Oracle® Content Database Administrator's Guide for Oracle WebCenter Suite
10g (10.1.3.2)

Part Number B32191-01

3 Oracle Content DB Security

Oracle Content DB provides the basic infrastructure required by any shared, network-accessible system, including authentication and authorization. This section describes the architecture and configuration of security in Oracle Content DB.

Note:

Do not make any configuration changes to your Oracle Content DB deployment beyond those described in the documentation or required by the support team. Making undocumented changes to your system could have serious security implications.

SSL Configuration for Oracle Content DB

You can set up SSL for client connections to Oracle Content DB, including Web client, WebDAV, and Web services access. You can also set up SSL for the connection between Oracle Content DB and the user repository.

Setting Up SSL for Client Connections to Oracle Content DB

You must configure Oracle HTTP Server to use SSL before configuring Oracle Content DB for SSL. Use a valid certificate when you configure Oracle HTTP Server for SSL: one issued for the host name that clients connect to and chained to a certificate authority that the Web, WebDAV, and Web services clients trust, so that clients can verify the server instead of having to accept certificate warnings. See Oracle HTTP Server Administrator's Guide for more information.

After configuring Oracle HTTP Server for SSL, follow these steps to configure Oracle Content DB for SSL:

  1. Connect to the Application Server Control and go to the Content DB Home page. See "Accessing the Oracle Content DB Home Page" for information about how to do this.

  2. On the Content DB Home page, click the Administration tab.

  3. In the Domain Properties table row, click the Go to Task icon.

  4. Click IFS.DOMAIN.APPLICATION.ApplicationPort.

  5. Update the value to the appropriate SSL port and click OK. This value may be the Oracle HTTP Server SSL port, a load balancer port, or some other port.

  6. Click IFS.DOMAIN.APPLICATION.ApplicationUseHttps.

  7. Set the value to true and click OK.

  8. Return to the Cluster Topology page and restart the Oracle Content DB domain. See "Starting and Stopping the Oracle Content DB Domain" for information about how to do this.

Setting Up SSL Between Oracle Content DB and the User Repository

If you are using an LDAP server as your Oracle Content DB user repository, you can use SSL for the connection between Oracle Content DB and the LDAP server. You cannot use SSL for the connection to a file-based user repository.

There are two supported authentication modes for an SSL connection between Oracle Content DB and the LDAP server: Server Only or Anonymous. You can only use Anonymous authentication mode if you are using Oracle Internet Directory.

Setting Up Server Only SSL Between Oracle Content DB and Your LDAP Server

The following procedure explains how to set up Server Only SSL authentication between Oracle Content DB and your LDAP server. In Server Only authentication, also called SSL Server Authentication, only the directory server authenticates itself: during the SSL handshake it presents its certificate, and Oracle Content DB verifies that certificate against the LDAP keystore (a trust store) that you create in this procedure. Oracle Content DB does not present a certificate of its own.

You must first configure your LDAP server for SSL before you perform the steps in the following procedure. If you are using Oracle Internet Directory, see Oracle Internet Directory Administrator's Guide for more information. If you are using a third-party LDAP server, refer to the documentation for your LDAP server for more information.

To set up Server Only SSL between Oracle Content DB and your LDAP server:

  1. Ensure that the LDAP server certificate has been created on the LDAP host. Refer to the documentation for your LDAP server for more information.

  2. On each Oracle Content DB middle tier, create a keystore for the LDAP server, as follows:

    1. At the command prompt, go to ORACLE_HOME/jdk/bin.

    2. Create an LDAP keystore by running the following keytool command:

      ./keytool -genkey -keystore keystore_file_name -keypass key_password -storepass keystore_password
      
      

      For example:

      ./keytool -genkey -keystore ORACLE_HOME/content/settings/ldap-keystore.jks -keypass defaultkp -storepass ldapksp
      
      

      The -keypass argument is required by keytool -genkey, but the key pair it protects is only a placeholder: Oracle Content DB uses this keystore purely as a trust store for the LDAP server certificate and never uses the key. Because no -dname is given, keytool also prompts for distinguished-name fields; the values you enter do not matter. Restrict read access to the keystore file to the Oracle software owner.

    3. Repeat these steps for each Oracle Content DB middle tier.


      Tip:

      If you want to avoid performing Step 2 and Step 3 on each middle tier, you can choose one of the following alternatives:
      • Copy the keystore file onto each middle tier

      • Create the keystore file in a common location, accessible by each middle tier

      If you choose to copy the keystore file onto each middle tier, wait until after you have performed Step 3, importing the LDAP server certificate, to do so.

      Even if you choose one of these options, other steps in this procedure must be performed on each middle tier. Choosing one of these options only enables you to avoid having to perform Step 2 and Step 3 on each middle tier.


  3. On each Oracle Content DB middle tier, import the LDAP server certificate into the keystore, as follows:

    1. At the command prompt, go to ORACLE_HOME/jdk/bin.

    2. Import the LDAP server certificate into the keystore by running the following keytool command:

      ./keytool -import -file server_certificate -keystore keystore_file_name -keypass key_password -storepass keystore_password
      
      

      For example:

      ./keytool -import -file myldapserver.cer -keystore ORACLE_HOME/content/settings/ldap-keystore.jks -keypass ldapkp -storepass ldapksp
      
      keytool displays the certificate, including its fingerprints, and asks whether to trust it. Answer yes only after confirming the fingerprint with the LDAP administrator through a channel other than the one you received the file over; importing the wrong certificate makes Oracle Content DB trust an impostor directory server.
      
    3. Repeat these steps for each Oracle Content DB middle tier, unless you chose one of the alternatives mentioned in Step 2.

  4. On each Oracle Content DB middle tier, store the LDAP keystore password in a secure location so that Oracle Content DB can access the keystore. To do this, follow these steps:

    1. At the command prompt, go to ORACLE_HOME/content/bin.

    2. Run the following command:

      ./changepassword -l
      

      Note:

      Do not use the option -k. The -k option is used to change the password for the WS-Security keystore, not the LDAP keystore.

    3. When prompted for the old password, just press Enter. Then, enter and confirm the LDAP keystore password that you provided in Step 2 (the -storepass value, not the -keypass value).

      Be sure to follow the steps described in "Changing the LDAP Keystore Password" if you need to change this password later.

    4. Repeat these steps for each Oracle Content DB middle tier.

  5. On each Oracle Content DB middle tier, edit the oc4j.properties file, as follows:

    1. Go to ORACLE_HOME/j2ee/OC4J_Content/config and open the oc4j.properties file for editing.

    2. Add the following properties:

      oracle.ifs.security.LdapSslEnabled=true
      oracle.ifs.security.LdapSslAuthenticationMode=ServerOnly
      
      
    3. The LDAP keystore location is also stored in the oc4j.properties file, in the property oracle.ifs.security.LdapKeyStoreLocation. Update the value of this property if needed.


      Note:

      Do not update the value of oracle.ifs.security.KeyStoreLocation. This property stores the location of the keystore for WS-Security, not the LDAP keystore location.

    4. Save and close the oc4j.properties file.

    5. Repeat these steps for each Oracle Content DB middle tier.

  6. If you are using a third-party LDAP server, you must edit the system-jazn-data.xml file on each Oracle Content DB middle tier. You do not need to perform this step if you are using Oracle Internet Directory as your user repository. To edit the system-jazn-data.xml file:

    1. Go to ORACLE_HOME/j2ee/OC4J_Content/config and open the system-jazn-data.xml file for editing.

    2. Go to the oracle.security.jazn.login.module.LDAPLoginModule for the content application, and change the oracle.security.jaas.ldap.provider.url option to the LDAP SSL URL, in the format:

      ldaps://ldap_host:ldap_ssl_port
      
      

      For example:

      <application>
        <name>content</name>
        <login-modules>
          <login-module>
            <class>oracle.security.jazn.login.module.LDAPLoginModule</class>
            <control-flag>required</control-flag>
            <options>
              ...
              ...
              <option>
                <name>oracle.security.jaas.ldap.provider.url</name>
                <value>ldaps://myhost.mydomain.com:636</value>
              </option>
            </options>
          </login-module>
        </login-modules>
      </application>
      
      
    3. Save and close the system-jazn-data.xml file.

    4. Repeat these steps for each Oracle Content DB middle tier.

  7. Update Oracle Content DB domain properties with the new SSL port of your LDAP server. You only need to perform this step on one Oracle Content DB middle tier. To update Oracle Content DB domain properties:

    1. Connect to the Application Server Control and go to the Content DB Home page. See "Accessing the Oracle Content DB Home Page" for information about how to do this.

    2. On the Content DB Home page, click the Administration tab.

    3. In the Domain Properties table row, click the Go to Task icon.

    4. Click IFS.DOMAIN.CREDENTIALMANAGER.Idm. You may need to move to the next page to find this property, or you can use the Search field.

    5. Click IFS.DOMAIN.CREDENTIALMANAGER.Idm.LdapSslEnabled.

    6. Set the value to true and click OK.

    7. Click IFS.DOMAIN.CREDENTIALMANAGER.Idm.LdapPort.

    8. Change the port number listed in the URL to be the SSL-enabled LDAP port, such as 636 or 4031, and click OK.

    9. Click OK on the Edit Domain Property page.

  8. On each Oracle Content DB middle tier, edit the opmn.xml file, as follows:

    1. Go to ORACLE_HOME/opmn/conf and open the opmn.xml file for editing.

    2. In the start-parameters for OC4J_Content, add the Java options -Djavax.net.ssl.trustStore (the LDAP keystore location from Step 5) and -Djavax.net.ssl.trustStorePassword (the LDAP keystore password from Step 2).

      For example:

      <process-type id="OC4J_Content" module-id="OC4J" status="enabled">
        <module-data>
          <category id="start-parameters">
            <data id="java-options" value="-server -XX:MaxPermSize=128M -ms512M -mx1024M -XX:AppendRatio=3 -Djava.security.policy=$ORACLE_HOME/j2ee/OC4J_Content/config/java2.policy -Djava.awt.headless=true -Dhttp.webdir.enable=false -Doc4j.userThreads=true -Djavax.net.ssl.trustStore=your_keystore_location -Djavax.net.ssl.trustStorePassword=your_keystore_password"/>
          </category>
        </module-data>
      </process-type>
      
      
      The trust store password is stored in clear text in opmn.xml and is also visible on the OC4J_Content command line (for example in ps output) to anyone who can list processes on the middle tier. Keep opmn.xml readable only by the Oracle software owner, and if you later change the LDAP keystore password, update this value as well as running changepassword -l.

    3. Save and close the opmn.xml file.

    4. Restart OPMN. Note that restarting OPMN will interrupt your OPMN-managed processes on this middle tier.

    5. Repeat these steps for each Oracle Content DB middle tier.

Setting Up Anonymous SSL Between Oracle Content DB and Your LDAP Server

The following procedure explains how to set up Anonymous SSL authentication between Oracle Content DB and your LDAP server. In Anonymous authentication, also called No SSL Authentication, neither side authenticates itself to the other: no certificates are exchanged, and SSL provides encryption only. This protects the LDAP traffic, including bind passwords, from passive eavesdropping, but because Oracle Content DB cannot verify which server it is talking to, an attacker who can redirect or intercept traffic on the network path can impersonate the directory server. Use this mode only when the network between the middle tiers and Oracle Internet Directory is itself trusted; otherwise use Server Only authentication.

You can only use Anonymous SSL authentication if you are using Oracle Internet Directory as your user repository.

You must first configure Oracle Internet Directory for Anonymous SSL authentication (No SSL Authentication) before you perform the steps in the following procedure. See Oracle Internet Directory Administrator's Guide for more information.

To set up Anonymous SSL between Oracle Content DB and Oracle Internet Directory:

  1. On each Oracle Content DB middle tier, edit the oc4j.properties file, as follows:

    1. Go to ORACLE_HOME/j2ee/OC4J_Content/config and open the oc4j.properties file for editing.

    2. Add the following properties:

      oracle.ifs.security.LdapSslEnabled=true
      oracle.ifs.security.LdapSslAuthenticationMode=Anonymous
      
      Set the mode to Anonymous here, not ServerOnly: ServerOnly belongs to the Server Only procedure and makes Oracle Content DB expect a server certificate that Oracle Internet Directory does not present in this mode.

    3. Save and close the oc4j.properties file.

    4. Repeat these steps for each Oracle Content DB middle tier.

  2. Update Oracle Content DB domain properties with the new Oracle Internet Directory SSL port. You only need to perform this step on one Oracle Content DB middle tier. To update Oracle Content DB domain properties:

    1. Connect to the Application Server Control and go to the Content DB Home page. See "Accessing the Oracle Content DB Home Page" for information about how to do this.

    2. On the Content DB Home page, click the Administration tab.

    3. In the Domain Properties table row, click the Go to Task icon.

    4. Click IFS.DOMAIN.CREDENTIALMANAGER.Idm. You may need to move to the next page to find this property, or you can use the Search field.

    5. Click IFS.DOMAIN.CREDENTIALMANAGER.Idm.LdapSslEnabled.

    6. Set the value to true and click OK.

    7. Click IFS.DOMAIN.CREDENTIALMANAGER.Idm.LdapPort.

    8. Change the port number listed in the URL to be the SSL-enabled Oracle Internet Directory port, such as 636 or 4031, and click OK.

    9. Click OK on the Edit Domain Property page.

    10. Return to the Cluster Topology page and restart the Oracle Content DB domain. See "Starting and Stopping the Oracle Content DB Domain" for information about how to do this.
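
The middle-tier file edits from the two procedures above (oc4j.properties for either mode, plus the LDAP trust keystore for Server Only) collected into one script, as an added example; this is not code from the Oracle guide. It keeps the guide's property names and paths but adds a check the guide leaves to you: the LDAP server certificate is imported only if its SHA1 fingerprint matches one you obtained out of band, so a swapped certificate is refused rather than trusted. It assumes the mode property takes the values ServerOnly and Anonymous, that keytool is on the PATH for the Server Only case, and that LDAP_KS_PASS, LDAP_CERT and LDAP_CERT_SHA1 are supplied in the environment (all three are example names). The domain-property and restart steps stay in Application Server Control.

```sh
#!/bin/sh
# Added example (not from the Oracle guide): apply the per-middle-tier file
# changes for LDAP over SSL, for either mode from the two procedures above.
# Property names and file paths are the guide's; the fingerprint check, the
# -noprompt import and the script structure are this example's own choices.
# Assumes $ORACLE_HOME is set and, for ServerOnly, that keytool is on the PATH.
set -e

# Idempotently set KEY=VALUE in a Java properties file: rewrite the first
# existing KEY line, drop any duplicates, append if the key is absent.
set_prop() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || : > "$file"
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    BEGIN { done = 0 }
    index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"     # write in place so ownership and mode are kept
  rm -f "$tmp"
}

# Normalise a certificate fingerprint for comparison: "ab:cd" -> "ABCD".
norm_fp() { printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'; }

# Pull the SHA1 fingerprint out of `keytool -printcert` (or `keytool -list -v`)
# output. Works on captured text, so it can be checked without a JDK.
sha1_from_keytool() {
  norm_fp "$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1)"
}

# ServerOnly mode: import the LDAP server certificate into the trust keystore,
# but only after its fingerprint matches the value the LDAP administrator gave
# you out of band. `-import` creates the keystore file if it does not exist.
import_ldap_cert() {
  keystore=$1; storepass=$2; certfile=$3; expected=$4
  actual=$(sha1_from_keytool "$(keytool -printcert -file "$certfile")")
  if [ "$actual" != "$(norm_fp "$expected")" ]; then
    echo "refusing to trust $certfile: SHA1 $actual does not match $expected" >&2
    return 1
  fi
  keytool -import -noprompt -alias ldap-server -file "$certfile" \
    -keystore "$keystore" -storepass "$storepass"
  chmod 600 "$keystore"
  keytool -list -keystore "$keystore" -storepass "$storepass" -alias ldap-server
}

# Write oc4j.properties for the chosen mode on this middle tier.
# MODE is ServerOnly or Anonymous (assumed to be the property's value names).
configure_tier() {
  mode=$1
  props="$ORACLE_HOME/j2ee/OC4J_Content/config/oc4j.properties"
  case "$mode" in
    ServerOnly|Anonymous) ;;
    *) echo "mode must be ServerOnly or Anonymous" >&2; return 1 ;;
  esac
  set_prop "$props" oracle.ifs.security.LdapSslEnabled true
  set_prop "$props" oracle.ifs.security.LdapSslAuthenticationMode "$mode"
  if [ "$mode" = ServerOnly ]; then
    ks="$ORACLE_HOME/content/settings/ldap-keystore.jks"
    set_prop "$props" oracle.ifs.security.LdapKeyStoreLocation "$ks"
    # LDAP_KS_PASS, LDAP_CERT and LDAP_CERT_SHA1 are assumed environment inputs.
    import_ldap_cert "$ks" "$LDAP_KS_PASS" "$LDAP_CERT" "$LDAP_CERT_SHA1"
    echo "Next: run $ORACLE_HOME/content/bin/changepassword -l with the same" \
         "store password, then add the javax.net.ssl.trustStore options to opmn.xml."
  fi
  echo "Domain properties and the domain restart are done once in Application Server Control."
}

# Usage: LDAP_KS_PASS=... LDAP_CERT=myldapserver.cer LDAP_CERT_SHA1=AB:CD:... \
#          sh ldap_ssl_tier.sh ServerOnly
# Nothing runs when the file is sourced without an argument.
if [ "${1:-}" != "" ]; then configure_tier "$1"; fi
```

Run it once per middle tier; set_prop is idempotent, so re-running after a failed import does not duplicate properties. The guide's -genkey placeholder step is skipped because keytool -import creates the keystore file itself when it does not yet exist.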

About User Authentication in Oracle Content DB

Authentication is the process by which a user proves an identity before attempting to access objects in the system. The proof is called a credential; it is usually derived from the user's password, for example a hash of the password or a digest computed over a server-supplied challenge, rather than the password itself.

The user repository uses JAZN authentication to determine whether the user name and password are valid for the user. Because of JAZN limitations, to fully log out of Oracle Content DB, users must close all browser windows associated with the browser they used to log in to Oracle Content DB. For example, if users logged in using Microsoft Internet Explorer, they must close all Internet Explorer windows after they log out.


Note:

Oracle Content DB does not support OC4J Java Single Sign-On (Java SSO), a single sign-on solution supplied with OC4J.

Authenticating as a Trusted Application Over Web Services

The Oracle Content DB JCR adapter, or any application using a Web Services client to connect to the Oracle Content DB server, can authenticate as a trusted application to the server. Under this model, the trusted client application does not supply a user credential. The server authenticates the client application itself and assumes that the client has already verified the identity of the user on whose behalf it is acting. Consequently, a trusted client can act as any user; treat the client's private key as an administrative secret.

You can use WS-Security to authenticate as a trusted application to Oracle Content DB. WS-Security here relies on public key cryptography: each side signs its messages with its own private key, and the other side verifies the signature with the signer's certificate. A keystore must be configured for both the server and the client, and the public certificate of each side (exported as a "public key" file in the procedures that follow) must be imported into the other side's keystore. Private keys never leave the keystore of the party that owns them.

You can use certificates issued by a commercial certificate authority for these keys, or generate self-signed ones with keytool as shown below, as long as the private keys and the keystore passwords are kept secret.

Setting Up a Server Keystore for WS-Security

To enable WS-Security trusted authentication for the Oracle Content DB server, you must first create a server keystore. You can use the keytool utility provided in ORACLE_HOME/jdk/bin to set up a server keystore and to import public keys.

See Oracle WebCenter Framework Developer's Guide for information about how to configure keystores for the client, and how to import server-side public keys into the client keystore.

About Oracle Content DB Access to the Server Keystore

When you create a server keystore for WS-Security, you also create a private server key. This private server key is protected by two passwords: one password for the server keystore, and one password for the private server key itself, called the private server key password.

After these passwords have been created, they must be stored in a secure location so that Oracle Content DB can access the private server key at run time. The Oracle Content DB changepassword utility is used to store these passwords in a secure location that can be accessed by Oracle Content DB.

Configuring a Server Keystore

To configure a keystore at the server side, follow these steps:

  1. At the command prompt, go to ORACLE_HOME/jdk/bin.

  2. Create the server keystore by running the following keytool command:

    ./keytool -genkey -keyalg RSA -validity number_of_days_certificate_is_valid -alias server_public_key_alias -keystore keystore_file_name -dname distinguished_name -keypass private_server_key_password -storepass keystore_password
    
    

    For example:

    ./keytool -genkey -keyalg RSA -validity 5000 -alias server -keystore server-keystore.jks -dname "cn=server" -keypass serverprivkeypass -storepass serverksp
    
    
  3. You can list the keys in the keystore by running the following keytool command:

    ./keytool -list -keystore keystore_file_name -keypass private_server_key_password -storepass keystore_password
    
    

    For example:

    ./keytool -list -keystore server-keystore.jks -keypass serverprivkeypass -storepass serverksp
    
    
  4. The key pair created in Step 2 already has a self-signed certificate, so this step is only needed if you want to reissue that certificate (for example with a different validity period). To do so, run the following keytool command:

    ./keytool -selfcert -validity number_of_days_certificate_is_valid -alias server_public_key_alias -keystore keystore_file_name -keypass private_server_key_password -storepass keystore_password
    
    

    For example:

    ./keytool -selfcert -validity 5000 -alias server -keystore server-keystore.jks -keypass serverprivkeypass -storepass serverksp
    
    
  5. Export the server public key, in the form of its self-signed certificate, from the server keystore to a file by running the following keytool command. The file contains no secret and is what you hand to client administrators:

    ./keytool -export -alias server_public_key_alias -keystore keystore_file_name -file server.pubkey -keypass private_server_key_password -storepass keystore_password
    
    

    For example:

    ./keytool -export -alias server -keystore server-keystore.jks -file server.pubkey -keypass serverprivkeypass -storepass serverksp
    
    
  6. Store the keystore password and the private server key password in a secure location so that Oracle Content DB can access the keystore and the private key. To do this, follow these steps:

    1. At the command prompt, go to ORACLE_HOME/content/bin.

    2. Run the following command:

      ./changepassword -k
      
      
    3. When prompted for the old password, just press Enter. Then, enter and confirm the keystore password that you provided in Step 2.

      Be sure to follow the steps described in "Changing the Keystore Password for WS-Security" if you need to change this password later.

    4. Run the following command:

      ./changepassword -p
      
      
    5. When prompted for the old password, just press Enter. Then, enter and confirm the private server key password that you provided in Step 2.

      Be sure to follow the steps described in "Changing the Private Server Key Password" if you need to change this password later.

Importing Client Public Keys Into the Server Keystore

To verify the signature of trusted clients, you must import the client public key (its certificate) into the server keystore. Every certificate imported this way identifies a client that the server will trust to assert any user identity, so import only certificates from applications you control, and confirm the certificate fingerprint with the client's administrator out of band when keytool displays it and asks for confirmation.

To import a client public key into the server keystore, follow these steps:

  1. At the command prompt, go to ORACLE_HOME/jdk/bin.

  2. Run the following keytool command:

    ./keytool -import -alias client_public_key_alias -file client.pubkey -keystore keystore_file_name -keypass private_server_key_password -storepass keystore_password
    
    

    For example:

    ./keytool -import -alias client -file client.pubkey -keystore server-keystore.jks -keypass serverprivkeypass -storepass serverksp
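
An added check for the server keystore once client certificates have been imported (example code, not from the guide or the product): it lists the keystore with keytool and fails if there is more than one private key or any trustedCertEntry whose alias you did not name, since every trusted certificate is a client the server will believe about user identity. The parsing works on keytool -list output captured as text, so you can also run it against a listing saved from another host; keytool on the PATH is assumed only for the live check. The JDK 5 keyEntry spelling is accepted alongside PrivateKeyEntry; aliases containing spaces are not handled.

```sh
#!/bin/sh
# Added example (not from the Oracle guide): audit the WS-Security server
# keystore after client certificates have been imported. Every trustedCertEntry
# is a client the server will believe about user identity, so the audit fails
# on any alias you did not name, and on anything other than exactly one private
# key (the server's own). The listing format is keytool's; the check is this
# example's own. Assumes keytool is on the PATH for the live check.
set -e

# audit_listing LISTING SERVER_ALIAS [CLIENT_ALIAS...]
# LISTING is the text printed by `keytool -list`. Pure text processing, so it
# can be run on captured output without a JDK. Accepts both the JDK 5 spelling
# "keyEntry" and the later "PrivateKeyEntry". Aliases with spaces are not handled.
audit_listing() {
  listing=$1; server_alias=$2; shift 2
  expected=" $* "
  rc=0

  keys=$(printf '%s\n' "$listing" | grep -c -E ', (PrivateKeyEntry|keyEntry),' || true)
  if [ "$keys" != 1 ]; then
    echo "expected exactly one private key entry, found $keys" >&2; rc=1
  fi
  if ! printf '%s\n' "$listing" | grep -q -E "^$server_alias, .*, (PrivateKeyEntry|keyEntry),"; then
    echo "alias '$server_alias' is not the private key entry" >&2; rc=1
  fi

  # The alias is the text before the first comma; the dates in the listing also
  # contain commas, which is why the type is matched as ", trustedCertEntry,".
  trusted=$(printf '%s\n' "$listing" | grep -E ', trustedCertEntry,' | cut -d, -f1 | tr '\n' ' ' || true)
  for alias in $trusted; do
    case "$expected" in
      *" $alias "*) ;;
      *) echo "unexpected trusted client '$alias': it could assert any user identity" >&2; rc=1 ;;
    esac
  done
  for alias in "$@"; do
    case " $trusted " in
      *" $alias "*) ;;
      *) echo "expected client '$alias' is missing from the keystore" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Live check against a keystore file.
audit_keystore() {   # KEYSTORE STOREPASS SERVER_ALIAS [CLIENT_ALIAS...]
  keystore=$1; storepass=$2; server_alias=$3; shift 3
  audit_listing "$(keytool -list -keystore "$keystore" -storepass "$storepass")" "$server_alias" "$@"
}

# Usage, with the aliases from the guide's examples:
#   audit_keystore server-keystore.jks "$SERVER_KS_PASS" server client
```

Run the audit after every import and before restarting the domain; a non-zero exit means the keystore trusts something you did not intend, and the message names the alias.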
    

Changing the Private Server Key and Keystore Passwords

If you created a server keystore for Oracle Content DB for WS-Security, you specified a password for both the private server key and for the keystore itself when you created the keystore. If you are using SSL for the connection between Oracle Content DB and the LDAP server, you also specified an LDAP keystore password when you created the LDAP keystore.

If you need to change any of these passwords, you must first change the passwords in the appropriate keystore by running a keytool command. Then, you must run the Oracle Content DB changepassword utility. This utility updates the passwords in the secure location where they are stored for use by Oracle Content DB.

Changing the Private Server Key Password

To change the private server key password:

  1. First, change the private server key password in the keystore by running keytool -keypasswd against the server key alias (the keystore password is still needed to open the keystore).

  2. On each Oracle Content DB middle tier, store the private server key password in a secure location so that Oracle Content DB can access it. To do this, follow these steps:

    1. At the command prompt, go to ORACLE_HOME/content/bin.

    2. Run the following command:

      ./changepassword -p
      
      
    3. When prompted, enter the old password, new password, and confirm the new password.

    4. Repeat these steps for each Oracle Content DB middle tier.

Changing the Keystore Password for WS-Security

To change the WS-Security keystore password:

  1. First, change the WS-Security keystore password in the keystore by running keytool -storepasswd.

  2. On each Oracle Content DB middle tier, store the WS-Security keystore password in a secure location so that Oracle Content DB can access the keystore. To do this, follow these steps:

    1. At the command prompt, go to ORACLE_HOME/content/bin.

    2. Run the following command:

      ./changepassword -k
      
      
    3. When prompted, enter the old password, new password, and confirm the new password.

    4. Repeat these steps for each Oracle Content DB middle tier.

Changing the LDAP Keystore Password

To change the LDAP keystore password:

  1. First, change the LDAP keystore password in the keystore by running keytool -storepasswd. Because this password is also set as -Djavax.net.ssl.trustStorePassword in opmn.xml (see Step 8 of "Setting Up Server Only SSL Between Oracle Content DB and Your LDAP Server"), update that value on each middle tier as well and restart OPMN.

  2. On each Oracle Content DB middle tier, store the LDAP keystore password in a secure location so that Oracle Content DB can access the keystore. To do this, follow these steps:

    1. At the command prompt, go to ORACLE_HOME/content/bin.

    2. Run the following command:

      ./changepassword -l
      
      
    3. When prompted, enter the old password, new password, and confirm the new password.

    4. Repeat these steps for each Oracle Content DB middle tier.
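
The three password-change procedures above refer to "the appropriate keytool command" without showing it. This added example (not the guide's code) supplies them: keytool -storepasswd for a keystore password and keytool -keypasswd for the private server key password, plus an editor for opmn.xml, because the LDAP keystore password is also the -Djavax.net.ssl.trustStorePassword value set in Step 8 of the Server Only procedure and goes stale if only changepassword -l is run. The opmn.xml editor is this example's own and assumes the java-options value sits on one line, as in the guide's sample; changepassword is interactive, so the script prints the invocation to run rather than driving it. ORACLE_HOME must be set.

```sh
#!/bin/sh
# Added example (not from the Oracle guide): rotate the keystore and private key
# passwords with keytool and keep opmn.xml in step. The keytool subcommands
# (-storepasswd, -keypasswd) are standard; the opmn.xml editor and the script
# structure are this example's own. changepassword prompts interactively, so the
# script tells you which invocation to run instead of driving it.
set -e

# Set or replace one -Dname=value entry in the OC4J_Content java-options line of
# opmn.xml, leaving other process types alone. VALUE must not contain ", & or <
# (it is written into an XML attribute unescaped).
set_java_option() {
  xml=$1; name=$2; value=$3
  tmp=$(mktemp)
  awk -v name="$name" -v value="$value" '
    /<process-type id="OC4J_Content"/ { inside = 1 }
    /<\/process-type>/                { inside = 0 }
    inside && /id="java-options"/ {
      key = "-D" name "="
      p = index($0, key)
      if (p > 0) {
        rest = substr($0, p + length(key))
        n = match(rest, /[ "]/)          # old value ends at a space or the closing quote
        $0 = substr($0, 1, p - 1) key value substr(rest, n)
      } else {
        q = match($0, /"[ \t]*\/>/)      # closing quote of value="..."
        $0 = substr($0, 1, q - 1) " " key value substr($0, q)
      }
    }
    { print }
  ' "$xml" > "$tmp"
  cat "$tmp" > "$xml"     # write in place so ownership and mode are kept
  rm -f "$tmp"
}

# Change a keystore (store) password. Works for the WS-Security and LDAP keystores.
rotate_store_password() {      # KEYSTORE OLD NEW
  keytool -storepasswd -keystore "$1" -storepass "$2" -new "$3"
}

# Change the password of the private key under ALIAS (the WS-Security server key).
rotate_key_password() {        # KEYSTORE ALIAS STOREPASS OLD NEW
  keytool -keypasswd -keystore "$1" -alias "$2" -storepass "$3" -keypass "$4" -new "$5"
}

# LDAP keystore: the store password lives in three places on every middle tier
# (the keystore, opmn.xml and the changepassword store), so rotate all of them.
rotate_ldap_keystore_password() {   # OLD NEW
  ks="$ORACLE_HOME/content/settings/ldap-keystore.jks"
  rotate_store_password "$ks" "$1" "$2"
  set_java_option "$ORACLE_HOME/opmn/conf/opmn.xml" javax.net.ssl.trustStorePassword "$2"
  echo "Now run $ORACLE_HOME/content/bin/changepassword -l (old, then new password)"
  echo "and restart OPMN so OC4J_Content picks up the new java-options."
}

# WS-Security keystore: store password (-k) and private key password (-p) are
# separate secrets. The key password is changed first, while the old store
# password still opens the keystore.
rotate_ws_passwords() {   # KEYSTORE ALIAS OLD_STORE NEW_STORE OLD_KEY NEW_KEY
  rotate_key_password "$1" "$2" "$3" "$5" "$6"
  rotate_store_password "$1" "$3" "$4"
  echo "Now run changepassword -k (store password) and changepassword -p (private key password)."
}

# Usage, with the guide's example names:
#   rotate_ws_passwords server-keystore.jks server serverksp newksp serverprivkeypass newkeypass
#   rotate_ldap_keystore_password ldapksp newldapksp
```

Run the functions on every middle tier, since each tier has its own copy of the keystores, opmn.xml and the changepassword store; the domain need not be stopped, but OC4J_Content reads the new opmn.xml values only after OPMN is restarted.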

Changing the Oracle Content DB Schema Password

To change the Oracle Content DB schema password, first change the password in Oracle Database. Then, you need to run a script to change the password on each Oracle Content DB middle tier.

To change the Oracle Content DB schema password:

  1. Stop the Oracle Content DB domain. See "Starting and Stopping the Oracle Content DB Domain" for information about how to do this.

  2. Change the Oracle Content DB schema password in Oracle Database, as follows:

    1. Log in to SQL*Plus. For example, on UNIX systems:

      cd $ORACLE_HOME/bin
      ./sqlplus /nolog
      
      
    2. Connect as the SYSDBA user. For example:

      SQL> conn / as sysdba
      
      
    3. Change the password for the CONTENT schema, as follows:

      SQL> alter user CONTENT identified by new_password;
      
      
  3. Change the Oracle Content DB schema password on each middle tier, as follows:

    1. At the command prompt, go to ORACLE_HOME/content/bin.

    2. Run the following command:

      ./changepassword -s
      
      
    3. When prompted, enter the old password, new password, and confirm the new password.

    4. Repeat these steps for each Oracle Content DB middle tier.

  4. Start the Oracle Content DB domain. See "Starting and Stopping the Oracle Content DB Domain" for information about how to do this.

Security Considerations for HTTP/WebDAV

The HTTP and WebDAV protocols allow digest (hashed challenge/response) authentication. Whether HTTP and WebDAV traffic is protected by SSL depends on the configuration of Oracle HTTP Server, and on whether Oracle Content DB has been configured for SSL.


Note:

You can only use digest authentication with Oracle Internet Directory or file-based user repositories. You cannot use digest authentication with third-party LDAP servers due to limitations in JAZN support.

Oracle Drive is a desktop client that uses the WebDAV protocol to access Oracle Content DB. After it is installed, Oracle Drive appears as a mapped drive in Windows Explorer. Oracle Drive also provides file synchronization capabilities between your local computer and Oracle Content DB.

Network Channel Encryption

The HTTP and WebDAV protocols do not encrypt the network channel by default. This means that files transferred using these protocols are susceptible to interception. If you are unwilling to accept this behavior, then you should disable these protocols or configure them to use SSL.

See "SSL Configuration for Oracle Content DB" for more information.

Preventing Malicious Uploads

Because user quota is managed asynchronously through the Quota Agent, a malicious user can upload a very large file to fill up disk space before the quota check catches up. To limit this, set the IFS.DOMAIN.MEDIA.CONTENTTRANSFER.ContentLimit domain property, which caps the size of any single file uploaded to Oracle Content DB; an upload larger than the limit fails. This limit does not apply to administrators.

When this property is set to 0, the default value, the content limit is disabled. You will be able to upload any file whose size is within the last calculated available quota, as of the beginning of the upload.

See "Changing Domain Properties" for information about how to set the IFS.DOMAIN.MEDIA.CONTENTTRANSFER.ContentLimit property.

Changing the Client Session Timeout Period

The client session timeout period is the number of minutes of idle time after which a Web user interface session expires. By default, the client session timeout for Oracle Content DB is set to 30 minutes.

To change the client session timeout period:

  1. Connect to the Application Server Control.

  2. On the Cluster Topology page, in the Members table, click the plus icon next to one of the OC4J_Content instances. It does not matter which OC4J_Content instance you choose to expand.

    You cannot expand the OC4J instance unless it is running. To start the OC4J instance, select it and click Start.

  3. Under the OC4J_Content heading, click content.

  4. On the Application: content page, in the Modules table, click content.

  5. On the Web Module: content page, click the Administration tab.

  6. In the Configuration Properties table row, click the Go to Task icon.

  7. Change the value for Session Timeout (seconds). The default is 1800 seconds (30 minutes).

  8. Click OK.

  9. Under the Confirmation heading, click Restart to restart the Oracle Content DB (content) application.

Applying the Latest Critical Patch Updates to Oracle Content DB

For greater security, apply any necessary Critical Patch Updates to your Oracle Content DB deployment. For more information on Critical Patch Updates and Security Alerts, go to the Oracle Technology Network (OTN) at:

http://www.oracle.com/technology/deploy/security/alerts.htm