[/map {"- map/map "}) [/map/title {"- topic/title "}) Endeca Information Discovery Studio: Studio Security Guide (title] [/map/topicref {"- map/topicref "}) [/map/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicmeta/navtitle {"- topic/navtitle "}) About this guide (navtitle][/map/topicref/topicmeta/linktext {"- map/linktext "}) About this guide (linktext][/map/topicref/topicmeta/shortdesc {"- map/shortdesc "}) This guide explains how to install, configure, and use Oracle Endeca Information Discovery Studio securely. (shortdesc] (topicmeta] (topicref] [/map/topicref {"- map/topicref "}) [/map/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicmeta/navtitle {"- topic/navtitle "}) About Security in Studio (navtitle][/map/topicref/topicmeta/linktext {"- map/linktext "}) About Security in Studio (linktext][/map/topicref/topicmeta/shortdesc {"- map/shortdesc "}) Here is a high-level look at the available security features for Studio and the Provisioning Service, and sources for additional information. (shortdesc] (topicmeta][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) About Studio security functions (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) About Studio security functions (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) Studio can support varying levels of security. For the most part, Studio security features follow basic industry standards. 
(shortdesc] (topicmeta] (topicref][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Sources for additional information (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Sources for additional information (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) In addition to this guide, the following documents contain additional information to help you secure your Studio implementation. (shortdesc] (topicmeta] (topicref] (topicref][/map/topicref {"- map/topicref "}) [/map/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicmeta/navtitle {"- topic/navtitle "}) Using SSL for Secure Communication (navtitle][/map/topicref/topicmeta/linktext {"- map/linktext "}) Using SSL for Secure Communication (linktext][/map/topicref/topicmeta/shortdesc {"- map/shortdesc "}) SSL can be used to secure communications among Studio, the Provisioning Service, and Endeca Server. (shortdesc] (topicmeta][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) How SSL is used for communication within Oracle Endeca Information Discovery (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) How SSL is used for communication within Oracle Endeca Information Discovery (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) The SSL protocol helps protect the privacy and integrity of data while it is transferred across a network. In Studio, network communication occurs at multiple points. In addition to the connections with the application user’s browser and with the LDAP server, there are other connections between Oracle Endeca components. 
(shortdesc] (topicmeta] (topicref][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Configuring SSL on the Studio application server (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Configuring SSL on the Studio application server (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) For increased security, Oracle recommends that you configure the Studio application server to use SSL. (shortdesc] (topicmeta] (topicref][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Implementing SSL communication from the Provisioning Service (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Implementing SSL communication from the Provisioning Service (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) For the Provisioning Service (see the Studio Installation Guide), most of the configuration is handled by the domain template. (shortdesc] (topicmeta] (topicref][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Connecting Studio to an SSL-enabled Provisioning Service (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Connecting Studio to an SSL-enabled Provisioning Service (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) When you configure the connection from Studio to the Provisioning Service, you must also configure the SSL communication. 
(shortdesc] (topicmeta] (topicref][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Connecting a Studio Endeca Server connection to a secured Endeca Server (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Connecting a Studio Endeca Server connection to a secured Endeca Server (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) When you install Endeca Server, the default option is to use SSL to secure it. To connect to a secured Endeca Server, you copy the Endeca Server certificate files to Studio. When configuring an Endeca Server connection in Studio, you include the certificate file names and passwords. (shortdesc] (topicmeta] (topicref] (topicref][/map/topicref {"- map/topicref "}) [/map/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicmeta/navtitle {"- topic/navtitle "}) Preventing Studio from Being Displayed in an iFrame (navtitle][/map/topicref/topicmeta/linktext {"- map/linktext "}) Preventing Studio from Being Displayed in an iFrame (linktext][/map/topicref/topicmeta/shortdesc {"- map/shortdesc "}) Allowing Studio to be displayed in an iFrame raises the risk of "clickjacking", where an end user thinks they are clicking a legitimate link, but are actually performing an action set up by an attacker. (shortdesc] (topicmeta] (topicref][/map/topicref {"- map/topicref "}) [/map/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicmeta/navtitle {"- topic/navtitle "}) Controlling User Access to Studio (navtitle][/map/topicref/topicmeta/linktext {"- map/linktext "}) Controlling User Access to Studio (linktext][/map/topicref/topicmeta/shortdesc {"- map/shortdesc "}) One aspect of securing Studio is controlling who can log in to Studio and the functions they have access to within Studio. 
(shortdesc] (topicmeta][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Using LDAP to manage Studio users (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Using LDAP to manage Studio users (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) In any application that protects secure information, a key requirement is to clearly identify those users who should be granted access. In Studio, one way to do this is to use your existing LDAP system. (shortdesc] (topicmeta] (topicref][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Limiting the number of Studio administrators (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Limiting the number of Studio administrators (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) In Studio, users with the Administrator user role have unlimited access to all Studio functions and applications. To reduce the possibility of unwanted changes to your Studio configuration and applications, we recommend limiting the number of users who have the Administrator role. (shortdesc] (topicmeta] (topicref] (topicref][/map/topicref {"- map/topicref "}) [/map/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicmeta/navtitle {"- topic/navtitle "}) Controlling Access to Studio Applications and Data (navtitle][/map/topicref/topicmeta/linktext {"- map/linktext "}) Controlling Access to Studio Applications and Data (linktext][/map/topicref/topicmeta/shortdesc {"- map/shortdesc "}) In addition to restricting access to Studio as a whole, you should also restrict access to the applications and application data. 
(shortdesc] (topicmeta][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Restricting the data viewed by users (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Restricting the data viewed by users (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) Studio provides filtering functions to ensure that users only see the data they should have access to. (shortdesc] (topicmeta][/map/topicref/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Using a base filter to restrict the data displayed for a data set (navtitle][/map/topicref/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Using a base filter to restrict the data displayed for a data set (linktext][/map/topicref/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) For each data set, you can create a base filter to restrict the data displayed to end users. (shortdesc] (topicmeta] (topicref][/map/topicref/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Using role-based security to control access to Studio Endeca Server connections (navtitle][/map/topicref/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Using role-based security to control access to Studio Endeca Server connections (linktext][/map/topicref/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) By default, Studio provides role-based security for Endeca Server connections. 
(shortdesc] (topicmeta] (topicref] (topicref][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Controlling access to Studio applications (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Controlling access to Studio applications (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) You can configure Studio applications to minimize the number of users who can create applications, and can view or configure each application. (shortdesc] (topicmeta][/map/topicref/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Restricting who can create applications (navtitle][/map/topicref/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Restricting who can create applications (linktext][/map/topicref/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) By default, new users are assigned the Power User role, which allows them to create Studio applications. (shortdesc] (topicmeta] (topicref][/map/topicref/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Using private applications to manage access (navtitle][/map/topicref/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Using private applications to manage access (linktext][/map/topicref/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) Studio applications can be either public or private. Public applications can be viewed by all logged-in users. Private applications can only be viewed by application members. 
(shortdesc] (topicmeta] (topicref][/map/topicref/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Restricting who can configure applications (navtitle][/map/topicref/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Restricting who can configure applications (linktext][/map/topicref/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) Studio applications can only be configured by Studio administrators and by users assigned as application administrators for that application. (shortdesc] (topicmeta] (topicref] (topicref] (topicref][/map/topicref {"- map/topicref "}) [/map/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicmeta/navtitle {"- topic/navtitle "}) Controlling Access to the Studio Databases and File Systems (navtitle][/map/topicref/topicmeta/linktext {"- map/linktext "}) Controlling Access to the Studio Databases and File Systems (linktext][/map/topicref/topicmeta/shortdesc {"- map/shortdesc "}) As part of a secure Studio configuration, you should make sure to control access to the Studio and Provisioning Service databases and file systems. (shortdesc] (topicmeta][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Restricting access to the Studio and Provisioning Service databases (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Restricting access to the Studio and Provisioning Service databases (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) The Studio database stores the Studio Endeca Server connections, applications, and configuration. The Provisioning Service also has an associated database. Access to these databases should be restricted to prevent corruption of the data. 
(shortdesc] (topicmeta] (topicref][/map/topicref/topicref {"- map/topicref "}) [/map/topicref/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicref/topicmeta/navtitle {"- topic/navtitle "}) Restricting access to the Studio and Provisioning Service file systems (navtitle][/map/topicref/topicref/topicmeta/linktext {"- map/linktext "}) Restricting access to the Studio and Provisioning Service file systems (linktext][/map/topicref/topicref/topicmeta/shortdesc {"- map/shortdesc "}) For the application server, for additional security, you should restrict access to the file system. (shortdesc] (topicmeta] (topicref] (topicref] [/map/topicref {"- map/topicref "}) [/map/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicmeta/navtitle {"- topic/navtitle "}) Conventions used in this document (navtitle][/map/topicref/topicmeta/linktext {"- map/linktext "}) Conventions used in this document (linktext][/map/topicref/topicmeta/shortdesc {"- map/shortdesc "}) The following conventions are used in this document. 
(shortdesc] (topicmeta] (topicref] [/map/topicref {"- map/topicref "}) [/map/topicref/topicmeta {"- map/topicmeta "}) [/map/topicref/topicmeta/navtitle {"- topic/navtitle "}) Copyright and disclaimer (navtitle][/map/topicref/topicmeta/linktext {"- map/linktext "}) Copyright and disclaimer (linktext] (topicmeta] (topicref] [/map/reltable {"- map/reltable "}) [/map/reltable/relheader {"- map/relheader "}) [/map/reltable/relheader/relcolspec {"- map/relcolspec "}) (relcolspec][/map/reltable/relheader/relcolspec {"- map/relcolspec "}) (relcolspec] (relheader] [/map/reltable/relrow {"- map/relrow "}) [/map/reltable/relrow/relcell {"- map/relcell "}) [/map/reltable/relrow/relcell/topicref {"- map/topicref "}) [/map/reltable/relrow/relcell/topicref/topicmeta {"- map/topicmeta "}) [/map/reltable/relrow/relcell/topicref/topicmeta/linktext {"- map/linktext "}) About this guide (linktext][/map/reltable/relrow/relcell/topicref/topicmeta/shortdesc {"- map/shortdesc "}) This guide explains how to install, configure, and use Oracle Endeca Information Discovery Studio securely. (shortdesc] (topicmeta] (topicref] (relcell][/map/reltable/relrow/relcell {"- map/relcell "}) [/map/reltable/relrow/relcell/topicref {"- map/topicref "}) [/map/reltable/relrow/relcell/topicref/topicmeta {"- map/topicmeta "}) [/map/reltable/relrow/relcell/topicref/topicmeta/navtitle {"- topic/navtitle "}) About Security in Studio (navtitle][/map/reltable/relrow/relcell/topicref/topicmeta/linktext {"- map/linktext "}) About Security in Studio (linktext][/map/reltable/relrow/relcell/topicref/topicmeta/shortdesc {"- map/shortdesc "}) Here is a high-level look at the available security features for Studio and the Provisioning Service, and sources for additional information. 
(shortdesc] (topicmeta] (topicref] [/map/reltable/relrow/relcell/topicref {"- map/topicref "}) [/map/reltable/relrow/relcell/topicref/topicmeta {"- map/topicmeta "}) [/map/reltable/relrow/relcell/topicref/topicmeta/navtitle {"- topic/navtitle "}) Using SSL for Secure Communication (navtitle][/map/reltable/relrow/relcell/topicref/topicmeta/linktext {"- map/linktext "}) Using SSL for Secure Communication (linktext][/map/reltable/relrow/relcell/topicref/topicmeta/shortdesc {"- map/shortdesc "}) SSL can be used to secure communications among Studio, the Provisioning Service, and Endeca Server. (shortdesc] (topicmeta] (topicref] [/map/reltable/relrow/relcell/topicref {"- map/topicref "}) [/map/reltable/relrow/relcell/topicref/topicmeta {"- map/topicmeta "}) [/map/reltable/relrow/relcell/topicref/topicmeta/navtitle {"- topic/navtitle "}) Preventing Studio from Being Displayed in an iFrame (navtitle][/map/reltable/relrow/relcell/topicref/topicmeta/linktext {"- map/linktext "}) Preventing Studio from Being Displayed in an iFrame (linktext][/map/reltable/relrow/relcell/topicref/topicmeta/shortdesc {"- map/shortdesc "}) Allowing Studio to be displayed in an iFrame raises the risk of "clickjacking", where an end user thinks they are clicking a legitimate link, but are actually performing an action set up by an attacker. (shortdesc] (topicmeta] (topicref] [/map/reltable/relrow/relcell/topicref {"- map/topicref "}) [/map/reltable/relrow/relcell/topicref/topicmeta {"- map/topicmeta "}) [/map/reltable/relrow/relcell/topicref/topicmeta/navtitle {"- topic/navtitle "}) Controlling User Access to Studio (navtitle][/map/reltable/relrow/relcell/topicref/topicmeta/linktext {"- map/linktext "}) Controlling User Access to Studio (linktext][/map/reltable/relrow/relcell/topicref/topicmeta/shortdesc {"- map/shortdesc "}) One aspect of securing Studio is controlling who can log in to Studio and the functions they have access to within Studio. 
(shortdesc] (topicmeta] (topicref] [/map/reltable/relrow/relcell/topicref {"- map/topicref "}) [/map/reltable/relrow/relcell/topicref/topicmeta {"- map/topicmeta "}) [/map/reltable/relrow/relcell/topicref/topicmeta/navtitle {"- topic/navtitle "}) Controlling Access to Studio Applications and Data (navtitle][/map/reltable/relrow/relcell/topicref/topicmeta/linktext {"- map/linktext "}) Controlling Access to Studio Applications and Data (linktext][/map/reltable/relrow/relcell/topicref/topicmeta/shortdesc {"- map/shortdesc "}) In addition to restricting access to Studio as a whole, you should also restrict access to the applications and application data. (shortdesc] (topicmeta] (topicref] [/map/reltable/relrow/relcell/topicref {"- map/topicref "}) [/map/reltable/relrow/relcell/topicref/topicmeta {"- map/topicmeta "}) [/map/reltable/relrow/relcell/topicref/topicmeta/navtitle {"- topic/navtitle "}) Controlling Access to the Studio Databases and File Systems (navtitle][/map/reltable/relrow/relcell/topicref/topicmeta/linktext {"- map/linktext "}) Controlling Access to the Studio Databases and File Systems (linktext][/map/reltable/relrow/relcell/topicref/topicmeta/shortdesc {"- map/shortdesc "}) As part of a secure Studio configuration, you should make sure to control access to the Studio and Provisioning Service databases and file systems. (shortdesc] (topicmeta] (topicref] (relcell] (relrow] (reltable] (map]