8 Managing Application Security

This chapter contains an overview of Oracle HTTP Server security features and provides configuration information for setting up a secure website.

This chapter includes the following sections:

8.1 About Oracle HTTP Server Security

Security can be organized into the three categories of authentication, authorization, and confidentiality, and Oracle HTTP Server provides support for all three. It is based on the Apache HTTP Server, and its security infrastructure is provided primarily by the Apache modules mod_auth_basic, mod_authn_file, mod_auth_user, and mod_authz_groupfile, together with WebGate. The mod_auth_basic, mod_authn_file, mod_auth_user, and mod_authz_groupfile modules provide authentication based on user name and password pairs; mod_authz_host controls access to the server based on the characteristics of a request, such as host name or IP address; and mod_ossl provides confidentiality and authentication with X.509 client certificates over SSL.

Oracle HTTP Server provides access control, authentication, and authorization methods that can be configured with access control directives in the httpd.conf file. When URL requests arrive at Oracle HTTP Server, they are processed in a sequence of steps determined by server defaults and configuration parameters. The steps for handling URL requests are implemented through a module or plug-in architecture that is common to many Web listeners.

8.2 Classes of Users and Their Privileges

Oracle HTTP Server authenticates and authorizes users before allowing them to access or modify resources on the server. The following are the three classes of users that access the server through Oracle HTTP Server, and their privileges:

  • Users who access the server without providing any authentication. They have access to unprotected resources only.

  • Users who have been authenticated and potentially authorized by modules within Oracle HTTP Server. This includes users authenticated by Apache HTTP Server modules such as mod_auth_basic, mod_authn_file, mod_auth_user, and mod_authz_groupfile, and by Oracle's mod_ossl. Such users have access to the URLs defined in the httpd.conf file.

  • Users who have been authenticated through Oracle Access Manager. These users have access to resources allowed by Single Sign-On.

8.3 Resources Protected

Oracle HTTP Server can be configured to protect all resources that it manages. You are responsible for configuring any protection that your resources require.

8.4 Authentication, Authorization and Access Control

Oracle HTTP Server provides user authentication and authorization at two stages:

  • Access Control (stage one): This is based on the details of the incoming HTTP request and its headers, such as IP addresses or host names.

  • User Authentication and Authorization (stage two): This is based on different criteria depending on the HTTP server configuration. The server can be configured to authenticate users with user name and password pairs that are checked against a list of known users and passwords. You can also configure the server to use single sign-on authentication for Web applications or X.509 client certificates over SSL.

8.4.1 Access Control

Access control refers to any means of controlling access to any resource.

See Also:

Refer to the Apache HTTP Server documentation for more information on how to configure access control to resources.

8.4.2 User Authentication and Authorization

Authentication is any process by which you verify that someone is who they claim to be. Authorization is any process by which someone is allowed to be where they want to go, or to have the information that they want to have.

Using Apache HTTP Server Modules to Authenticate Users


See Also:

For more information on how to authenticate users, see the Apache HTTP Server documentation on "Authentication and Authorization" at:

http://httpd.apache.org/docs/2.2/howto/auth.html

Using WebGate to Authenticate Users

WebGate enables single sign-on (SSO) for Oracle HTTP Server. WebGate examines incoming requests and determines whether the requested resource is protected, and if so, retrieves the session information for the user.

Through WebGate, Oracle HTTP Server becomes an SSO partner application: it uses SSO to authenticate users, obtains their identity from Oracle Single Sign-On, and makes those user identities available to web applications accessed through Oracle HTTP Server.

By using WebGate, web applications can register URLs that require SSO authentication. WebGate detects which requests received by Oracle HTTP Server require SSO authentication, and redirects them to the SSO server. Once the SSO server authenticates the user, it passes the user's authenticated identity back to WebGate in a secure token. WebGate retrieves the user's identity from the token and propagates it to applications accessed through Oracle HTTP Server, including applications running in Oracle WebLogic Server and CGIs and static files handled by Oracle HTTP Server.

8.4.3 Support for FMW Audit Framework

Oracle HTTP Server supports authentication and authorization auditing by using the FMW Common Audit Framework. As part of enabling auditing, Oracle HTTP Server supports a directive called OraAuditEnable, which defaults to On. When it is enabled, audit events enabled in auditconfig.xml will be recorded in an audit log. By default, no audit events are enabled in auditconfig.xml.

When OraAuditEnable is set to Off, auditing is disabled regardless of the settings in auditconfig.xml.

Audit filters can be configured using Fusion Middleware Control or by editing auditconfig.xml directly.

See Also:

"Overview of Audit Features" in Securing Applications with Oracle Platform Security Services

8.5 Disable SSLv2 and SSLv3 Security Protocols

Because of security concerns, Oracle strongly recommends that you disable the SSLv3 security protocol from Oracle HTTP Server.

To disable SSL security protocols from Oracle HTTP Server:

  1. Locate the ssl.conf file in the staging directory and the runtime directory.

    You can find the ssl.conf files in the following locations:

    Staging directory: DOMAIN_HOME/config/fmwconfig/components/OHS/componentName

    Runtime directory: DOMAIN_HOME/config/fmwconfig/components/OHS/instances/componentName

  2. Edit the security declaration to use a non-SSL protocol.

    For example, to remove the SSLv3 security protocol:

    SSLProtocol -SSLv3

    or to add the TLS version 1.1 and 1.2 security protocols:

    SSLProtocol nzos_Version_1_1 nzos_Version_1_2

    or to add the TLS version 1.0, 1.1, and 1.2 security protocols:

    SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2

  3. Save the files and restart Oracle HTTP Server.

  • If you are editing the files manually, edit the currently configured value rather than adding another one. It is easy to add a global parameter that is then silently overridden by a value inside a VirtualHost.

  • Using the new nzos_Version_* syntax is now preferred. If you are using Oracle Fusion Middleware Control, this is how security will be configured.
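The check below is an added example, not part of the Oracle documentation or the Oracle HTTP Server product: it parses the SSLProtocol directives of an ssl.conf fragment, resolves which value each VirtualHost actually ends up with (the override trap the first note describes), and reports every scope that still permits SSLv3. The sample configuration, the mapping of nzos_Version_* names onto Apache keywords, and the treatment of "all" and of a negative-only directive such as "-SSLv3" are assumptions; run it against both the staging and runtime copies of ssl.conf.

```python
import re
# Constructed sample ssl.conf (not from the page): the global SSLProtocol still
# permits SSLv3 via "all", the first VirtualHost overrides it with the preferred
# nzos_Version_* syntax, and the second silently inherits the global value.
SAMPLE_SSL_CONF = """\
SSLProtocol all
<VirtualHost *:4443>
    SSLProtocol nzos_Version_1_1 nzos_Version_1_2
</VirtualHost>
<VirtualHost *:4444>
    ServerName legacy.example.com
</VirtualHost>
"""

ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumption: "all" as in Apache mod_ssl
NZOS = {"nzos_Version_1_0": "TLSv1", "nzos_Version_1_1": "TLSv1.1",
        "nzos_Version_1_2": "TLSv1.2"}  # Oracle names mapped onto Apache keywords

def parse_protocols(args):
    """Protocols one SSLProtocol line permits (Apache +/- prefixes, nzos names)."""
    tokens = args.split()
    # Assumption: a "-" only directive such as "-SSLv3" subtracts from the full set.
    enabled = set() if any(not t.startswith("-") for t in tokens) else set(ALL)
    for tok in tokens:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        protos = ALL if name.lower() == "all" else {NZOS.get(name, name)}
        enabled = enabled - protos if op == "-" else enabled | protos
    return enabled

def effective_protocols(conf_text):
    """Map the global scope and each <VirtualHost> to the protocols it ends up
    with; a VirtualHost without its own SSLProtocol inherits the global one."""
    scopes, current = {"global": None}, "global"
    for line in conf_text.splitlines():
        line = line.strip()
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = m.group(1)
            scopes[current] = None
        elif line.lower() == "</virtualhost>":
            current = "global"
        elif line.lower().startswith("sslprotocol "):
            scopes[current] = parse_protocols(line.split(None, 1)[1])
    # Assumption: no global directive means the server default, treated here as
    # still permitting SSLv3 until a directive says otherwise.
    glob = scopes["global"] if scopes["global"] is not None else set(ALL)
    return {s: (p if p is not None else glob) for s, p in scopes.items()}

def scopes_allowing_sslv3(conf_text):
    return sorted(s for s, p in effective_protocols(conf_text).items()
                  if p & {"SSLv2", "SSLv3"})
```

For the constructed sample, the global scope and the `*:4444` VirtualHost are reported, while `*:4443` is clean because its own directive lists only TLS 1.1 and 1.2.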