Deployment Planning Guide


Securing Oracle WebCenter

This chapter summarizes security concerns for Oracle WebCenter deployments. While this chapter provides a summary of security needs, it is not intended to replace the services of a qualified security professional.

This chapter is divided into the following sections:
  • Determining Your Security Needs
  • Ensuring the Security of Your Production Environment

For further details on securing your deployment, see the “Network Security” chapter of the Oracle WebCenter Interaction Networking and Authentication Guide.

Determining Your Security Needs

This section describes best practices for determining the security needs of your Oracle WebCenter deployment. It is divided into the following sections:
  • Understand Your Environment
  • Hire Security Consultants or Use Diagnostic Software
  • Read Security Publications

Understand Your Environment

To better understand your security needs, ask yourself the following questions:

Hire Security Consultants or Use Diagnostic Software

Whether you deploy Oracle WebCenter on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements. Oracle partners offer services and products that can help you to secure an Oracle WebCenter production environment. For details, visit the Oracle Support site at http://www.oracle.com/support/index.html.

Read Security Publications

For the latest information about securing web servers, Oracle recommends the "Security Practices & Evaluations" information available from the CERT™ Coordination Center operated by Carnegie Mellon University.

Report possible security issues in Oracle WebCenter products by contacting Oracle technical support. For technical support contact information, see Oracle Documentation and Resources.

Ensuring the Security of Your Production Environment

This section provides high-level descriptions of the security measures that can be employed to secure your Oracle WebCenter environment. It is divided into the following sections:
  • Securing the Oracle WebCenter Hosts
  • Securing Your Database

Securing the Oracle WebCenter Hosts

An Oracle WebCenter production environment is only as secure as the security of the machines on which it is running. It is important that you secure the physical machine, the operating system, and all other software that is installed on the host machine. The following are suggestions for securing your Oracle WebCenter Interaction host in a production environment. Also check with the manufacturer of the machine and operating system for recommended security measures.

Table 3-1 Securing Oracle WebCenter Hosts (each security action is followed by its description)

Physically secure the hardware.
  Keep your hardware in a secured area to prevent unauthorized operating system users from tampering with the deployment machine or its network connections.

Secure networking services that the operating system provides.
  Have an expert review network services such as e-mail programs or directory services to ensure that a malicious attacker cannot access the operating system or system-level commands. The way you do this depends on the operating system you use.
  Sharing a file system with other machines in the enterprise network imposes risks of a remote attack on the file system. Be certain that the remote machines and the network are secure before sharing the file systems from the machine that hosts Oracle WebCenter components.

Use a file system that can prevent unauthorized access.
  Make sure the file system on each Oracle WebCenter component host can prevent unauthorized access to protected resources. For example, on a Windows computer, use only NTFS.

Set file access permissions for data stored on disk.
  Set operating system file access permissions to restrict access to data stored on disk. This data includes, but is not limited to, the following:
    • Third-party authentication directories.
    • Portal configuration files.
  For example, operating systems such as Unix and Linux provide utilities such as umask and chmod to set the file access permissions. At a minimum, consider using “umask 066”, which denies read and write permissions to Group and Others.

Set file access permissions for data stored in the portal database.
  Set operating system file access permissions to restrict access to data stored in the portal database.

Safeguard passwords.
  The passwords for user accounts on production machines should be difficult to guess and should be guarded carefully.
  Set a policy to expire passwords periodically.
  Never code passwords in client applications.

Do not develop on a production machine.
  Develop first on a development machine and then move code to the production machine when it is completed and tested. This process prevents bugs in the development environment from affecting the security of the production environment.

Do not install development and sample software on a production machine.
  Do not install development tools on production machines. Keeping development tools off the production machine reduces the leverage intruders have should they get partial access to an Oracle WebCenter production machine. Do not install the Oracle WebCenter sample applications on production machines.

Enable security auditing.
  Configure security auditing to enable monitoring of sensitive portal functions using the Audit Manager function.

Consider using additional software to secure your operating system.
  Most operating systems can run additional software to secure a production environment. For example, an Intrusion Detection System (IDS) can detect attempts to modify the production environment.
  Refer to the vendor of your operating system for information about available software.

Apply operating-system service packs and security patches.
  Refer to the vendor of your operating system for a list of recommended service packs and security-related patches.

Apply the latest Oracle WebCenter maintenance packs and implement the latest security advisories.
  If you are responsible for security-related issues on your site, review the alerts and patches available on the Oracle Support site at http://www.oracle.com/support/index.html.
  In addition, you are advised to apply each maintenance pack as it is released. Maintenance packs are a roll-up of all bug fixes for each version of the product.
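The "umask 066" and chmod advice in the table, as an added example that is not part of the Oracle guide: the script shows the mode a file receives when created under umask 066, audits a directory for files still readable or writable by Group or Others, and restricts any such files to the owner. The directory and the file names (portalconfig.xml, leaky.properties) are constructed for the demonstration and are not Oracle WebCenter paths.

```shell
#!/bin/sh
# Added example: file permission hygiene for portal configuration files.
set -eu

# Scratch directory standing in for a portal configuration directory (constructed).
PORTAL_CONF="$(mktemp -d)"
trap 'rm -rf "$PORTAL_CONF"' EXIT

# Print the octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Create a file in a subshell that applies umask 066, so only that file is affected.
# 0666 masked by 066 leaves 0600: owner read/write, nothing for Group or Others.
create_with_umask_066() {
    ( umask 066; : > "$PORTAL_CONF/portalconfig.xml" )
    file_mode "$PORTAL_CONF/portalconfig.xml"
}

# Succeed (exit 0) only when no regular file under the directory grants
# read or write access to Group (040/020) or Others (004/002).
audit_group_other_access() {
    dir="$1"
    leaks="$(find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))"
    [ -z "$leaks" ]
}

# Remediation: make every regular file under the directory owner-only (chmod 600).
restrict_to_owner() {
    find "$1" -type f -exec chmod 600 {} +
}

# Demonstration when run directly.
echo "portalconfig.xml created under umask 066 has mode $(create_with_umask_066)"
```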

Securing Your Database

Most web applications use a database to store their data. Common databases used with Oracle WebCenter are Oracle 10G and Microsoft SQL Server. The databases frequently hold sensitive data. When creating your web application you must consider what data is going to be in the database and how secure you need to make that data. You also need to understand the security mechanisms provided by the manufacturer of the database and decide whether they are sufficient for your needs. If the mechanisms are not sufficient, you can use other security techniques to improve the security of the database, such as encrypting sensitive data before writing it to the database. For example, leave all customer data in the database in plain text except for the encrypted credit card information.
