2.5 Managing Instance Settings

Note:

Functionality in the Administration Services application is not available in Oracle Database Cloud Service (Database Schema).

This section describes how to configure feature availability, security, instance settings, and workspace purge settings.

2.5.1 Configuring Features

This section describes how to use the Feature Configuration page to configure your application development environment, SQL Workshop functionality, and database monitoring.

2.5.1.1 Disabling PL/SQL Program Unit Editing

By default, developers can change and compile PL/SQL source code when browsing database procedures, packages, and functions in Object Browser. As an Instance administrator, you can control if PL/SQL program unit editing is available on an Oracle Application Express instance.

To disable PL/SQL program unit editing:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Locate the Application Development section.

  5. For Allow PL/SQL Program Unit Editing, select No.

  6. Click Apply Changes.

2.5.1.2 Enabling or Disabling the Creation of Demonstration Objects

When an Instance administrator creates a new workspace, Oracle Application Express automatically creates demonstration objects for sample applications.

To disable or enable the creation of demonstration objects:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Locate the Application Development section.

  5. For Create demonstration objects in new workspaces, select No.

  6. Click Apply Changes.

2.5.1.3 Disabling the Creation of Sample Websheet Objects

When an Instance administrator creates a new workspace, Oracle Application Express automatically creates sample objects for sample Websheets.

To disable the creation of sample Websheet objects:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Locate the Application Development section.

  5. For Create Websheet objects in new workspaces, select No.

  6. Click Apply Changes.

2.5.1.4 Enabling and Disabling SQL Access in Websheets

An Instance administrator can control the ability to use the SQL tag and the ability to create SQL reports in Application Express Websheets. When disabled, all Websheet applications in all workspaces in the instance are prevented from using the SQL tag or creating SQL reports.

To control SQL access in Websheets:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Locate the Application Development section.

  5. For Enable SQL Access in Websheets, select Yes or No.

  6. Click Apply Changes.

2.5.1.5 Configuring Packaged Application Installation Options

When installing a packaged application, Instance administrators can enable support for the following authentication schemes.

See Also:

"Utilizing Packaged Applications" in Oracle Application Express Application Builder User's Guide

To configure packaged application installation options:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Under Packaged Application Install Options, select Yes to enable support for the following authentication schemes when installing new packaged applications:

    • Allow HTTP Header Variable authentication

    • Allow LDAP Directory authentication

    • Allow Oracle Application Server Single Sign-On authentication.

  5. Click Apply Changes.

2.5.1.6 Configuring SQL Workshop

As an Instance administrator, you can use the attributes under SQL Workshop to configure basic SQL Workshop behavior.

To configure SQL Workshop:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Under SQL Workshop, enter the attributes described in Table 2-1.

    Table 2-1 SQL Workshop Attributes

    • SQL Commands Maximum Inactivity in minutes - Identify the maximum amount of time a transactional command in the SQL Command Processor waits before timing out.

    • SQL Scripts Maximum Script Output Size in bytes - Identify the maximum amount of output a single SQL script can generate. SQL scripts are run from the SQL Workshop.

    • SQL Scripts Maximum Workspace Output Size in bytes - Identify the maximum amount of space all scripts within a workspace may consume. SQL script results are the output generated when running SQL scripts from the Script Editor or from the SQL Scripts home page.

    • SQL Scripts Maximum Script Size in bytes - Identify the maximum size of a SQL script used within the SQL Workshop.

    • Enable Transactional SQL Commands - Select Yes to enable transactional SQL commands for the entire Oracle Application Express instance. Enabling this feature permits SQL Command Processor users to issue multiple SQL commands within the same physical database transaction.

      When you select Yes, an Autocommit check box appears on the SQL Command Processor page. By default, this option is set to No.


  5. Click Apply Changes.

2.5.1.7 Enabling Database Monitoring

Setting Enable Database Monitoring to Yes enables monitoring within SQL Workshop. Before you can access the Database Monitoring page, an Instance administrator must enable database monitoring.

See Also:

"Monitoring the Database" in Oracle Application Express SQL Workshop Guide

To enable database monitoring:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Scroll down to Monitoring.

  5. For Enable Database Monitoring, select Yes.

  6. Click Apply Changes.

Note:

Only users having a database user account that has been granted a DBA role can access the Database Monitor page.

2.5.1.8 Enabling Application Activity Logging

Application Activity Logging controls how application activity is logged for all applications on this instance.

To configure application activity logging:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Scroll down to Monitoring.

  5. For Application Activity Logging, select one of the following:

    • Use Application Settings (default) - Use the Logging attribute of each application to determine if activity is logged.

    • Never - Disable activity logging for all applications in the instance.

    • Always - Enable activity logging for all applications in the instance.

    • Initially Disabled for New Applications and Packaged Applications - New applications and packaged applications will initially have activity logging disabled.

  6. Click Apply Changes.

2.5.1.9 Enabling Application Tracing

Instance administrators can control whether developers or users can generate database trace files simply by specifying &p_trace=YES on the URL when displaying a page. The ability to generate a trace file is already controlled if the application has Debug enabled.

To control application tracing at the instance-level:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Scroll down to Monitoring.

  5. From Enable Application Tracing, select:

    • Yes - Any application which has Debug enabled can also generate a server-side database trace file for a page using &p_trace=YES on the URL. To learn more, see "Enabling SQL Tracing and Using TKPROF" in Oracle Application Express Application Builder User's Guide.

    • No - Tracing cannot be enabled for any application on the instance. If someone attempts to run an application with &p_trace=YES in the URL, the page renders but the request to generate the SQL trace file is silently ignored.

  6. Click Apply Changes.

See Also:

"Available Parameter Values" in Oracle Application Express API Reference to learn about the TRACING_ENABLED parameter

2.5.1.10 Enabling Service Requests

Enable Service Requests controls the ability for workspace administrators to make service requests from Workspace Administration. Service Requests include the ability to request a new schema, request storage, or request termination of their workspace.

To enable service requests:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Scroll down to Workspace Administration.

  5. For Enable Service Requests, select Yes.

  6. Click Apply Changes.

2.5.1.11 Enabling Instance-level Support for File Upload in Team Development

To enable support for file upload in Team Development for an instance:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Feature Configuration.

  4. Under Team Development:

    1. Enable Team Development's File Repository - Specify whether to enable file upload in Team Development:

      • Yes - Select Yes for all new workspaces created in this instance to allow files to be uploaded into the Team Development file repository. Select No for all new workspaces created in this instance to not allow files to be uploaded into the Team Development file repository.

      • No - Select No to disable support for file attachments in Team Development.

      Tip:

      These settings do not affect existing workspaces.
    2. Maximum File Size (in MB) - Select the maximum file size for any file uploaded into the team development file repository. The default value is 15 MB.

  5. Click Apply Changes.

2.5.2 Configuring Security

This section describes how to configure instance security, including configuring login controls, controlling file upload capability, restricting access by IP address, requiring HTTPS, setting session timeout restrictions, and defining password policies.

2.5.2.1 Configuring Service-level Security Settings

This section describes how to configure service-level security settings:

2.5.2.1.1 Turning Off Cookies Used to Populate the Login Form

Instance administrators can control if a convenience cookie is sent to a user's computer whenever a developer or administrator logs in to a workspace from the Application Express Login page.

If Set Workspace Cookie option is set to Yes, Oracle Application Express sends a persistent cookie that:

  • Combines the last used workspace name and user name

  • Has a lifetime of six months

  • Is read to populate the Application Express Workspace Login form (but not the Oracle Application Express Administration Services Login form)

To turn off cookies used to populate the login form:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the Security section.

  5. For Set Workspace Cookie, select No.

  6. Click Apply Changes.

Note:

If your computer has received this cookie, you can physically remove it from its persistent location on disk using browser tools or system utilities. The cookie is named ORA_WWV_REMEMBER_UN. In older releases of Oracle Application Express, this cookie was named ORACLE_PLATFORM_REMEMBER_UN. It may exist for each Oracle Application Express service accessed having distinct hostname and path components.

2.5.2.1.2 Disabling Access to Oracle Application Express Administration Services

Instance administrators can prevent a user from logging in to Oracle Application Express Administration Services. Disabling administrator login in production environments prevents unauthorized users from accessing Application Express Administration Services and possibly compromising other user login credentials.

To disable user access to Oracle Application Express Administration Services:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the Security section.

  5. For Disable Administrator Login, select Yes.

    Selecting Yes and signing out prevents anyone from accessing Oracle Application Express Administration Services.

  6. Click Apply Changes.

2.5.2.1.3 Enabling Access to Oracle Application Express Administration Services

To enable user access to Oracle Application Express Administration Services if it has been disabled:

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS, for example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Run the following statement:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Run the following statements:

    BEGIN
      APEX_INSTANCE_ADMIN.SET_PARAMETER('DISABLE_ADMIN_LOGIN', 'N');
      commit;
    END;
    /
    

2.5.2.1.4 Disabling Workspace Login Access

Developers and Workspace administrators sign in to the Oracle Application Express development environment to access the Application Builder, SQL Workshop, Team Development, and Administration.

To restrict access to these applications, select Yes from Disable Workspace Login. This option effectively sets a Runtime-Only environment while still allowing Instance administrators to sign in to Instance Administration. Selecting Yes in production environments prevents developers from changing applications or data.

To disable user access to the Internal workspace:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the Security section.

  5. From Disable Workspace Login, select Yes.

    Selecting Yes prevents users from accessing the Internal workspace.

  6. Click Apply Changes.

2.5.2.1.5 Controlling Public File Upload

Use the Allow Public File Upload attribute to control whether unauthenticated users can upload files in applications that provide file upload controls.

To control file upload:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the Security section.

  5. From Allow Public File Upload, select one of the following:

    • Yes - Enables unauthenticated users to upload files in applications in the Internal workspace.

    • No - Prevents unauthenticated users from uploading files in applications in the Internal workspace.

  6. Click Apply Changes.

2.5.2.1.6 Restricting User Access by IP Address

Instance administrators can restrict user access to an Oracle Application Express instance by specifying a comma-delimited list of allowable IP addresses.

To restrict user access by IP address:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the Security section.

  5. For Disable Administrator Login, select No.

  6. In Restrict Access by IP Address, enter a comma-delimited list of allowable IP addresses. Use an asterisk (*) to specify a wildcard.

    You can enter IP addresses from one to four levels. For example:

    141, 141.* ...
    192.128.23.1 ...
    

    Note:

    When using wildcards, do not include additional numeric values after wildcard characters. For example, 138.*.41.2 is not a valid entry.
  7. Click Apply Changes.
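
The entry rules above can be checked before the value is applied. The following Python sketch is an added example, not Oracle code: it validates a Restrict Access by IP Address value and reports whether a client address would be admitted. It assumes that an entry matches when its numeric levels are a prefix of the address and that an empty field means no restriction; the page states neither.

```python
import re

# Rules taken from the text above: comma-delimited entries, one to four
# levels, "*" as the wildcard, and no numeric value after a wildcard.
_LEVEL = re.compile(r"[0-9]{1,3}")


def parse_entry(entry):
    """Validate one list entry and return its levels, e.g. ['141', '*']."""
    text = entry.strip()
    if not text:
        raise ValueError("empty entry (stray comma?)")
    levels = text.split(".")
    if len(levels) > 4:
        raise ValueError("more than four levels")
    wildcard_seen = False
    for level in levels:
        if level == "*":
            wildcard_seen = True
        elif wildcard_seen:
            raise ValueError("value %r follows a wildcard" % level)
        elif not _LEVEL.fullmatch(level) or int(level) > 255:
            raise ValueError("level %r is not a number from 0 to 255" % level)
    return levels


def check_list(value):
    """Split the field value and return (valid_entries, errors)."""
    valid, errors = [], []
    if not value.strip():
        return valid, errors          # empty field: nothing to validate
    for raw in value.split(","):
        try:
            valid.append(parse_entry(raw))
        except ValueError as exc:
            errors.append("%r: %s" % (raw.strip(), exc))
    return valid, errors


def is_allowed(ip, value):
    """Would this dotted-quad address pass the list?

    Assumption (not stated on the page): an entry matches when its numeric
    levels are a prefix of the address, and an empty field allows everyone.
    """
    if not value.strip():
        return True
    octets = [int(part) for part in ip.split(".")]
    valid, _ = check_list(value)
    for levels in valid:
        # Wildcards can only trail, so the numeric levels form the prefix.
        prefix = [int(level) for level in levels if level != "*"]
        if octets[:len(prefix)] == prefix:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values; 138.*.41.2 is the invalid form from the note.
    proposed = "141.*, 192.128.23.1, 138.*.41.2"
    admin_ip = "10.20.30.40"          # hypothetical administrator workstation
    _, problems = check_list(proposed)
    for problem in problems:
        print("invalid entry", problem)
    if not is_allowed(admin_ip, proposed):
        print("warning: %s would be locked out by this list" % admin_ip)
```

Running the check with the administrator's own address before clicking Apply Changes shows whether the new list would shut out the session that is setting it.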

2.5.2.1.7 Configuring a Proxy Server for an Instance

You can configure an entire Oracle Application Express instance to use a proxy for all outbound HTTP traffic. Setting a proxy at the instance-level supersedes any proxies defined at the application-level or in web service references. If a proxy is specified, regions of type URL, Web services, and report printing will use the proxy.

To configure a proxy for an Oracle Application Express instance:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the Security section.

  5. In Instance Proxy, enter the address of the proxy to be used for the entire instance.

  6. Click Apply Changes.

2.5.2.1.8 Selecting a Checksum Hash Function

The Checksum Hash Function attribute enables you to react to recent developments and switch between algorithms based on new research. Use the Checksum Hash Function attribute to select a hash function that Oracle Application Express uses to generate one way hash strings for checksums. This attribute is also the default value for the Security Bookmark Hash Function attribute in new applications. Applications use the Bookmark Hash Function when defining bookmark URLs.

Tip:

Changing the Checksum Hash Function does not change the Bookmark Hash Function currently defined for existing applications because this would invalidate all existing bookmarks saved by end users. Oracle strongly recommends going into existing applications, expiring existing bookmarks, and then updating the Bookmark Hash Function to the same value defined for Checksum Hash Function.

To select a checksum hash function:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the Security section.

  5. From Checksum Hash Function, select a hash function that Application Express uses to generate one way hash strings for checksums.

    The SHA-2 algorithms are only supported on Oracle Database 12c or later. Most Secure automatically selects the most secure algorithm available. Therefore, Oracle recommends this setting. On Oracle Database 12c or later, this evaluates to SHA-2, 512 bit and on Oracle Database 11g, SHA-1 is the most secure algorithm. Since the MD5 algorithm is deprecated, Oracle does not recommend this setting.

  6. Click Apply Changes.

2.5.2.1.9 Configuring Rejoin Sessions for an Instance

By configuring the Rejoin Sessions attribute, Instance administrators can control if Oracle Application Express supports URLs that contain session IDs. When rejoin sessions is enabled, Oracle Application Express attempts to use the session cookie to join an existing session, when a URL does not contain a session ID.

Warning:

For security reasons, Oracle recommends that administrators disable support for session joining unless they implement workspace isolation by configuring the Allow Hostname attributes. See "Isolating a Workspace to Prevent Browser Attacks" and "Isolating All Workspaces in an Instance."

Note:

Enabling rejoin sessions may expose your application to possible security breaches, as it can enable attackers to take over existing end user sessions. To learn more, see "About Rejoin Sessions" in Oracle Application Express Application Builder User's Guide.

To configure Rejoin Sessions:

  1. Sign in to Oracle Application Express Administration Services. See "Configuring Rejoin Sessions for an Instance."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the Security section.

  5. From Rejoin Sessions, select an option:

    • Disabled - If the URL does not contain a session ID, Oracle Application Express creates a new session.

    • Enabled for Public Sessions - If the URL goes to a public page and does not contain a session ID, Oracle Application Express attempts to use the existing session cookie established for that application. Oracle Application Express only joins using the cookie when the session is not yet authenticated.

    • Enabled for All Sessions - If the URL does not contain a session ID, Oracle Application Express attempts to use the existing session cookie established for that application, provided one of the following conditions is met:

      • Session State Protection is enabled for the application and the URL includes a valid checksum. For public bookmarks, the most restrictive item level protection must be either Unrestricted or Checksum Required - Application Level.

      • The URL does not contain payload (a request parameter, clear cache or data value pairs). This setting requires that Embed In Frames is set to Allow from same origin or to Deny for the application.

      Enabled for Public Sessions requires that Embed in Frames is set to Allow from same origin or Deny. This is not tied to a condition about the URL payload, but also applies to session state protected URLs.

  6. Click Apply Changes.

See Also:

"Browser Security," "Configuring Rejoin Sessions in Component View," "Configuring Rejoin Sessions in Page Designer," and "About Rejoin Sessions" in Oracle Application Express Application Builder User's Guide

2.5.2.1.10 Configuring Unhandled Errors

Use this attribute to control how Oracle Application Express displays the results of unhandled errors. When Oracle Application Express encounters an unhandled error during processing, an error page displays to the end user of the application. From a security standpoint, it is often better to not display these messages and error codes to the end user and simply return an HTTP 400 (Bad Request) error code to the client browser.

To configure Unhandled Errors:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the Security section.

  5. From Unhandled Errors, select an option:

    • Show Error Page - This is the default behavior. For any error or exception which is not handled by the error processing of an application, an error page displays to the end user with the specific error and the error code.

    • Return HTTP 400 - Returns an HTTP 400 status to the end user's client browser when the Application Express engine encounters an unhandled error.

  6. Click Apply Changes.

2.5.2.2 Configuring HTTP Protocol Attributes

You can configure both your Oracle Application Express instance and all related applications to require HTTPS by configuring the Require HTTPS and Require Outbound HTTPS attributes.

Note:

Require HTTPS makes Oracle Application Express unreachable by the HTTP protocol. Before enabling this setting, ensure that the HTTPS protocol is enabled and configured correctly on your server.

2.5.2.2.1 About SSL

Secure Sockets Layer (SSL) is a protocol for managing the security of data transmitted on the Internet. For web applications, SSL is implemented by using the HTTPS protocol. Oracle recommends running Oracle Application Express applications using SSL (HTTPS protocol) to prevent any sensitive data from being sent over an unencrypted (cleartext) communication channel.

2.5.2.2.2 Requiring HTTPS

To require HTTPS in Oracle Application Express:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate HTTP Protocol and configure the following:

    1. Require HTTPS. Options include:

      • Always - Enforces HTTPS for all applications (including the Oracle Application Express development and administration applications).

        If set to Always, the Strict-Transport-Security Max Age attribute displays. Use this field to specify the time period in seconds during which the browser shall access the server with HTTPS only. To learn more, see field-level Help.

      • Development and Administration - Forces all internal applications within Oracle Application Express (that is, Application Builder, SQL Workshop, Instance Administration and so on) to require HTTPS.

      • Application specific - Makes HTTPS dependent on application-level settings.

    2. Require Outbound HTTPS - Select Yes to require all outbound traffic from an Application Express instance to use the HTTPS protocol.

    3. HTTP Response Headers - Enter additional HTTP response headers that Oracle Application Express should send on each request for all applications. Developers can specify additional headers at application-level. Each header has to start on a new line. Note that support for various headers differs between browsers. To learn more, see field-level Help.

  5. Click Apply Changes.

Note:

If you set Require HTTPS to Yes, you are only able to sign in to an Oracle Application Express workspace or Oracle Application Express Administration Services over HTTPS.

2.5.2.2.3 Reversing Require HTTPS

To reverse Require HTTPS:

  1. Connect in SQL*Plus or SQL Developer with the Application Express engine schema as the current schema, for example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Run the following statement:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Run the following statements:

    BEGIN
        APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_HTTPS', 'N');
        commit;
    end;
    /
    

2.5.2.2.4 Reversing Require Outbound HTTPS

To reverse Require Outbound HTTPS:

  1. Connect in SQL*Plus or SQL Developer with the Application Express engine schema as the current schema, for example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Run the following statement:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Run the following statements:

    BEGIN
        APEX_INSTANCE_ADMIN.SET_PARAMETER('REQUIRE_OUT_HTTPS', 'N');
        commit;
    end;
    /
    

2.5.2.2.5 Configuring Additional Response Headers

To configure additional response headers:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate HTTP Protocol.

  5. In HTTP Response Headers, enter additional HTTP response headers that Oracle Application Express should send on each request for all applications. Developers can specify additional headers at application-level. Each header has to start on a new line. Note that support for various headers differs between browsers.

    To learn more, see field-level Help.

  6. Click Apply Changes.
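
After Require HTTPS and HTTP Response Headers are applied, the result can be confirmed against a captured response. The following Python sketch is an added example, not Oracle code: it parses a field value with one header per line, then checks a response head for those headers and for the Strict-Transport-Security max-age entered when Require HTTPS is Always. The field value and the response are constructed samples.

```python
import re

# RFC 7230 "token" characters allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Constructed sample of what an administrator might enter in the field.
SAMPLE_FIELD = "X-Content-Type-Options: nosniff\nReferrer-Policy: same-origin\n"

# Constructed sample of a captured response head.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Strict-Transport-Security: max-age=31536000",
    "X-Content-Type-Options: nosniff",
    "",
    "",
])


def parse_header_field(field_text):
    """Parse the field value: each header has to start on a new line."""
    headers, problems = [], []
    for number, line in enumerate(field_text.splitlines(), start=1):
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        # A missing colon or a name with spaces (for example an indented
        # line) is not a header that starts on its own line.
        if not sep or not _TOKEN.match(name):
            problems.append("line %d: not a 'Name: value' header" % number)
            continue
        headers.append((name, value.strip()))
    return headers, problems


def parse_response_headers(raw):
    """Map lower-case header names to the list of values in a response head."""
    seen = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the head
        name, _, value = line.partition(":")
        seen.setdefault(name.strip().lower(), []).append(value.strip())
    return seen


def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value."""
    match = re.search(r'(?i)\bmax-age\s*=\s*"?(\d+)', value)
    return int(match.group(1)) if match else None


def verify(raw_response, field_text, required_max_age=None):
    """Return findings; an empty list means the response matches the settings."""
    expected, findings = parse_header_field(field_text)
    seen = parse_response_headers(raw_response)
    for name, value in expected:
        if value not in seen.get(name.lower(), []):
            findings.append("%s: not sent as configured" % name)
    if required_max_age is not None:
        values = seen.get("strict-transport-security", [])
        age = hsts_max_age(values[0]) if values else None
        if age != required_max_age:
            findings.append("Strict-Transport-Security: max-age is %r, expected %d"
                            % (age, required_max_age))
    return findings


if __name__ == "__main__":
    for finding in verify(SAMPLE_RESPONSE, SAMPLE_FIELD, 31536000):
        print(finding)
```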

2.5.2.3 Controlling RESTful Services for an Instance

Use the Allow RESTful Access attribute to control whether developers can expose report regions as RESTful services. You can enable RESTful services for a specific workspace or for an entire development instance.

To configure RESTful access for an instance:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate the RESTful Access section.

  5. From Allow RESTful Access, select one of the following:

    • Yes - Enables developers to expose report regions as RESTful services.

    • No - Prevents developers from exposing report regions as RESTful services.

  6. Click Apply Changes.

2.5.2.4 Enabling Real Application Security

If you are running Oracle Database 12c Release 1 (12.1.0.2) or later, you can enable Oracle Real Application Security. Oracle Real Application Security (RAS) is a database authorization framework that enables application developers and administrators to define, provision, and enforce application-level security policies at the database layer.

To enable Real Application Security:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Locate Real Application Security.

  5. For Allow Real Application Security, select one of the following:

    • Yes - Enables Oracle Database Real Application Security support for applications. If Real Application Security is configured in an application's authentication scheme, Oracle Application Express creates a Real Application Security session for a new Oracle Application Express session and automatically attaches to it.

    • No - Disables Oracle Database Real Application Security.

  6. Click Apply Changes.

2.5.2.5 Configuring Session Timeout

Use the attributes under Session Timeout to reduce exposure at the application level for abandoned computers with an open web browser.

To configure session timeout for an instance:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Under Session Timeout For Application Express, specify the following attributes:

    • Maximum Session Length in Seconds - Enter a positive integer to control how many seconds an application session is allowed to exist. This setting is superseded by the application-level setting. Leave the value null to revert to the default value of 8 hours (28800 seconds). Enter 0 to have the session exist indefinitely. This session duration may be superseded by the operation of the job that runs every hour which deletes sessions older than 12 hours.

    • Maximum Session Idle Time in Seconds - Enter a positive integer to control how many seconds a session may remain idle for Oracle Application Express applications. This setting is superseded by the application-level setting. Leave the value null to revert to the default value of 1 hour (3600 seconds). Set to 0 to prevent session idle time checks from being performed.

  5. Click Apply Changes.
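
The two timeouts, their null and 0 values, and the hourly purge job interact, so a session's real lifetime is not always the number entered. The following Python sketch is an added example, not Oracle code: it computes which limit ends a session first. The dictionary keys are hypothetical names for the two fields, and it assumes that a null application-level value falls back to the instance value and that the purge job can act once a session is 12 hours old.

```python
DEFAULT_MAX_LENGTH = 28800   # 8 hours, used when the field is left null
DEFAULT_MAX_IDLE = 3600      # 1 hour, used when the field is left null
PURGE_AGE = 12 * 3600        # hourly job deletes sessions older than 12 hours


def effective(instance_value, app_value, default):
    """Resolve one setting: application level supersedes instance level.

    None stands for a null field. Assumption: a null application value
    falls back to the instance value, and a null instance value to the
    documented default.
    """
    for value in (app_value, instance_value):
        if value is not None:
            if value < 0:
                raise ValueError("timeouts must be 0 or a positive integer")
            return value
    return default


def session_end(created, last_activity, instance, application=None):
    """Return (time, reason) for the limit that ends the session first.

    Times are seconds on any common clock. 'max_length' and 'max_idle'
    are hypothetical keys for Maximum Session Length in Seconds and
    Maximum Session Idle Time in Seconds.
    """
    application = application or {}
    max_length = effective(instance.get("max_length"),
                           application.get("max_length"), DEFAULT_MAX_LENGTH)
    max_idle = effective(instance.get("max_idle"),
                         application.get("max_idle"), DEFAULT_MAX_IDLE)

    # The purge job always applies; because it runs hourly, the 12 hour
    # mark is the earliest point at which it can remove the session.
    limits = [(created + PURGE_AGE, "purge job")]
    if max_length != 0:          # 0 = session may exist indefinitely
        limits.append((created + max_length, "maximum session length"))
    if max_idle != 0:            # 0 = no idle time checks
        limits.append((last_activity + max_idle, "maximum idle time"))
    return min(limits)


if __name__ == "__main__":
    # Constructed case: both instance fields set to 0, user still active
    # 11 hours after sign-in. The purge job is what ends the session.
    print(session_end(0, 11 * 3600, {"max_length": 0, "max_idle": 0}))
```

Setting both fields to 0 therefore does not give an unbounded session, which matters when reviewing how long an abandoned browser stays signed in.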

2.5.2.6 Isolating All Workspaces in an Instance

This section describes how Instance administrators can isolate a workspace and prevent browser attacks.

2.5.2.6.1 About Isolating Workspaces to Prevent Browser Attacks

Isolating workspaces is an effective approach to preventing browser attacks. The only way to truly isolate a workspace is to enforce different domains in the URL by configuring the Allow Hostnames attribute. When the URLs of the attacker and the victim have different domains and hostnames, the browser's same-origin policy prevents attacks.

2.5.2.6.2 Configuring Instance-Level Workspace Isolation Attributes

To configure instance-level Workspace Isolation attributes:

  1. Access the Edit Workspace Information page for the workspace:

    1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

    2. Click Manage Instance.

    3. Under Instance Settings, click Security.

  2. Locate the Workspace Isolation section.

  3. Edit the appropriate attributes as described in Table 2-2.

    Tip:

    To learn more about an attribute, see field-level Help.

    Table 2-2 Workspace Isolation Attributes

    Attribute Description

    Allow Hostnames

    Enter a comma separated list of hostnames that can be used to access this instance. This attribute can be used to specify which DNS aliases of the web server can be used with applications. You can configure specific values that override this one at workspace level. If you enter one or more hostnames, the incoming HTTP request URL's hostname part must match one of the listed hostnames.

    Resource Consumer Group

    Specify the Database Resource Manager consumer group to be used for all page events on the instance. You can configure specific values that override this one at the workspace-level. At the beginning of every request, the Application Express engine switches the current consumer group of the current database session to the consumer group that is defined at workspace or instance level. This applies to both executing applications and any of the applications used within the Application Express development environment.

    The privilege to switch to this consumer group must be granted to either PUBLIC or the Application Express schema. This privilege is typically granted using the procedure DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP.

    Maximum Concurrent Workspace Requests

    Enter the maximum number of concurrent page events that Oracle Application Express supports for all applications. You can configure a specific value at the workspace-level. Instead of processing a page event, Oracle Application Express shows an error message when the limit is already reached.

    Oracle Application Express keeps track of workspace requests by querying the CLIENT_INFO column of GV$SESSION. This tracking will not work if developers overwrite CLIENT_INFO, for example, with a call to DBMS_APPLICATION_INFO.SET_CLIENT_INFO.

    Maximum Concurrent Session Requests

    Enter the maximum number of concurrent page events that Oracle Application Express supports for each session for applications in this instance. You can configure a specific value at the workspace-level. Instead of processing a new page event, Oracle Application Express shows an error message when the limit is already reached. Alternatively, you can use the Concurrent Session Requests Kill Timeout attribute to kill an active database session, to process the new page event.

    Oracle Application Express keeps track of session requests by querying the CLIENT_IDENTIFIER column of GV$SESSION. This tracking will not work if developers overwrite CLIENT_IDENTIFIER, for example, with a call to DBMS_SESSION.SET_IDENTIFIER.

    Concurrent Session Requests Kill Timeout

    If a new page event comes in that is outside the limits of Maximum Concurrent Session Requests, Oracle Application Express can execute alter system kill session on the oldest active database session which processes another page event for this Application Express session. The Concurrent Session Requests Kill Timeout attribute specifies the number of seconds a database process has to be active, before it can be killed. If you leave this attribute empty, Application Express will not kill any database sessions.

    Warning: Killing sessions can cause problems with the application server's database session pool.

    Maximum Size of Files in Workspace

    Enter the total size (in bytes) of all files that can be uploaded to a workspace. You can configure a specific value at the workspace-level.


  4. Click Apply Changes.

2.5.2.7 Defining Excluded Domains for Regions and Web Services

An Instance administrator can define a list of restricted domains for regions of type URL and Web services. If a Web service or region of type URL contains an excluded domain, an error displays informing the user that it is restricted.

To define a list of excluded domains for regions of type URL and Web services:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Under Domain Must Not Contain, enter a colon-delimited list of excluded domains, for example:

    mycompany.com:yourcompany.com:abccompany.com
    
  5. Click Apply Changes.

2.5.2.8 Configuring Authentication Controls

This section describes how instance administrators can configure authentication controls for an entire Oracle Application Express instance.

2.5.2.8.1 About Authentication Controls

Administrators can configure authentication controls for an entire instance or for each individual workspace. For example, if an instance administrator configures authentication controls in Oracle Application Express Administration Services that configuration applies to all Application Express accounts in all workspaces across an entire development instance.

If the instance administrator does not enable authentication controls across an entire instance, then each Workspace administrator can enable the following controls on a workspace-by-workspace basis:

  • User account expiration and locking

  • A maximum number of failed login attempts for user accounts

  • Account password lifetime (or number of days an end-user account password can be used before it expires for end-user accounts)

Tip:

This feature applies only to accounts created using the Application Express user creation and management. It provides additional authentication security for applications. See "Managing Users in a Workspace."

2.5.2.8.2 Configuring Security for Developer and End User Login

To configure security settings for developer and end user login:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Under General Settings, configure the following attributes:

    1. Delay after failed login attempts in Seconds - Enter a positive integer value for the delay in seconds between login attempts. Enter 0 to disable the countdown and enable immediate access. If the delay is greater than 0, Oracle Application Express always displays the countdown, even on the first login failure.

    2. Method for computing the Delay - Select a method for computing the delay for failed logins. The computation methods are based on recent data in the Login Access Log. See item help for further details.

    3. Inbound Proxy Servers - Enter a comma-separated list of IP addresses for well known proxy servers, through which requests come in. Oracle Application Express uses this list to compute the actual client address from the HTTP Headers X-Forwarded-For and REMOTE_ADDR.

    4. Single Sign-On Logout URL - Enter the URL Application Express redirects to trigger a logout from the Single Sign-On server. Application Express automatically appends ?p_done_url=...login url....

  5. Click Apply Changes.

2.5.2.8.3 Configuring Security Settings for Workspace Administrator and Developer Accounts

To configure security controls for workspace administrator and developer accounts:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Under Development Environment Settings, configure the following attributes:

    1. Username Validation Expression - Enter a regular expression to validate the usernames of developers and administrators. Enter * to bypass the validation. The following example validates that the username is an email address:

      ^[[:alnum:]._%-]+@[[:alnum:].-]+\.[[:alpha:]]{2,4}$
      
    2. Require User Account Expiration and Locking - Select Yes to enable Application Express user account expiration and locking features across all workspaces in an instance. This selection prevents the same feature from being disabled at the workspace-level.

      Select No to relinquish control to each Workspace administrator.

    3. Maximum Login Failures Allowed - Enter an integer for the maximum number of consecutive unsuccessful authentication attempts allowed before a developer or administrator account is locked. If you do not specify a value in this field, the default value is 4.

      This setting applies to administrator and developer accounts. It does not apply to end user accounts.

      The value you enter is used as the default for the workspace-level Maximum Login Failures Allowed preference if the Workspace administrator does not specify a value. That preference is used for end-user accounts within the respective workspace.

    4. Account Password Lifetime (days) - Enter a number for the maximum number of days a developer or administrator account password may be used before the account expires. If you do not specify a value in this field, the default value is 45 days.

      This setting applies to accounts used to access the Application Express administration and development environment only. It does not apply to end user accounts.

      The value you enter is used as the default workspace-level End User Account Lifetime preference, if the Workspace administrator specifies no value. That preference is used for end-user accounts within the respective workspace.

  5. Click Apply Changes.

2.5.2.8.4 Editing Development Environment Authentication Scheme

To edit development environment authentication schemes:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Scroll down to Development Environment Authentication Schemes.

  5. Click the Edit icon adjacent to the authentication scheme you wish to edit.

  6. Edit the appropriate attributes. To learn more about an attribute, see field-level Help.

  7. To save your changes, click Apply Changes. To make the selected authentication scheme current, click Make Current Scheme.

Tip:

You can also change the authentication scheme using the APEX_BUILDER_AUTHENTICATION parameter in APEX_INSTANCE_ADMIN package. See "Available Parameter Values" in Oracle Application Express API Reference.

2.5.2.9 Creating Strong Password Policies

This section describes how instance administrators can create strong password policies for an Oracle Application Express instance.

2.5.2.9.1 About Strong Password Policies

Password policies can:

  • Apply to all users (including Workspace administrators, developers, and end users) in an Oracle Application Express instance.

  • Include restrictions on characters, password length, specific words, and differences in consecutive passwords.

  • Apply to users signing in to Oracle Application Express Administration Services.

The Application Express instance administrator can select the password policy for service administrators. Options include:

  • Use policy specified in Workspace Password Policy - Applies the password rules specified in the Workspace Password Policy.

  • Use default strong password policy - Adds another layer of security to prevent hackers from determining an administrator's password. This password policy requires that service administrator passwords meet these restrictions:

    • Consist of at least six characters.

    • Contain at least one lowercase alphabetic character, one uppercase alphabetic character, one numeric digit, and one punctuation character.

    • Cannot include the username.

    • Cannot include the word Internal.

    • Cannot contain any words shown in the Must Not Contain Workspace Name field in this section.

2.5.2.9.2 Configuring Password Policies

To configure password policies:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Under Password Policy, specify the attributes described in Table 2-3.

    Table 2-3 Workspace Password Policy Attributes

    Attribute Description

    Password Hash Function

    Select a hash function that Application Express uses to generate one way hash strings for workspace user passwords. To learn more, see field-level Help.

    Minimum Password Length

    Enter a number to set a minimum character length for passwords for workspace administrator, developer, and end user accounts.

    Minimum Password Differences

    Enter a positive integer or 0.

    When users change their password, the new password must differ from the old password by this number of characters. The old and new passwords are compared, character-by-character, for differences such that each difference in any position common to the old and new passwords counts toward the required minimum difference.

    This setting applies to accounts for workspace administrators, developers, and end users.

    Must Contain At Least One Alphabetic Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one alphabetic character as specified in the Alphabetic Characters field.

    Must Contain At Least One Numeric Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one Arabic numeric character (for example, 0,1,2,3,4,5,6,7,8,9).

    Must Contain At Least One Punctuation Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one punctuation character as specified in the Punctuation Characters field.

    Must Contain At Least One Upper Case Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one uppercase alphabetic character.

    Must Contain At Least One Lower Case Character

    Select Yes to require that workspace administrator, developer, and end user account passwords contain at least one lowercase alphabetic character.

    Must Not Contain Username

    Select Yes to prevent workspace administrator, developer, and end user account passwords from containing the username.

    Must Not Contain Workspace Name

    Select Yes to prevent workspace administrator, developer, and end user account passwords from containing the workspace name, regardless of case.

    Must Not Contain

    Enter words, separated by colons, that workspace administrator, developer, and end user account passwords must not contain. These words may not appear in the password in any combination of uppercase or lowercase.

    This feature improves security by preventing the creation of simple, easy-to-guess passwords based on words like hello, guest, welcome, and so on.

    Alphabetic Characters

    Enter new or edit the existing alphabetic characters. This is the set of characters used in password validations involving alphabetic characters.

    Punctuation Characters

    Enter new or edit existing punctuation characters. This is the set of characters used in password validations involving punctuation characters.


    Next, set up a password policy for Application Express service administrators.

  5. Scroll down to the Service Administrator Password Policy and specify one of the following:

    1. Use policy specified in Workspace Password Policy - Applies the password rules specified in Workspace Password Policy to service administrator passwords.

    2. Use default strong password policy - Adds another layer of security to prevent hackers from determining an administrator's password. This password policy requires that service administrator passwords:

      • Consist of at least six characters.

      • Contain at least one lowercase alphabetic character, one uppercase alphabetic character, one numeric digit, and one punctuation character.

      • Cannot include the username.

      • Cannot include the word Internal.

      • Cannot contain any words shown in the Must Not Contain Workspace Name field in this section.

  6. Click Apply Changes.
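The positional rule behind Minimum Password Differences is easy to misread, so here is a model of it together with the Must Not Contain checks from Table 2-3. This is an added example, not Oracle's implementation: the policy values, the punctuation set, the sample passwords and all function names are constructed, and treating the username check as case-insensitive is an assumption.

```sql
-- Added example: a model of the Table 2-3 checks as the text describes them.
-- Not Oracle's implementation; every policy value below is a constructed sample.
SET SERVEROUTPUT ON
DECLARE
    c_min_length      CONSTANT PLS_INTEGER   := 8;
    c_min_differences CONSTANT PLS_INTEGER   := 3;
    c_must_not        CONSTANT VARCHAR2(200) := 'hello:guest:welcome'; -- colon-separated
    c_punctuation     CONSTANT VARCHAR2(100) := '!#$%*+,-.:;<=>?_';

    -- Count differing characters, looking only at positions that exist in
    -- both passwords ("any position common to the old and new passwords").
    FUNCTION count_differences(p_old IN VARCHAR2, p_new IN VARCHAR2)
    RETURN PLS_INTEGER
    IS
        l_common PLS_INTEGER := LEAST(NVL(LENGTH(p_old), 0), NVL(LENGTH(p_new), 0));
        l_diff   PLS_INTEGER := 0;
    BEGIN
        FOR i IN 1 .. l_common LOOP
            IF SUBSTR(p_old, i, 1) <> SUBSTR(p_new, i, 1) THEN
                l_diff := l_diff + 1;
            END IF;
        END LOOP;
        RETURN l_diff;
    END count_differences;

    -- TRUE when the text holds at least one character from the given set,
    -- which is how the Alphabetic/Punctuation Characters fields are used.
    FUNCTION contains_any(p_text IN VARCHAR2, p_charset IN VARCHAR2)
    RETURN BOOLEAN
    IS
    BEGIN
        FOR i IN 1 .. NVL(LENGTH(p_text), 0) LOOP
            IF INSTR(p_charset, SUBSTR(p_text, i, 1)) > 0 THEN
                RETURN TRUE;
            END IF;
        END LOOP;
        RETURN FALSE;
    END contains_any;

    -- First word of the colon-separated list found in the password in any
    -- combination of upper and lower case, or NULL when none is found.
    FUNCTION forbidden_word(p_password IN VARCHAR2, p_words IN VARCHAR2)
    RETURN VARCHAR2
    IS
        l_word VARCHAR2(200);
        l_idx  PLS_INTEGER := 1;
    BEGIN
        LOOP
            l_word := REGEXP_SUBSTR(p_words, '[^:]+', 1, l_idx);
            EXIT WHEN l_word IS NULL;
            IF INSTR(UPPER(p_password), UPPER(l_word)) > 0 THEN
                RETURN l_word;
            END IF;
            l_idx := l_idx + 1;
        END LOOP;
        RETURN NULL;
    END forbidden_word;

    -- Collect every rule the new password breaks into one line of text.
    FUNCTION violations(p_username IN VARCHAR2, p_old IN VARCHAR2, p_new IN VARCHAR2)
    RETURN VARCHAR2
    IS
        l_out  VARCHAR2(4000);
        l_word VARCHAR2(200);
        PROCEDURE flag(p_msg IN VARCHAR2) IS
        BEGIN
            l_out := l_out || CASE WHEN l_out IS NOT NULL THEN '; ' END || p_msg;
        END flag;
    BEGIN
        IF NVL(LENGTH(p_new), 0) < c_min_length THEN
            flag('shorter than ' || c_min_length || ' characters');
        END IF;
        IF count_differences(p_old, p_new) < c_min_differences THEN
            flag(count_differences(p_old, p_new) || ' positional differences, '
                 || c_min_differences || ' required');
        END IF;
        IF NOT contains_any(p_new, c_punctuation) THEN
            flag('no punctuation character');
        END IF;
        -- Case-insensitive username match is an assumption of this model.
        IF INSTR(UPPER(p_new), UPPER(p_username)) > 0 THEN
            flag('contains the username');
        END IF;
        l_word := forbidden_word(p_new, c_must_not);
        IF l_word IS NOT NULL THEN
            flag('contains "' || l_word || '"');
        END IF;
        RETURN NVL(l_out, 'accepted');
    END violations;
BEGIN
    -- Characters appended to the old password: no shared position changes.
    DBMS_OUTPUT.PUT_LINE(violations('jsmith', 'Winter2023!x', 'Winter2023!xyz'));
    -- Several shared positions replaced.
    DBMS_OUTPUT.PUT_LINE(violations('jsmith', 'Winter2023!x', 'Spring2024!x'));
    -- Same characters shifted right by one: every shared position changes.
    DBMS_OUTPUT.PUT_LINE(violations('jsmith', 'Winter2023!x', 'xWinter2023!'));
    -- Username and a Must Not Contain word, in mixed case.
    DBMS_OUTPUT.PUT_LINE(violations('jsmith', 'Winter2023!x', 'Welcome-JSmith1'));
END;
/
```

Because only shared positions are compared, appending characters to an old password adds no differences, while shifting the same characters by one position changes almost every one; the difference count is best paired with the Must Not Contain list rather than relied on alone.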

2.5.2.10 Restricting Access to Oracle Application Express by Database Access Descriptor (DAD)

This section describes how to restrict access to Oracle Application Express by Database Access Descriptor (DAD).

Tip:

The PL/SQL Request Validation Function directive is only available in Oracle Application Server 10g and Oracle HTTP Server 11g or later, and the embedded PL/SQL gateway in Oracle Database 11g or later. This directive is not available in Oracle HTTP Server Release 9.0.3.

2.5.2.10.1 About Enforcing Access Restrictions Per DAD

mod_plsql and the embedded PL/SQL gateway support a directive which enables you to name a PL/SQL function which is called for each HTTP request. You can use this functionality to restrict the procedures that can be called through the embedded PL/SQL gateway or mod_plsql. The function returns TRUE if the named procedure in the current request is allowed and FALSE if it is not allowed. You can also use this function to enforce access restrictions for Oracle Application Express on a per-Database Access Descriptor (DAD) basis.

During installation, the installer also creates a PL/SQL function in the Oracle Application Express product schema (APEX_050000). To restrict access, you can change and recompile this function. The source code for this function is not wrapped and can be found in the Oracle Application Express product core directory in the file named wwv_flow_epg_include_local.sql.

Oracle Application Express ships with a request validation function named wwv_flow_epg_include_modules.authorize. This function specifies access restrictions appropriate for the standard DAD configured for Oracle Application Express.

The wwv_flow_epg_include_mod_local function is called by Oracle Application Express's request validation function which itself is called by the embedded PL/SQL gateway or mod_plsql. The Oracle Application Express function first evaluates the request and based on the procedure name, approves it, rejects it, or passes it to the local function, wwv_flow_epg_include_mod_local, which can evaluate the request using its own rules.

When you create new DADs for use with Oracle Application Express, the request validation function directive should be specified. Specifically, the function wwv_flow_epg_include_modules.authorize should be named in the directive PlsqlRequestValidationFunction in the Database Access Descriptor entry in dads.conf.

If you have no additional restrictions beyond those implemented in the wwv_flow_epg_include_modules.authorize function, there is no need to take any action with respect to the source code for the wwv_flow_epg_include_mod_local function.

2.5.2.10.2 About the wwv_flow_epg_include_local Function

You can change and recompile the wwv_flow_epg_include_local function to restrict access. The source code for the wwv_flow_epg_include_local function is not wrapped and can be found in the Oracle Application Express product core directory in the file named wwv_flow_epg_include_local.sql. The source code is as follows:

CREATE OR REPLACE FUNCTION
wwv_flow_epg_include_mod_local(
    PROCEDURE_NAME IN VARCHAR2)
RETURN BOOLEAN
IS  
BEGIN  
    RETURN FALSE; -- remove this statement when you add procedure names to the "IN" list
    IF UPPER(procedure_name) IN (
          '') THEN  
        RETURN TRUE;  
    ELSE  
        RETURN FALSE;  
    END IF;  
END wwv_flow_epg_include_mod_local;
/

2.5.2.10.3 Specifying Allowed Named Procedures

To specify names of procedures that should be allowed, edit wwv_flow_epg_include_local as follows:

  1. Remove or comment out the RETURN FALSE statement that immediately follows the BEGIN statement:

    ...
    BEGIN  
        RETURN FALSE; -- remove this statement when you add procedure names to the "IN" list
    ...
    
  2. Add names to the IN clause for the procedures that should be allowed to be invoked in HTTP requests. For example, to allow procedures PROC1 and PROC2, write the IN list as IN ('PROC1', 'PROC2').

    After changing the source code of this function, alter the Oracle Application Express product schema (APEX_050000) and compile the function in that schema.

2.5.2.10.4 Altering the Product Schema

To alter the product schema, APEX_050000:

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Alter the product schema (APEX_050000) by entering the following command:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Compile the function wwv_flow_epg_include_local.sql.
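The edit and compile steps above, put together as one SQL*Plus script. This is an added example, not Oracle's shipped file: PROC1 and PROC2 are the placeholder names used in the text, and the status query and the test block at the end are additions for verifying the result.

```sql
-- Added example: run in SQL*Plus, connected as SYS AS SYSDBA.
ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;

CREATE OR REPLACE FUNCTION wwv_flow_epg_include_mod_local(
    procedure_name IN VARCHAR2)
RETURN BOOLEAN
IS
BEGIN
    -- The unconditional RETURN FALSE that ships right after BEGIN has been
    -- removed, so the IN list below now decides the outcome.
    IF UPPER(procedure_name) IN ('PROC1', 'PROC2') THEN
        RETURN TRUE;
    ELSE
        -- Any name that is not listed stays rejected by the local function.
        RETURN FALSE;
    END IF;
END wwv_flow_epg_include_mod_local;
/
SHOW ERRORS FUNCTION APEX_050000.wwv_flow_epg_include_mod_local

-- Confirm the function compiled: STATUS must be VALID before it is relied on.
SELECT object_name, status, last_ddl_time
  FROM all_objects
 WHERE owner       = 'APEX_050000'
   AND object_type = 'FUNCTION'
   AND object_name = 'WWV_FLOW_EPG_INCLUDE_MOD_LOCAL';

-- Call the function directly with a few names to see what the list admits.
SET SERVEROUTPUT ON
DECLARE
    PROCEDURE show_decision(p_name IN VARCHAR2) IS
    BEGIN
        DBMS_OUTPUT.PUT_LINE(
            RPAD(NVL(p_name, '(null)'), 20) ||
            CASE
                WHEN APEX_050000.wwv_flow_epg_include_mod_local(p_name)
                THEN 'allowed'
                ELSE 'not allowed'
            END);
    END show_decision;
BEGIN
    show_decision('proc1');           -- listed name in lower case (UPPER is applied)
    show_decision('PROC2');           -- listed name
    show_decision('PROC3');           -- name that is not in the list
    show_decision('MYSCHEMA.PROC1');  -- schema-qualified form of a listed name
    show_decision('PROC1 ');          -- listed name with a trailing space
    show_decision(NULL);              -- no name at all
END;
/
```

The IN list compares whole strings after upper-casing, so a name reaches TRUE only when it matches an entry exactly; keep the list to the procedures that genuinely need to be callable over HTTP.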

2.5.2.11 Managing Authorized URLs

In Oracle Application Express, developers can use a URL as an argument in Oracle Application Express procedures that redirect to the defined URL. Examples include APEX_UTIL.COUNT_CLICK (p_url parameter) and WWV_FLOW_CUSTOM_AUTH_STD.LOGOUT (p_next_url parameter).

This section describes how instance administrators can define a list of authorized URLs. When a URL is provided as an argument to these procedures, it is verified internally against this list.

2.5.2.11.1 Defining a List of Authorized URLs

To define a list of Authorized URLs:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Click the Authorized URLs tab.

  5. Click Create Authorized URL.

  6. On the Authorized URL page:

    1. Authorized URL - Enter an authorized URL that can be used as the parameter value to certain Application Express procedures.

      The entire authorized URL value is compared with the URL parameter value in Oracle Application Express procedures. If there is an exact match up to and including the entire length of the Authorized URL value, then the URL parameter value is permitted.

    2. Description - Enter a description of the URL.

    3. Click Create Authorized URL.
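Because the comparison runs only over the length of the Authorized URL value, where an entry ends determines what it permits. The block below is an added example that models that comparison as the text describes it; it is not Oracle's code, and the hostnames, URLs and function names are constructed.

```sql
-- Added example: models the comparison described for Authorized URLs
-- (exact, case-sensitive match over the full length of the entry).
-- Not Oracle's code; all hostnames and URLs are constructed samples.
SET SERVEROUTPUT ON
DECLARE
    TYPE t_urls IS TABLE OF VARCHAR2(400);

    l_entries t_urls := t_urls(
        'https://apps.example.com',     -- entry that ends inside the host part
        'https://apps.example.com/');   -- entry that ends after the host part

    l_params t_urls := t_urls(
        'https://apps.example.com/pls/apex/f?p=100:1',
        'https://apps.example.com:8443/pls/apex/f?p=100:1',
        'https://apps.example.com.example.net/',
        'HTTPS://APPS.EXAMPLE.COM/pls/apex/f?p=100:1');

    -- The URL parameter is permitted when its leading characters equal the
    -- whole Authorized URL entry.
    FUNCTION is_permitted(p_entry IN VARCHAR2, p_url IN VARCHAR2)
    RETURN BOOLEAN
    IS
    BEGIN
        RETURN p_entry IS NOT NULL
           AND NVL(SUBSTR(p_url, 1, LENGTH(p_entry)), ' ') = p_entry;
    END is_permitted;

    -- Review check: TRUE when the entry has a scheme and host but nothing
    -- after the host (no slash, query or fragment).
    FUNCTION ends_in_host(p_entry IN VARCHAR2)
    RETURN BOOLEAN
    IS
    BEGIN
        RETURN REGEXP_LIKE(p_entry, '^[a-z][a-z0-9+.-]*://[^/?#]+$', 'i');
    END ends_in_host;
BEGIN
    FOR e IN 1 .. l_entries.COUNT LOOP
        DBMS_OUTPUT.PUT_LINE(
            'Authorized URL: ' || l_entries(e) ||
            CASE WHEN ends_in_host(l_entries(e))
                 THEN '   <- ends inside the host part, review'
            END);
        FOR p IN 1 .. l_params.COUNT LOOP
            DBMS_OUTPUT.PUT_LINE(
                '  ' || RPAD(l_params(p), 52) ||
                CASE WHEN is_permitted(l_entries(e), l_params(p))
                     THEN 'permitted'
                     ELSE 'not permitted'
                END);
        END LOOP;
    END LOOP;
END;
/
```

An entry that stops inside the host part also matches other ports and longer hostnames that begin with the same characters, so end each entry with at least the slash that follows the host.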

2.5.2.11.2 Editing a Defined Authorized URL

To edit an existing URL:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Click the Authorized URLs tab.

    A report of defined authorized URLs appears.

  5. Click the Edit icon adjacent to the URL.

  6. Edit the Authorized URL and Description fields.

  7. Click Apply Changes.

2.5.2.11.3 Deleting Defined Authorized URL

To delete an existing URL:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Security.

  4. Click the Authorized URLs tab.

    A report of defined authorized URLs appears.

  5. Click the Edit icon adjacent to the URL.

  6. Click Delete.

  7. Click OK to confirm your selection.

2.5.3 Configuring Instance Settings

This section describes configuring general settings for an Oracle Application Express development instance. Instance Settings impact general behavior of workspace provisioning, storage, email, wallet, report printing, Help, workspace change request size, and Application ID Ranges.

2.5.3.1 About Configuring Self Service Workspace Provisioning

The instance administrator determines the amount of automation when provisioning (or creating) a workspace. To determine how provisioning works, an Instance Administrator selects one of the following Provisioning Status options on the Instance Settings page:

  • Manual - In this mode, an instance administrator creates new workspaces and notifies the Workspace administrator of the login information.

  • Request - Users request workspaces directly in a self-service fashion. Users click a link on the login page to access a request form. After the workspace request has been granted, users are automatically emailed the appropriate login information.

  • Request with Email Verification - In this mode, users request workspaces directly by clicking a link on the Sign In page to access a request form. Each user receives an initial email containing a verification link. When the user clicks the verification link, the request is processed. The user can then access the workspace using the Sign In page.

Note:

To enable users to request a workspace using a link on the Sign In page, you must choose the provisioning status of Request or Request with Email Verification as described in the previous section. If the provisioning status is set to Manual, no link appears on the sign in page.

2.5.3.2 Disabling Email Provisioning

Use Email Provisioning to disable workspace provisioning when provisioning with Email Verification.

To disable email provisioning:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. From Email Provisioning, select Disabled.

    Selecting Disabled completely disables workspace provisioning when provisioning with Email Verification.

  5. In Message, enter a message that explains why email provisioning is disabled.

  6. Click Apply Changes.

2.5.3.3 Configuring Storage

Instance administrators can configure the following storage options: require a new schema when requesting a workspace, auto extend tablespaces, or delete uploaded files after a specified number of days.

2.5.3.3.1 Requiring a New Schema

To require a new schema when creating a workspace:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to Storage.

  5. From Require New Schema, select one of the following:

    • Yes - Requires users to request a new schema when they request a new workspace.

    • No - Enables users to select an existing schema when they request a new workspace.

  6. For Auto Extend Tablespaces, select Yes or No. See "Enabling Auto Extend Tablespaces."

  7. Click Apply Changes.

2.5.3.3.2 Enabling Auto Extend Tablespaces

If Auto Extend Tablespaces is enabled, tablespaces provisioned with Oracle Application Express are created with a data file that is one tenth the requested size. The data file automatically extends up to the requested size. For example, if a user requests a 100 MB workspace, the initial size of the data file is 10 MB and automatically extends up to a maximum size of 100 MB.

To enable Auto Extend Tablespaces:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to Storage.

  5. To enable Auto Extend Tablespaces, select Yes.

  6. Click Apply Changes.

2.5.3.3.3 Enabling Bigfile Tablespaces

When a workspace is provisioned, Oracle Application Express creates the associated database user, tablespace, and data file. If Bigfile Tablespaces is enabled, tablespaces provisioned with Oracle Application Express are created as bigfile tablespaces. A bigfile tablespace is a tablespace with a single, but very large data file. Traditional smallfile tablespaces, in contrast, can contain multiple data files, but the files cannot be as large.

Tip:

Oracle does not recommend using bigfile tablespaces on platforms that do not support large file sizes and can limit tablespace capacity. Refer to your operating system specific documentation for information about maximum supported file sizes.

To enable bigfile tablespaces:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to Storage.

  5. For Bigfile Tablespaces, select Yes.

  6. Click Apply Changes.

See Also:

"Available Parameter Values" in Oracle Application Express API Reference to learn about the BIGFILE_TABLESPACES_ENABLED parameter

2.5.3.3.4 Enabling Encrypted Tablespaces

If Encrypted Tablespaces is enabled, tablespaces provisioned with Oracle Application Express are created as encrypted tablespaces using the Oracle database feature Transparent Data Encryption (TDE). TDE encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database.

To be able to exploit this feature in Application Express, an encryption wallet must be created with a master encryption key set. Additionally, the encryption wallet must be open before provisioning a new Application Express workspace.

To enable Encrypted Tablespaces:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to Storage.

  5. For Encrypted Tablespaces, select Yes.

  6. Click Apply Changes.

See Also:

"Available Parameter Values" in Oracle Application Express API Reference to learn about the ENCRYPTED_TABLESPACES_ENABLED parameter

2.5.3.3.5 Deleting Uploaded Files

Use Delete Uploaded Files After (days) to specify the number of days after which Oracle Application Express automatically deletes uploaded files. Note this automatic deletion process applies to all workspaces in an Oracle Application Express instance. The types of files that are deleted include:

  • Application Export

  • CSS Export

  • Images Export

  • Page Export

  • Plug-in

  • Script Export

  • Spreadsheet / Text Data Import

  • Static Files Export

  • Themes

  • User Interface Defaults

  • Workspace Export

  • XML Data Import

To configure when export and import files are deleted:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to Storage.

  5. In Delete Uploaded Files After (days), enter the number of days after which Oracle Application Express deletes uploaded files. Enter a positive, whole number. If this setting is null, then no files are automatically deleted.

  6. Click Apply Changes.

Tip:

To view a summary of deleted files, see the Automatic File Delete Log. See "Monitoring Activity Across a Development Instance."

2.5.3.4 Configuring Email

To enable Oracle Application Express to send mail, an instance administrator must configure email settings. This section describes how to configure email settings in a full development environment and a runtime environment.

Tip:

You can configure Oracle Application Express to automatically email users their login credentials when a new workspace request has been approved. See "About Specifying How Workspaces Are Created" and "Selecting a Provisioning Mode."

2.5.3.4.1 About Enabling Network Services

Starting with Oracle Database 11g Release 1 (11.1), the ability to interact with network services is disabled by default. Therefore, if you are running Oracle Application Express with Oracle Database 11g or later, you must enable outbound mail: use the DBMS_NETWORK_ACL_ADMIN package to grant connect privileges to any host for the APEX_050000 database user. Failing to grant these privileges results in issues with:

  • Sending outbound mail in Oracle Application Express.

  • Using Web services in Oracle Application Express.

  • PDF/report printing.
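Where only outbound mail is needed, the connect privilege can be scoped to the SMTP relay instead of every host. The following is an added example, not taken from the Oracle documentation: it uses the 11g-style DBMS_NETWORK_ACL_ADMIN procedures, the ACL file name, host, and port are constructed values, and the final query reviews what APEX_050000 can currently reach.

```sql
-- Added example; run as SYS. ACL name, host and port are constructed values.
-- CREATE_ACL and ASSIGN_ACL are the 11g procedures; on Oracle Database 12c
-- they are deprecated but still available.
BEGIN
    -- Create an ACL whose only entry grants "connect" to APEX_050000.
    -- CREATE_ACL raises an error if an ACL with this name already exists.
    DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
        acl         => 'apex_smtp_only.xml',
        description => 'APEX outbound mail to the SMTP relay only',
        principal   => 'APEX_050000',
        is_grant    => TRUE,
        privilege   => 'connect');

    -- Bind the ACL to one host and one port rather than to '*'.
    DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
        acl        => 'apex_smtp_only.xml',
        host       => 'smtp.example.com',
        lower_port => 465,
        upper_port => 465);

    COMMIT;
END;
/

-- Review: list every host and port range APEX_050000 may connect to and
-- flag wildcard hosts or entries without a port restriction.
SELECT a.host,
       a.lower_port,
       a.upper_port,
       p.privilege,
       CASE
           WHEN a.host LIKE '*%' OR a.lower_port IS NULL THEN 'BROAD'
           ELSE 'scoped'
       END AS scope_check
  FROM dba_network_acls a
  JOIN dba_network_acl_privileges p
    ON p.acl = a.acl
 WHERE p.principal = 'APEX_050000'
   AND p.is_grant  = 'true'
 ORDER BY a.host, a.lower_port;
```

Web services and report printing need their own host entries; add one ASSIGN_ACL call per destination rather than widening the host to '*'.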

See Also:

"Enabling Network Services in Oracle Database 11g or Later" for your configuration scenario in Oracle Application Express Installation Guide

2.5.3.4.2 Configuring Email in a Full Development Environment

To configure Oracle Application Express to send mail in a full development environment:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Under Email, enter the following:

    1. Application Express Instance URL - Enter the URL to the Oracle Application Express instance, inclusive of the DAD and trailing slash. For example:

      http://your_server/pls/apex/
      

      This setting is used for Oracle Application Express system-generated emails.

    2. Application Express Images URL - Enter the URL to the Oracle Application Express images directory, inclusive of the trailing slash. For example:

      http://your_server/i/
      

      This setting is used for Oracle Application Express system-generated emails.

    3. SMTP Host Address - Defines the server address of the SMTP server. By default on installation, this is set to localhost. If you are using another server as an SMTP relay, change this parameter to that server's address.

    4. SMTP Host Port - Defines the port the SMTP server listens to for mail requests. The default setting is 25.

    5. SMTP Authentication Username - If you enter a username, Oracle Application Express authenticates against it when sending emails. Prior to Oracle Database 11g Release 2 (11.2.0.2), only the SMTP authentication scheme "LOGIN" is supported. On newer database versions, all authentication schemes of UTL_SMTP are supported.

    6. SMTP Authentication Password - If you enter a password, Oracle Application Express authenticates against it when sending emails. Prior to Oracle Database 11g Release 2 (11.2.0.2), only the SMTP authentication scheme "LOGIN" is supported. On newer database versions, all authentication schemes of UTL_SMTP are supported.

    7. Use SSL/TLS - Beginning with Oracle Database 11g Release 2 (11.2.0.2), Oracle Application Express supports secure SMTP connections. Options include:

      • Yes - A secure connection with SSL/TLS is made before SMTP communication.

      • After connection is established - Oracle Application Express sends the SMTP command STARTTLS immediately after the connection is opened.

      • No - A non-secure connection is opened.

    8. Default Email From Address - Defines the from address for tasks that generate email, such as approving a provision request or resetting a password.

    9. Maximum Emails per Workspace - Defines the number of email messages that can be sent with the APEX_MAIL API per workspace per 24 hour period.

  5. Click Apply Changes.

2.5.3.4.3 Configuring Email in a Runtime Environment

To configure Oracle Application Express to send mail in a runtime environment:

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Run the following statement:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Run the following statement:

    BEGIN
       APEX_INSTANCE_ADMIN.SET_PARAMETER(PARAMETER_NAME, PARAMETER_VALUE);
    END;
    /
    

    For a description of email parameters, see "Configuring Email in a Full Development Environment."

See Also:

"SET_PARAMETER Procedure" in Oracle Application Express API Reference

2.5.3.4.4 Determining Email Settings in a Runtime Environment

To determine email settings in a runtime environment:

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Run the following statement:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Run the following statement:

    SELECT 
    APEX_INSTANCE_ADMIN.GET_PARAMETER(PARAMETER_NAME)
    FROM DUAL;
    

    For a description of email parameters, see "Configuring Email in a Full Development Environment."

See Also:

"GET_PARAMETER Function" in Oracle Application Express API Reference

2.5.3.5 Configuring Wallet Information

This section describes how to configure wallet information for an Oracle Application Express instance.

2.5.3.5.1 About SSL and Wallet Creation

Secure Sockets Layer (SSL) is an industry standard protocol that uses RSA public key cryptography with symmetric key cryptography to provide authentication, encryption, and data integrity. When SSL is enabled, https displays in the URL.

A wallet is a password-protected container that stores authentication and signing credentials (including private keys, certificates, and trusted certificates) needed by SSL. You must create a wallet if you:

  • Call an SSL-enabled URL (for example, by invoking a Web service).

  • Create a region of type URL that is SSL-enabled.

  • Configure secure SMTP, by setting the Use SSL/TLS attribute to Yes.

  • Have applications with LDAP authentication schemes that are configured to use SSL with Authentication.

2.5.3.5.2 Overview of Creating a Wallet

To create a wallet:

  1. The database administrator must create a wallet on the Oracle Application Express database instance. See "Using Oracle Wallet Manager" in Oracle Database Advanced Security Administrator's Guide.

  2. The instance administrator configures the Wallet section of the Instance Settings page to specify the file system path to the wallet and the wallet password (if required).

See Also:

"Working with SSL Enabled Web Services" in Oracle Application Express Application Builder User's Guide and "Using Oracle Wallet Manager" in Oracle Database Enterprise User Security Administrator's Guide

2.5.3.5.3 Configuring a Wallet in a Full Development Environment

To specify wallet settings in a full development environment:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to Wallet.

  5. In Wallet Path, enter the path on the file system where the wallet is located using the following format:

    file:directory-path
    

    See field-level Help for examples.

  6. If a password is required to open the wallet:

    1. In Wallet Password, enter a password.

    2. Select Check to confirm that you wish to change the wallet password.

  7. Click Apply Changes.

2.5.3.5.4 Configuring a Wallet in a Runtime Environment

To specify wallet settings in a runtime environment:

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Run the following statement:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Run the following statement:

    BEGIN 
        APEX_INSTANCE_ADMIN.SET_PARAMETER(PARAMETER_NAME, PARAMETER_VALUE);
    END;
    /
    

    For a description of wallet parameters, see Table 2-4.

    Table 2-4 Wallet Parameters

    | Parameter Name | Description |
    |---|---|
    | WALLET_PATH | The path to the wallet on the file system, for example: file:/home/username/wallets |
    | WALLET_PWD | The password associated with the wallet. |


See Also:

"SET_PARAMETER Procedure" in Oracle Application Express API Reference

2.5.3.5.5 Determining Wallet Settings in a Runtime Environment

To determine wallet settings in a runtime environment:

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Run the following statement:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Run the following statement:

    SELECT 
    APEX_INSTANCE_ADMIN.GET_PARAMETER(PARAMETER_NAME) 
    FROM DUAL;
    

    For a description of wallet parameters, see Table 2-4, "Wallet Parameters".
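The runtime procedures for email (2.5.3.4.3 and 2.5.3.4.4) and for the wallet (2.5.3.5.4 and 2.5.3.5.5) combined into one SQL*Plus session, as an added example that is not part of the Oracle documentation: it sets secure SMTP together with the wallet it depends on, then reads the non-secret settings back. The SMTP_* parameter names come from "Available Parameter Values" in the API Reference rather than from this page, and the host, port, user name, and From address are constructed sample values.

```sql
-- Added example; run in SQL*Plus as SYS, following the steps above.
-- Host, port, user name and From address are constructed sample values.
ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;

-- Prompt for the secrets so they are neither echoed nor stored in a script.
-- SET VERIFY OFF stops SQL*Plus from printing the substituted lines.
-- Limitation: a password containing a single quote breaks the literals below.
SET VERIFY OFF
ACCEPT smtp_pwd   CHAR PROMPT 'SMTP password: '   HIDE
ACCEPT wallet_pwd CHAR PROMPT 'Wallet password: ' HIDE

BEGIN
    -- Email settings. SMTP_TLS_MODE corresponds to the Use SSL/TLS attribute:
    -- N = No, Y = Yes, STARTTLS = After connection is established.
    APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_HOST_ADDRESS', 'smtp.example.com');
    APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_HOST_PORT',    '465');
    APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_TLS_MODE',     'Y');
    APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_USERNAME',     'apex-mailer');
    APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_PASSWORD',     '&smtp_pwd');
    APEX_INSTANCE_ADMIN.SET_PARAMETER('SMTP_FROM',         'apex-noreply@example.com');

    -- Wallet settings (Table 2-4). Secure SMTP needs the wallet to be set.
    APEX_INSTANCE_ADMIN.SET_PARAMETER('WALLET_PATH', 'file:/home/username/wallets');
    APEX_INSTANCE_ADMIN.SET_PARAMETER('WALLET_PWD',  '&wallet_pwd');

    COMMIT;
END;
/

-- Drop the substitution variables so the secrets do not linger in the session.
UNDEFINE smtp_pwd
UNDEFINE wallet_pwd
SET VERIFY ON

-- Read back the non-secret settings; the passwords are deliberately not queried.
SELECT p.param_name,
       APEX_INSTANCE_ADMIN.GET_PARAMETER(p.param_name) AS param_value
  FROM (SELECT 'SMTP_HOST_ADDRESS' AS param_name FROM DUAL UNION ALL
        SELECT 'SMTP_HOST_PORT'    FROM DUAL UNION ALL
        SELECT 'SMTP_TLS_MODE'     FROM DUAL UNION ALL
        SELECT 'SMTP_FROM'         FROM DUAL UNION ALL
        SELECT 'WALLET_PATH'       FROM DUAL) p;

-- Flag an instance that still sends mail over a non-secure connection.
SELECT CASE NVL(APEX_INSTANCE_ADMIN.GET_PARAMETER('SMTP_TLS_MODE'), 'N')
           WHEN 'N' THEN 'WARNING: SMTP connection is not encrypted'
           ELSE 'OK: SMTP connection is encrypted'
       END AS smtp_tls_check
  FROM DUAL;
```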

See Also:

"GET_PARAMETER Function" in Oracle Application Express API Reference

2.5.3.6 Configuring Report Printing

This section describes how to configure report printing options for an Oracle Application Express instance.

2.5.3.6.1 About Configuring Report Printing

Oracle Application Express provides several features so that end users can download and print reports in various formats, including PDF. To set up this functionality, different users must configure the following printing settings:

  1. Site Level: Instance administrators must specify the level of functionality (Standard or Advanced) for an entire Oracle Application Express instance, as described in this section.

  2. Application Level: Workspace administrators and developers can define Report Queries and Report Layouts. Report Queries and Report Layouts are stored under Shared Components and are not tied to a specific page.

  3. Page/Region Level: Developers can edit the Report regions on specific pages to enable printing. This, in turn, enables end users to print regions as reports in various formats. See "Configuring Classic Report Region Print Attributes" in Oracle Application Express Application Builder User's Guide.

Tip:

If you are running Oracle Application Express with Oracle Database 11g Release 1 (11.1) or later, you must enable network services to use report printing. See "Enabling Network Services in Oracle Database 11g or Later" for your configuration scenario in Oracle Application Express Installation Guide.

2.5.3.6.2 Configuring Report Printing in a Full Development Environment

To configure the printing of reports in a full development environment:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to Report Printing.

  5. For Printer Server, select one of the following:

    • Oracle REST Data Services - Select this option if you are using the Oracle REST Data Services release 2.0 or later. This option enables you to use the basic printing functionality, which includes creating report queries and printing report regions using the default templates provided in Application Express and using your own customized XSL-FO templates.

      Note:

      The Oracle REST Data Services option does not require an external print server. Instead, the report data and style sheet are downloaded to the listener, rendered into PDF format by the listener, and then sent to the client. The PDF documents in this setup are not returned to the database, so the print APIs are not supported when using the Oracle REST Data Services-based configuration.

    • External (Apache FOP) - Select this option if you are using Apache FOP on an external J2EE server. This option enables you to use the basic printing functionality, which includes creating report queries and printing report regions using the default templates provided in Application Express and using your own customized XSL-FO templates.

    • Oracle BI Publisher - This option requires a valid license of Oracle BI Publisher (also known as Oracle XML Publisher). This option enables you to take report query results and convert them from XML to RTF format using Oracle BI Publisher. Select this option to upload your own customized RTF or XSL-FO templates for printing reports within Application Express.

      See Also:

      PDF Printing in Application Express to learn more about installing and configuring Oracle BI Publisher. Go to:
      http://www.oracle.com/technetwork/developer-tools/apex/application-express/configure-printing-093060.html
      
  6. The following options apply to External (Apache FOP) and Oracle BI Publisher:

    • Print Server Protocol - Select the protocol (HTTP or HTTPS) that the print server uses.

    • Print Server Host Address - Specify the host address of the print server engine. By default, this is set to localhost. Enter the appropriate host address if the print server is installed at another location.

    • Print Server Port - Define the port of the print server engine. The default setting is 8888.

    • Print Server Script - Defines the script that is the print server engine. The default setting is:

      /xmlpserver/convert
      
  7. In Print Timeout, enter the number of seconds. This option defines the transfer timeout for communicating with the print server in seconds.

  8. Click Apply Changes.

2.5.3.6.3 Configuring Report Printing Settings in a Runtime Environment

To configure report printing settings in a runtime environment:

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Run the following statement:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Run the following statement:

    BEGIN
        APEX_INSTANCE_ADMIN.SET_PARAMETER(PARAMETER_NAME, PARAMETER_VALUE);
    END;
    /
    

    For a description of available parameters, see Table 2-5.

    Table 2-5 Report Printing Parameters in Runtime Environment

    | Parameter Name | Description |
    |---|---|
    | PRINT_BIB_LICENSED | Specify either standard support or advanced support. Advanced support requires an Oracle BI Publisher license. Valid values include: STANDARD, ADVANCED, APEX_LISTENER |
    | PRINT_SVR_HOST | Specifies the host address of the print server converting engine, for example, localhost. Enter the appropriate host address if the print server is installed at another location. |
    | PRINT_SVR_PORT | Defines the port of the print server engine, for example 8888. Value must be a positive integer. |
    | PRINT_SVR_PROTOCOL | Valid values include: http, https |
    | PRINT_SVR_SCRIPT | Defines the script that is the print server engine, for example: /xmlpserver/convert |
    

See Also:

"SET_PARAMETER Procedure" in Oracle Application Express API Reference

2.5.3.6.4 Determining Report Printing Settings in a Runtime Environment

To determine report printing settings in a runtime environment:

  1. Start SQL*Plus and connect to the database where Oracle Application Express is installed as SYS. For example:

    • On Windows:

      SYSTEM_DRIVE:\ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
    • On UNIX and Linux:

      $ sqlplus /nolog
      SQL> CONNECT SYS as SYSDBA
      Enter password: SYS_password
      
      
  2. Run the following statement:

    ALTER SESSION SET CURRENT_SCHEMA = APEX_050000;
    
  3. Run the following statement:

    SELECT 
    APEX_INSTANCE_ADMIN.GET_PARAMETER(PARAMETER_NAME)
    FROM DUAL;
    

    For a description of available parameters, see Table 2-5.

See Also:

"GET_PARAMETER Function" in Oracle Application Express API Reference

2.5.3.7 Configuring the Help Menu

Instance administrators can configure the target location of the Help menu that displays in the upper right corner of the Oracle Application Express development environment. By default, the Help menu points to the current Oracle Application Express online documentation library.

To configure the Help menu:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to Help.

  5. In Help URL, edit the URL.

    The URL defined here displays when users click the Help link from within Oracle Application Express.

  6. Click Apply Changes.

See Also:

"About the Oracle Application Express Documentation" in Oracle Application Express Application Builder User's Guide

2.5.3.8 Configuring Workspace Size Options for Requests

Instance administrators can configure the workspace sizes available when users request:

  • A new workspace and schema

  • Additional space for an existing workspace

To configure workspace size options:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to New Workspace Request Size and Workspace Change Request Size. Specify the following:

    • Size in Megabytes - Edit the default numbers to change the size options.

    • Display - Select Yes for all the size options you want to appear in the select list for workspace size.

    • Default - Select the default value to appear in the storage field for workspace and change requests.

  5. Click Apply Changes.

2.5.3.9 Managing Application ID Range

Instance administrators can control the range for IDs of new database or Websheet applications. If you separate ID ranges in large multi-instance installations, you can easily move workspaces between the instances and keep their application IDs. To enable ID ranges, you must specify at least an ID Minimum.

To configure the application ID ranges:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Instance Settings.

  4. Scroll down to Application ID Range and specify the following:

    • ID Minimum - Enter the lower range for database and Websheet application IDs.

    • ID Maximum - Enter the maximum range for database and Websheet application IDs.

  5. Click Apply Changes.

2.5.4 Purging Inactive Workspaces

This section describes how an Instance administrator purges inactive workspaces.

See Also:

"Monitoring Activity Across a Development Instance" to view reports concerning purging workspaces

2.5.4.1 Why Purge Inactive Workspaces?

Inactive workspaces consume valuable storage space and degrade system performance. By enabling Workspace Purge Settings, you can configure Oracle Application Express to purge inactive workspaces.

If a workspace is designated as inactive, a notification email is sent to each workspace administrator explaining that the workspace will be purged in a specific number of days. The workspace administrator can prevent the workspace from being purged by following an embedded link and following the online instructions.

See Also:

"Configuring Email" and "Sending Email from an Application" in Oracle Application Express Application Builder User's Guide

2.5.4.2 Configuring Workspace Purge Settings

To configure workspace purge settings:

  1. Sign in to Oracle Application Express Administration Services. See "Accessing Oracle Application Express Administration Services."

  2. Click Manage Instance.

  3. Under Instance Settings, click Workspace Purge Settings.

  4. On the Workspace Purge Settings page, configure the following:

    1. Enabled - Select Yes to enable the workspace purge process. Select No to disable the workspace purge process.

    2. Language - Select the language of the text of emails sent to workspace administrators of inactive workspaces. Note that only one language can be selected for each instance.

    3. Purge Administration Email Address - Enter the email address (or From address) from which emails are sent to workspace administrators.

    4. Send Summary Email To - Enter a list of email addresses separated by commas. Recipients will receive a daily email summary of the purge process.

    5. Days Until Purge - Enter the number of days before a workspace is physically purged. For example, entering 10 means a workspace will be purged 10 days after it is added to the inactive list.

    6. Reminder Days in Advance - Enter the number of days before the purge date to send a reminder email to workspace administrators. Reminder email criteria include:

      • The workspace is on the inactive list.

      • There has been no activity in the workspace.

      • The workspace administrator has not chosen to follow the link in the email to prevent the workspace from being purged.

    7. Days Inactive - Enter the number of days of inactivity before a workspace is classified as inactive. Inactivity includes not logging into the workspace and no runtime activity of any application in the workspace.

    8. Grace Period (Days) - Enter the number of days for the grace period. The grace period starts after workspace administrators click the link in the email to not have their workspace purged. If there is no activity during the grace period, the workspace is added back to the list of inactive workspaces.

    9. Maximum Execution Time (Hours) - Enter the maximum number of hours that the purge process may execute per run of the workspace purge job.

    10. Maximum Number of Workspaces - Enter the maximum number of workspaces to be purged per run of the workspace purge job.

    11. Maximum Number of Emails - Enter the maximum number of reminder emails and workspace inactive emails to be sent per run of the workspace purge job.

  5. Click Apply Changes.