Transcript Jerry Held

Session id: 40112
Simplify and Strengthen Security with Oracle Application Server
Allan L Haensgen
Senior Principal Instructor
Oracle Corporation
Security Risks in an Internet Environment
• Data tampering and fraud
• Eavesdropping and data theft
• Falsifying user identities
• Password-related threats
• Unauthorized access to data
• Lack of accountability
• Hacking
Addressing the Security Challenges
• Deep data protection
  – Multi-layer protection through encryption, extensive auditing, and access control
• Internet-scale security
  – SSL
  – Proxy authentication
  – Java
• Secure hosting and data exchange
  – Public key infrastructure
  – Enterprise-wide user security
Oracle Application Server Security Architecture
Application Server Security
• The Oracle Application Server can be used as a client to the database, and therefore you can employ the following security features:
  – Enterprise user security
  – Authentication and digital certificates
  – Proxy authentication
  – Connecting from the middle tier to the database
Java Authentication and Authorization Service
• Java Authentication and Authorization Service (JAAS) provides key security services to the Java programmer in the following areas:
  – Authentication to identify users
  – Authorization to limit what users can do
  – Delegation to enable code to be run securely
Securing the Oracle HTTP Server Itself
• The Oracle HTTP Server supports the following security schemes:
  – IP-based or domain name-based restriction
  – Basic authentication through the username and password combination
  – Certificate distinguished name (DN)-based authorization
  – Secure Sockets Layer (SSL) protocol
Oracle HTTP Server Security Modules
  – mod_access is used for restriction.
  – mod_auth and mod_auth_anon are used for authentication.
  – mod_ossl is used with SSL.
[Diagram: OHS request-processing phases: 1 Translation, 2 Access Control, 3 MIME Type, 4 Response, 5 Logging]
Host-Based Access Control
  – mod_access: IP- or domain-based access control
  – You can use the allow and deny directives within the <Directory> ... </Directory> or <Location> ... </Location> context of your httpd.conf or .htaccess file:
    allow from host host ...
    deny from host host ...
Host-Based Access Control
  – The order directive specifies the order in which the allow and deny commands are applied:
    order ordering
  – The ordering argument can be one of the following:
    1. deny,allow
    2. allow,deny
Host-Based Access Control
• The allow from or deny from directive:
<Directory /docroot>
order deny,allow
deny from all
allow from 144.25.192.170
</Directory>
User Authentication
• Basic authentication is performed by the following modules:
  – mod_auth
  – mod_auth_anon
• A resource can be protected user-based, group-based, or both.
• To access the resource, you also need to have the permission as defined by the Require directive.
Combining User- and Host-Based Authentication
<Location />
AuthName "Who are you"
AuthType Basic
AuthUserFile /ias/Apache/Apache/auth/password
Require valid-user
order deny,allow
deny from all
allow from hq1.us.oracle.com
Satisfy all
</Location>
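The two host-based rules in the slides above (the /docroot directory with order deny,allow, and the <Location /> block that adds Require valid-user and Satisfy all) are easy to get wrong, because the order argument changes both the default decision and which match wins. The following Python model is an added example, not code from Oracle or from this session: it evaluates a client against allow/deny lists under both orderings and then combines that result with a valid-user check the way Satisfy all and Satisfy any do. It assumes the classic Apache mod_access semantics (deny,allow: default allow, an allow match wins; allow,deny: default deny, a deny match wins), the htpasswd {SHA} entry format for AuthUserFile, and a constructed user file; the client addresses, host names, user names and passwords are made up.

```python
import base64
import hashlib
import hmac
import ipaddress


def host_matches(pattern, ip, hostname=None):
    """True if one 'allow from' / 'deny from' argument matches the client.
    Supports: all, a CIDR network, a full or partial dotted IPv4 address,
    and a domain name matched on a label boundary (assumed mod_access rules)."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:                      # e.g. 144.25.0.0/16
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():  # e.g. 144.25.192.170 or 144.25
        return ip == pattern or ip.startswith(pattern.rstrip(".") + ".")
    if hostname is None:                    # name patterns need a resolved name
        return False
    hostname = hostname.lower()
    suffix = pattern.lstrip(".")
    return hostname == suffix or hostname.endswith("." + suffix)


def host_access(order, allow, deny, ip, hostname=None):
    """Evaluate the mod_access 'order' directive for one client.
    deny,allow: default is allow; an allow match overrides a deny match.
    allow,deny: default is deny;  a deny match overrides an allow match."""
    allowed = any(host_matches(p, ip, hostname) for p in allow)
    denied = any(host_matches(p, ip, hostname) for p in deny)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported order: " + order)


def htpasswd_sha_entry(user, password):
    """Build one AuthUserFile line in htpasswd '{SHA}' format (base64 of SHA-1)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def load_userfile(text):
    """Parse 'user:hash' lines into a dict of stored hashes."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def valid_user(users, user, password):
    """'Require valid-user': the user exists and the password verifies."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    candidate = htpasswd_sha_entry(user, password).split(":", 1)[1]
    return hmac.compare_digest(stored, candidate)


# Constructed stand-in for /ias/Apache/Apache/auth/password (not a real file).
USERFILE = "\n".join([htpasswd_sha_entry("alice", "correct horse"),
                      htpasswd_sha_entry("bob", "s3cret")])

# The <Location /> block from the slide, as a dict; 'satisfy' is the Satisfy directive.
LOCATION = {
    "order": "deny,allow",
    "deny": ["all"],
    "allow": ["hq1.us.oracle.com"],
    "satisfy": "all",
    "users": load_userfile(USERFILE),
}


def check_request(location, ip, hostname, user, password):
    """Combine the host-based and user-based checks the way Satisfy does."""
    host_ok = host_access(location["order"], location["allow"], location["deny"], ip, hostname)
    user_ok = valid_user(location["users"], user, password)
    if location["satisfy"] == "all":
        return host_ok and user_ok
    return host_ok or user_ok               # Satisfy any


if __name__ == "__main__":
    # The /docroot rule from the slide, then the same lists with the order flipped.
    print(host_access("deny,allow", ["144.25.192.170"], ["all"], "144.25.192.170"))
    print(host_access("allow,deny", ["144.25.192.170"], ["all"], "144.25.192.170"))
    print(check_request(LOCATION, "144.25.1.2", "hq1.us.oracle.com", "alice", "correct horse"))
```

The flipped case is the one to remember: with allow,deny the same lists deny everyone, because "deny from all" is evaluated last and wins, so the single allowed host is locked out along with everything else. Switching Satisfy to any relaxes the location so that a valid password alone admits a client from outside the allowed host, which is rarely what a "deny from all" was meant to express.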
Establishing Secure Web Sessions
• The SSL protocol is a standard for secure data transmission over the Internet.
• SSL involves three mechanisms:
  – Encryption
  – Authentication
  – Data integrity
• SSL is implemented through mod_ossl.
How SSL Works
[Diagram: Browser and Oracle9iAS over https; labels: 1 Public certificate, 2 Session key, 3 https, 4 Request client certificate (opt)]
Oracle Wallet Manager
• Oracle Wallet Manager is a stand-alone Java application for:
  – Generating a public/private key pair and creating a certificate request for submission to a CA.
  – Installing a certificate for the entity.
  – Configuring trusted certificates for the entity.
  – Uploading or downloading a wallet to or from an LDAP directory such as Oracle Internet Directory.
  – Importing wallets and exporting wallets.
Creating a Certificate Request
Exporting a Certificate Request
Oracle HTTP Server with SSL Enabled
• Oracle HTTP Server is already SSL enabled after the installation:
  – SSL is enabled in opmn.xml:
<ohs>
<start-mode mode="ssl"/>
</ohs>
  – There is no specific command to start the Oracle HTTP Server with SSL enabled:
$> cd $ORACLE_HOME/dcm/bin
$> dcmctl start -ct ohs
What is Single Sign-On?
• Oracle Application Server Single Sign-On (SSO) is a service that enables:
  – Authentication to multiple applications in an enterprise by entering a username and password only once
  – Centralized administration of username and password combinations for all users in an enterprise
Single Sign-On
• SSO technology utilizes:
  – mod_osso: An HTTP module that provides single sign-on authentication to Oracle9iAS applications
  – Oracle Internet Directory: A Lightweight Directory Access Protocol (LDAP) server using an Oracle9i database as its information store
  – Oracle Wallet Manager: A container utility that stores and manages X.509 certificates and trusted certificates
Single Sign-On
• Oracle9iAS SSO technology provides:
  – Public key infrastructure (PKI) support when using Oracle Internet Directory
  – Multitier integration
Authenticating Partner Applications
[Diagram: authentication flow between a Partner Application, Oracle HTTP Server, SSO Server, and Oracle Internet Directory, numbered steps 1 to 7]
Administering Users With the Delegated Administration Service (DAS)
http://<hostname>:<port>/oiddas
Lightweight Directory Access Protocol (LDAP)
• LDAP offers the following features:
  – Simplified ISO X.500 Directory Access Protocol
  – Lightweight, browser-friendly client implementation
  – Protocol standard defined and maintained by the Internet Engineering Task Force (IETF)
  – Need for interoperability is driving rapid adoption in the IT community
Oracle Internet Directory (OID)
• OID is:
  – Compliant with LDAP, version 3
  – Implemented as an Oracle9i application
• OID includes:
  – Oracle Directory Server
  – Oracle Directory Replication Server
  – Oracle Directory Manager
  – Command-line tools
  – Delegated Administration Service (DAS)
OID Architectural Overview
[Diagram: OID clients reach OID over LDAP or LDAP over SSL; OID uses Oracle Net connections to the Oracle database; directory administration]
Benefits of OID
• OID provides:
  – Delegated Administration Service (DAS)
  – Failover in cluster configurations
  – Support for Oracle Real Application Clusters
  – Oracle Directory Integration platform, to synchronize with other enterprise repositories including third-party LDAP directories
  – Password policy management
Identity Management
• Centralizes and automates many application user management functions
• Faster deployments
• Brings OID, SSO, DAS, and other security components into one management system
Questions and Answers