1.2 Approving Oracle IRM Client Software

Oracle recognizes that many organizations have approval processes to ensure that software applications do not compromise network security, system stability, or general business rules. This section aims to provide information and assurances about the concerns that are typical during such an approval process.

1.2.1 Software Compatibility

Oracle IRM Desktop is exhaustively tested on a wide range of operating systems, and is tested for interoperability with a range of software applications, including the widely deployed versions of Microsoft Office, Microsoft Outlook, Microsoft Internet Explorer, Adobe Reader, and Lotus Notes.

Details of operating system and application support are available from the Oracle Information Rights Management Certification Information link on the Oracle IRM Downloads page of Oracle Technology Network.

1.2.2 System Security

The following key points should reassure you that system security will not be compromised by installing Oracle IRM Desktop:

  • Oracle IRM Desktop maintains an encrypted and tamper-proof configuration cache.

  • The communication protocol is encrypted and authenticated, and responses are not executable, so viruses cannot enter the company network via Oracle IRM Desktop.

  • Oracle IRM Desktop never receives incoming connections, only responses to outbound connections.

  • Sealed documents are not executable; they are encrypted versions of standard formats such as Microsoft Office, PDF, and HTML.

  • Scripting in sealed HTML is subject to the same client-side controls as scripting in unsealed HTML.

  • Any attempt to tamper with a sealed document is detected through the layer of encryption and digital signatures, causing Oracle IRM Desktop to refuse to open it.

1.2.3 Network Security Compatibility

Oracle IRM Desktop makes network connections to the Oracle IRM Server owned by the service host organization (the originators of the sealed documents or emails that people within your organization have received).

In security terms, communications with Oracle IRM Server are equivalent to browser communications with web servers. Oracle IRM Desktop communicates with 10g versions of Oracle IRM Server using a secure, encrypted variant of the HTTP protocol used by web browsers. For 11g versions of Oracle IRM Server, standardized HTTPS communications are used. Further:

  • Oracle IRM Desktop never receives inbound connections — only responses from Oracle IRM Server and its associated web server.

  • Oracle IRM Desktop does not keep TCP connections to Oracle IRM Server open.

  • Oracle IRM Desktop never communicates with anything other than the Oracle IRM Server and its associated web server. Oracle IRM Desktop never communicates with, for example, other clients.

  • All communications with Oracle IRM Server are encrypted and authenticated.

  • Oracle IRM Desktop does not attempt to modify network settings to enable communications. Oracle IRM Desktop uses the proxy settings in Internet Explorer, if present, but does not attempt to change them.

  • Oracle IRM Desktop provides a connection testing facility that can help diagnose connectivity issues, if required, but does not attempt to resolve those issues.

1.2.4 Network Use Considerations

Oracle IRM Desktop must periodically communicate with Oracle IRM Server to obtain decryption keys and licenses to use sealed documents. This communication needs to be permitted by any intervening firewalls.

In most cases firewalls need no special configuration because Oracle IRM Desktop uses the same network ports and protocols as web browsers. If users are already allowed access to the Internet, Oracle IRM Desktop can usually operate successfully without any additional network configuration.

By default, Oracle IRM Desktop automatically detects and uses Internet Explorer's proxy settings, which can be configured to use a designated proxy server, and to automatically authenticate to proxies, if required. If proxy authentication is not automatic, the user will be prompted to authenticate to the proxy manually.

If Oracle IRM Desktop experiences connectivity problems, it has a built-in network diagnostic test whose results can be used to make appropriate modifications to the network. Users can initiate this test by opening a sealed document, clicking on the Online Information icon on the toolbar, and clicking the Test link on the status page. Status pages open automatically if sealed content cannot be displayed because of a problem. A self-test reveals the address and port that Oracle IRM Desktop needs to be able to connect to. The firewall needs to allow connections and responses.

1.2.5 Virus Scanner Compatibility

Sealed documents are encrypted, which can (in extremely rare cases) cause a sealed document to contain what appears to be a virus signature. However, sealed documents are never executed, so they cannot transmit a virus.

Virus scanners might prevent users from downloading sealed documents because they have an unusual MIME type. To avoid this situation you might be able configure your virus scanner to recognize and accept the MIME types of sealed documents. The organization that originated the sealed document or email will be able to obtain a list of applicable MIME types from Oracle's Metalink support service.

1.2.6 Organizational Awareness of Document Content

Your organization may have a requirement to be aware of the content of all documents retained by it, even sealed ones (for example for legal or eDiscovery purposes). This requirement may be satisfied by using the Oracle IRM Desktop search component. Your organization will then be able to identify documents containing specific content and take any necessary action.

The Oracle IRM Desktop search component enables Windows search facilities and the Microsoft Indexing Service to search and index sealed documents, subject to the user's rights. A particular user's search right will normally be confined to documents that the user has the right to read. Therefore, to implement this solution, it will be necessary to create a privileged user who has the search right to all sealed documents retained by your organization. (The privileged user need not have the right to read all such documents, only to search them.) You will need to contact the originator of the sealed documents to have them create the privileged user, with the necessary rights, and send the authentication details (username and password) to an appropriate person within your organization.