7.8 Securing Oracle Reports Services

In 11g Release 1 (11.1.1), Reports Server is secure out-of-the-box using the Oracle Platform Security Services, which accomplishes both authentication and authorization. Oracle Reports uses this Java EE-based security model to allow you to create security policies for running report jobs and Web commands.

In prior releases, Reports Server authentication was restricted to use only Oracle Internet Directory. Authorization of Reports Server required an Oracle Portal-based security model (using Portal metadata repository for checking authorization). If you want to revert to the security mechanism of prior releases, refer to Section 7.8.1.1, "Switching to Oracle Portal Security".

In Oracle Reports 11g Release 1 (11.1.1), administrators can use Oracle Enterprise Manager to more easily define and manage granular security policies and file system access:

7.8.1 Enabling and Disabling Security

To enable or disable security for the Reports Server or Reports Application:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the component's home page (see Section 7.3, "Viewing the Component Topology").

  3. From the Reports menu, select Administration > Advanced Configuration.

    The Advanced Configuration page is displayed.

  4. In the Reports Security region, check or uncheck Enable Security.

7.8.1.1 Switching to Oracle Portal Security

The steps for deploying reports in Oracle Portal are the same in 11g Release 1 (11.1.1) as in prior releases, as described in Chapter 16, "Deploying Reports in Oracle Portal". However, the security mechanism underlying the deployment has changed. Authorization is enabled out of the box, but if only Oracle Internet Directory is specified during installation and Portal is not installed, authorization using Oracle Portal is disabled. The default installation of 11g Release 1 (11.1.1) accomplishes both authentication and authorization through Oracle Platform Security Services.

You can continue to use the security features in Oracle Portal from prior releases for backward compatibility. To switch from the new 11g Release 1 (11.1.1) Oracle Platform Security Services to pre-11g Oracle Portal metadata repository-based security:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the Reports Server Home page (see Section 7.3, "Viewing the Component Topology").

  3. From the Reports menu, select Administration > Advanced Configuration.

    The Reports Server Advanced Configuration page is displayed.

  4. In the Reports Security section, check Enable Security, then select Security features available through Oracle Portal.

  5. Click Apply.

Note:

If you enable Oracle Portal security features, then Oracle Portal must also be configured during installation for authorization to occur:
  • If Oracle Portal is configured during installation, authentication is accomplished using the Oracle Internet Directory and authorization is accomplished using Oracle Portal (which stores authorization policies).

  • If Oracle Portal is not configured during installation, authentication is accomplished using the Oracle Internet Directory and authorization does not occur.

7.8.2 Defining Security Policies for Reports

As administrator, you can specify the reports to which a particular user/role has access by creating security policies for each report. In the security policy, you can also specify the server, destination name (desname), destination type (destype), and other parameters. An authenticated user is authorized against these security policies.

To define security policies for reports for Reports Server or Reports Application (in-process Reports Server):

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the component Home page (see Section 7.3, "Viewing the Component Topology").

  3. From the Reports menu, select Administration > Manage Reports Security Policies > Reports Policies.

  4. Click Create or Edit.

    The Security Policy Configuration for Reports page is displayed.

  5. Enter appropriate values for the elements on the page to define a security policy for directory access using the descriptions in the Help topic for the page.

    Click the Help icon on the page to access the page-level help.

    Perform the following to complete the elements on the page:

    • From the Server Name parameter checkbox, select one or more servers to which the security policy has to be applied. If you want to apply the security policy to all servers, select All.

    • In the Reports Definition Files or Directories parameter, enter one or more report definition file names or the directories for which you are defining security policies. For example, to specify a directory, enter: /myreports/runtime/reports/*. Separate multiple entries with a comma (,).

    • Click OK.

      All fields on this page require a restart to take effect.

  6. Run a report as the specified role and other roles to test that security policies for authentication and authorization are enforced as you have defined. For example, run a report from your browser using the following URLs:

    http://host:port/reports/rwservlet?report=report_name.rdf&destype=cache&desformat=html&userid=user/password@mydb&server=ReportsServer_instancename
    
    http://host:port/reports/rwservlet?report=report_name.rdf&userid=user/password@mydb&destype=file&desformat=pdf&desname=report_name.pdf 
    

    where

    host is the machine where the Oracle Instance is set up

    port is the OHS main port

Note:

The security policies defined in Oracle Enterprise Manager are stored in the policy store configured by the user. The idstore contains information on the users and the policy store contains the security policies configured by the user.

7.8.3 Defining Security Policies for Directories

In certain cases, you will want to give a particular user access to multiple related reports. Rather than specify a security policy for each report, you can collect all the reports in a single directory, then specify a security policy for the directory. Again, the security policy is checked when the user provides the user name and password.

As an example, imagine that there are 15 finance reports, for which you want to give access to the FINANCE role, and there are 12 Human Resources reports for which you want to give access to the HR role. Rather than specify 15 security policies for FINANCE role, and 12 policies for HR role (one policy per report), you can collect all finance reports in one directory, and collect all the HR reports in another directory, then specify only 2 policies (one per directory). Instead of specifying the report name, you will specify the directory name in the security policy.

To define a security policy for directories:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the Reports Server Home page (see Section 7.3, "Viewing the Component Topology").

  3. From the Reports menu, select Administration > Manage Reports Security Policies > Reports Policies.

  4. Click Create or Edit.

    The Security Policy Configuration for Reports page is displayed.

  5. Enter appropriate values for the elements on the page to define a security policy for directory access using the descriptions in the Help topic for the page.

    Click the Help icon on the page to access the page-level help.

    Perform the following to complete the elements on the page:

    • From the Server Name parameter checkbox, select one or more servers to which the security policy has to be applied. If you want to apply the security policy to all servers, select All.

    • In the Reports Definition Files or Directories parameter, enter one or more report definition file names or the directories for which you are defining security policies. For example, to specify a directory, enter: /myreports/runtime/reports/*. Separate multiple entries with a comma (,).

    • Click OK.

      All fields on this page require a restart to take effect.

Now, to use the defined directory access control at the Reports Server level, refer to Section 7.8.1, "Enabling and Disabling Security" to confirm that security is turned on.

Note:

The security policies defined in Oracle Enterprise Manager are stored in the policy store configured by the user. The idstore contains information on the users and the policy store contains the security policies configured by the user.
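
The following is an added example, not part of the Oracle documentation and not Oracle's own code: a small Python model of the FINANCE/HR directory policies described above, which produces the allow/deny matrix to confirm when you run reports as each role. The matching rule (wildcard match after path normalisation), the directory names, and the server name are assumptions made for the illustration.

```python
import posixpath
from fnmatch import fnmatchcase

# Constructed policies for the FINANCE/HR case: one directory entry per role.
# Directory and server names are hypothetical.
POLICIES = [
    {"grantee": "FINANCE", "servers": "All",
     "paths": "/myreports/finance/*"},
    {"grantee": "HR", "servers": "ReportsServer_instancename",
     "paths": "/myreports/hr/*, /myreports/shared/orgchart.rdf"},
]

def entries(policy):
    """Split the comma-separated files-or-directories field."""
    return [e.strip() for e in policy["paths"].split(",") if e.strip()]

def is_authorized(role, server, report, policies=POLICIES):
    """Model: a policy for the role must cover both the server and the report path."""
    path = posixpath.normpath(report)  # collapse '..' before matching
    for p in policies:
        if p["grantee"] != role:
            continue
        servers = [s.strip() for s in p["servers"].split(",")]
        if p["servers"] != "All" and server not in servers:
            continue
        if any(fnmatchcase(path, e) for e in entries(p)):
            return True
    return False

def expected_matrix(roles, server, reports):
    """Rows of (role, report, expected) to confirm by running each report as each role."""
    return [(role, rep, "allow" if is_authorized(role, server, rep) else "deny")
            for role in roles for rep in reports]

# Constructed report paths, including one that climbs out of the finance directory.
REPORTS = [
    "/myreports/finance/ledger.rdf",
    "/myreports/hr/payroll.rdf",
    "/myreports/finance/../hr/payroll.rdf",
    "/myreports/shared/orgchart.rdf",
]

if __name__ == "__main__":
    for row in expected_matrix(["FINANCE", "HR"], "ReportsServer_instancename", REPORTS):
        print(row)
```

Any row where the server's actual behaviour differs from the expected column points to a policy entry that is broader or narrower than intended.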

7.8.4 Defining Security Policies for Web Commands

You can also specify the Web commands to which a particular user/role has access by creating security policies for each Oracle Reports Servlet (rwservlet) Web command. The security policy is checked when the user provides the user name and password.

To define security policies for Web commands:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the Reports Application Home page (see Section 7.3, "Viewing the Component Topology").

  3. From the Reports menu, select Administration > Manage Reports Security Policies > Web Command Policies.

  4. Click Create or Edit to enter appropriate values for the elements on the page.

    The Security Policy Configuration for Web Commands page is displayed.

  5. Enter appropriate values for the elements on the page to define a web command security policy using the descriptions in the Help topic for the page.

    Click the Help icon on the page to access the page-level help.

    Perform the following steps to complete the elements on the page:

    • From the Server Name parameter checkbox, select one or more servers to which the security policy has to be applied. If you want to apply the security policy to all servers, select All.

    • From the Web Commands parameter checkbox, select one or more Web commands authorized for the specified servers and grantees. If you want to specify all Web commands, select All.

    • Click OK.

      All fields on this page require a restart to take effect.

  6. Run a report as the specified role and other roles to test that security policies for authentication and authorization are enforced as you have defined. For example, run the showjobs Web command from your browser using the following URL:

    http://host:port/reports/rwservlet/showjobs?server=ReportsServer_instancename
    

    where

    host is the machine where the Oracle Instance is set up.

    port is the OHS port.

Note:

The security policies defined in Oracle Enterprise Manager are stored in the policy store configured by the user. The idstore contains information on the users and the policy store contains the security policies configured by the user.

7.8.5 Defining Read/Write Access to Directories

As an administrator, you can specify read/write access for Reports Server, Reports Application (in-process Reports Server), or Oracle Reports Runtime to directories. This feature only checks whether Reports Server, Reports Application, or Oracle Reports Runtime is authorized to read from or write to a specified directory, and is unrelated to security policies that check the user name and password.

  • Read access. To avoid the security issue of exposing sensitive content of files, you can specify the directories from which Reports Server, Reports Application, or Oracle Reports Runtime is allowed to read.

    For example, a malicious user may specify the following keywords to run a report on Windows:

    distribute=yes&destination=C:\Temp
    

    This would generate an error stating that there was an error in the syntax of the file. To avoid this, enable file system access control to specify read directories that do not include system directories.

  • Write access. To avoid the security issue of a malicious user potentially overwriting a system file by sending report output to a system directory, you can specify the directories to which Reports Server, Reports Application, or Oracle Reports Runtime is allowed to write. Attempts to write to other directories will return an error.

    For example, a user may run a report to the following destination on Windows:

    desname=C:\Temp
    

    This would overwrite a system file unless file system access control was enabled to specify write directories that do not include system directories.

To define read/write access to directories for Reports Server, Reports Application, or Oracle Reports Runtime:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the component's home page (see Section 7.3, "Viewing the Component Topology").

  3. From the Reports menu, select Administration > Advanced Configuration.

    The Advanced Configuration page displays.

  4. In the File System Access Control section, check Enable File System Access Control, then enter the names of the Read Directories and Write Directories to which Reports Server, Reports Application, or Oracle Reports Runtime should have access. These entries set the read and write sub-elements of the folderaccess element in the configuration file.

    Read Directories: To avoid the security issue of exposing sensitive content of files, enter the names of the directories from which Reports Server is allowed to read. Separate directory names with a semicolon (;).

    Write Directories: Enter the names of the directories to which Reports Server is allowed to write. Attempts to write to other folders will return an error.
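
The following is an added example, not part of the Oracle documentation and not Oracle's own code: a Python audit of the read and write sub-elements of the folderaccess element. It flags entries that expose a whole drive or a system directory, and models whether a given desname resolves inside a listed write directory. The sample configuration, the directory names, the SYSTEM_DIRS list, and the containment rule are assumptions made for the illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample of the folderaccess element; directory names are hypothetical.
SAMPLE_CONF = r"""
<server>
  <folderaccess>
    <read>D:\reports\src;C:\Windows\System32</read>
    <write>D:\reports\out;C:\</write>
  </folderaccess>
</server>
"""
# Hypothetical list of system locations that should not be readable or writable.
SYSTEM_DIRS = [r"C:\Windows", r"C:\Program Files"]

def _norm(path):
    """Canonical form for comparison: collapse '..' segments and fold case."""
    return ntpath.normcase(ntpath.normpath(path.strip()))

def _inside(path, directory):
    """True when path is the directory itself or lies beneath it."""
    p, d = _norm(path), _norm(directory).rstrip("\\")
    return p.rstrip("\\") == d or p.startswith(d + "\\")

def load_folderaccess(conf_xml):
    """Return {'read': [...], 'write': [...]}, or None when the element is absent."""
    node = ET.fromstring(conf_xml).find(".//folderaccess")
    if node is None:
        return None
    return {kind: [d.strip() for d in (node.findtext(kind) or "").split(";") if d.strip()]
            for kind in ("read", "write")}

def audit(access):
    """Flag entries that are a whole drive or overlap a system directory."""
    findings = []
    for kind, dirs in access.items():
        for d in dirs:
            if ntpath.splitdrive(_norm(d))[1] in ("", "\\"):
                findings.append((kind, d, "drive root"))
            elif any(_inside(d, s) or _inside(s, d) for s in SYSTEM_DIRS):
                findings.append((kind, d, "overlaps system directory"))
    return findings

def write_allowed(desname, access):
    """Model of the write check: desname must resolve under a listed write directory."""
    return any(_inside(desname, d) for d in access["write"])

if __name__ == "__main__":
    for finding in audit(load_folderaccess(SAMPLE_CONF)):
        print(finding)
```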

7.8.6 Enabling and Disabling Single Sign-On

If you plan to take advantage of Oracle Application Server Single Sign-On, you can use Oracle Enterprise Manager to set the SINGLESIGNON parameter in the rwservlet.properties configuration file. SINGLESIGNON=YES by default on installation. For more information about Single Sign-On, refer to Chapter 17, "Configuring and Administering OracleAS Single Sign-On".

To enable Single Sign-On:

  1. Log in to Oracle Enterprise Manager.

  2. Navigate to the Reports Application Home page (see Section 7.3, "Viewing the Component Topology").

  3. From the Reports menu, select Administration > Advanced Configuration.

    The Reports Application Advanced Configuration page displays.

  4. In the Reports Security section, check Enable Single Sign-On.

  5. Click Apply.

7.8.7 Using Oracle Access Manager

Oracle Access Manager is a component of Oracle Fusion Middleware that you can use in place of OracleAS Single Sign-On 10g to implement centralized authentication, policy-based authorizations, delegated administration, and so on.

You can use the Oracle Fusion Middleware Upgrade Assistant to upgrade from OracleAS Single Sign-On 10g to Oracle Access Manager 11g. For more information about upgrading to Oracle Access Manager 11g, see the "Upgrading Your Oracle Single Sign-On Environment" chapter in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.

7.8.8 Managing Credentials

This section explains how to use Oracle Enterprise Manager to manage credentials in a domain credential store.

  1. Log in to Oracle Enterprise Manager and navigate to WebLogic Domain > Security > Credentials, to display the Credentials page.

  2. Use the Delete button to remove a selected item (key or map) in the table. Note that deleting a credential map deletes all keys in it. Similarly, use the Edit button to view or modify the data in a selected item.

  3. To display credentials matching a given key name, enter the string to match in the box Credential Key Name, and then click the blue button to the right of it. The result of the query is displayed in the table.

  4. To redisplay the list of credentials after examining the results of a query, select WebLogic Domain > Security > Credentials.

To create a new credential map:

  1. Click Create Map to display the Create Map dialog.

  2. In this dialog, enter the name of the map for the credential being created.

  3. Click OK to return to the Credentials page. The new credential map name is displayed with a folder icon in the table.

Note:

In CSF, the Reports Server can access credentials only from the Reports folder, hence you must create credentials under the Reports folder.

To add a new key to a credential map:

  1. Click Create Key to display the Create Key dialog.

  2. In this dialog, select a map from the Select Map pull-down list where the new key will be inserted, enter a key in the Key text box, select a type from the Type pull-down list (the appearance of the dialog changes according to the type selected), and enter the required data.

  3. Click OK when finished to return to the Credentials page. The new key is shown under the map icon corresponding to the map you selected.

For more information about reassociating the credential store, see the Oracle Fusion Middleware Security Guide.