provide Greater Deployment and Upgrade Flexibility
2.1.4 Point Directly to a Domain Controller to Avoid Potential Data Inconsistency Problems
2.1.5 Use LDAP Over SSL Rather than ADSI When Connecting to Microsoft Active Directory
2.1.6 When Deploying on Top of Microsoft Active Directory, Fine Tune the Appropriate Active Directory Configuration Parameters to Optimize Performance
2.1.7 Size and Tune the Environment to Support Production Deployment
2.1.8 Host Administration Interfaces on Dedicated Web Servers to Protect the Environment
2.1.9 Use SSL Transport between Components to Secure the Environment
2.1.10 Store Audit Trails in a Database to Maximize the Usability of Audit Data
2.1.11 Take Steps to Simplify Management of Your Environment
2.2 Access System Best Practices
2.2.1 Use IP Validation, HTTPS, and Secure Cookies to Mitigate the Risk of a Cookie Replay Attack
2.2.2 Avoid Using Nested Groups for Authorization to Improve Group Membership Performance
2.2.3 Configure Dynamic Groups Rather than Authorization Filters to Simplify Authorization Administration
2.2.4 Performance Considerations when Using ObMyGroups
2.2.5 Consider Deploying WebGates On Reverse Proxies to Simplify Management
2.2.6 Design Document Protection Policies to Minimize WebGate Calls to the Access Server
2.2.7 Use Best Practices When Configuring Form-based Authentication to Avoid Login Errors
2.2.8 Code API-Based Plug-ins to Avoid Access Server Crashes
2.2.9 Use Best Practices to Secure Access Manager SDK (AccessGate) Clients
2.3 Identity System Best Practices
2.3.1 Avoid Searches to Improve Identity Administration Performance
2.3.2 Use the Manage Members Page of the Group Manager Application to Efficiently Manage Large Groups
2.3.3 Configure a Single Idle Timeout for the Entire Oracle Access Manager Deployment to Avoid Potential Discrepancies in User Behavior
2.3.4 Turn Off Tracking to Improve Workflow Performance
2.3.5 Periodically Clean Up Workflow Tickets to Improve Directory Performance
2.3.6 Build Event API Plug-Ins for Performance
2.3.7 Use PresentationXML to Customize the Look and Feel of Embeddable User Interface Elements
2.3.8 Use an XML/XSL Editor When Developing PresentationXML to Expedite Development and Test
2.3.9 Always Work from a Copy of the Default Style Sheet
2.3.10 Use Caution When Implementing JavaScript Code in PresentationXML
3 Oracle Internet Directory
3.1 Use bulkload Utility to Bootstrap System
3.2 Replicate to Provide High Availability
3.3 Use TLS/SSL Binding to Secure Traffic
3.4 Use Backup and Restore Utilities to Secure Data
3.5 Monitor and Audit Oracle Internet Directory to Improve Availability
3.6 Use OPMN to Manage Oracle Internet Directory Processes
3.7 Assign Oracle Internet Directory Privileges to Limit Access
3.8 Change Access Control Policies to Control User Administration
3.9 Use User Attributes and Password Hints to Make Resetting Credentials Easier
3.10 Incorporate Group Assignment During User Creation to Avoid Multiple Steps
3.11 Configure Active Directory Synchronization to Enable Windows Native Authentication
3.12 Oracle Directory Integration Platform Best Practices
3.12.1 Use Identity Management Realms to Build Connectivity Between Oracle Internet Directory and Third-Party Directories
3.12.2 Configure Synchronization Service to Enable Users to Interact with Deployed Applications
3.12.3 Synchronize Oracle Human Resources and Oracle Internet Directory to Provide Access to OracleAS Single Sign-On and Oracle Delegated Administration Services
4 Security
4.1 General Best Practices
4.1.1 HTTPS Best Practices
4.1.2 Assign Lowest-Level Privileges Adequate for the Task to Contain Security Leaks
4.1.3 Cookie Security Best Practices
4.1.4 Systems Setup Best Practices
4.1.5 Certificates Use Best Practices
4.1.6 Review Code and Content Against Already Known Attacks to Minimize the Attack Recurrence
4.1.7 Firewall Best Practices
4.1.8 Leverage Declarative Security
4.1.9 Use Switched Connections in DMZ
4.1.10 Place Application Server in the DMZ to Prevent Security Issues
4.1.11 Use Secure Sockets Layer Encryption to Secure LDAP and HTTP Traffic
4.1.12 Tune the SSLSessionCacheTimeout Directive to Meet Your Application Needs
4.1.13 Plan Out the Final Topology Before Installing Oracle Application Server Security Components
4.2 Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider Best Practices
4.3 J2EE Security Best Practices
4.3.1 Avoid Writing Custom User Managers and Instead Use Included APIs to Focus Time on Business Logic
4.3.2 Use the Authentication Mechanism with the JAAS Provider to Leverage Benefits
4.3.3 Use Fine-Grained Access Control
4.3.4 Use Oracle Internet Directory as the Central Repository to Provide LDAP Standard Features
4.3.5 Develop Appropriate Logout Functionality to Prevent Users from Closing the Web Browsers
4.3.6 Secure the OC4J Environment
4.3.6.1 Restrict Access to the OC4J Standalone Administration Application Server Control
4.3.6.2 Remove Unneeded Features
4.3.6.3 Disable Debug Mode
4.3.6.4 Disable Default Invoker
4.3.6.5 Disable Directory Browsing
4.3.6.6 Disable File Aliases
4.3.6.7 Change Your Account Passwords
4.3.6.8 Use Password Indirection
4.3.6.9 Restrict Access to Network Service Ports
4.4 OracleAS Single Sign-On Best Practices
4.4.1 Configure for High Availability to Prevent Inaccessible Applications
4.4.2 Leverage OracleAS Single Sign-On to Optimize Administration and Customer Experience
4.4.3 Use an Enterprise-Wide Directory to Eliminate User Data in Multiple Systems
4.4.4 Use OracleAS Single Sign-On to Validate User Credentials
4.4.5 Always Use SSL with Oracle Application Server to Protect Applications
4.4.6 Provide Username and Password Only on Login Screen to Prevent Users from Providing Credentials to Inappropriate Servers
4.4.7 Log Out to Prevent Active Cookies
5 Oracle Virtual Directory
5.1 Give Each Adapter Its Own Namespace to Simplify Configuration
5.2 Use Routing Priority to Control How Order Entries Are Returned for Better Performance
5.3 Use Attribute Flow to Improve Security, Performance and Flexibility
5.4 Use Mapping Scripts to Unify Schema
5.5 Add Microsoft Schema if Using ActiveX Data Objects to Query Oracle Virtual Directory
6 Oracle Application Server High Availability Solutions
6.1 Oracle Application Server Cluster (Identity Management)
6.2 Load Balancers
6.2.1 Use Fault-Tolerant Hardware Load Balancers to Avoid Single Points of Failure
6.2.2 Use Monitoring of Services to Automatically Disable Traffic to Unavailable Nodes
6.2.3 Configure All Idle Time Timeouts to Maximize Time for Unused or Idle Service
6.3 Oracle Application Server Cold Failover Clusters
6.3.1 Use Shared Oracle Home Installs for OracleAS Cold Failover Cluster (Middle-Tier) to Simplify Administration
6.3.2 Use Oracle Universal Installer Commands to Attach OracleAS Cold Failover Cluster Oracle Home with the oraInventory
6.3.3 Use Disk Redundancy for OracleAS Cold Failover Cluster to Avoid Oracle Home Failures
6.3.4 Standardize Port Allocation and Pre-Allocate Ports to the OracleAS Cold Failover Cluster Instances to Avoid Failures
6.4 Oracle Application Server Guard
6.4.1 Clean Up Invalid Records to Avoid Instantiation and Synchronization Errors
6.4.2 Use the Same Ports for OracleAS Guard to Avoid Manual Configuration Steps in Synchronization Operations
6.4.3 Use Different Labels and Colors in OracleAS Guard Shells to Avoid Errors
6.4.4 Enable High-Logging Level to Troubleshoot OracleAS Guard Operations
6.5 Backup and Recovery
6.5.1 Whenever an Operation is Exposed through Application Server Control, Use It as the Standard Way to Perform Backup and Recovery to Avoid the Common Errors and Typos in Command-Line Operations
6.5.2 Use Instance-Level Backup to Guarantee Consistency
6.5.3 Perform an Image Backup to Recover from Loss of Host Scenario
6.5.4 Use Incremental Backups to Save Time and Disk Space
Index