					Session id: 40112




Simplify and Strengthen Security
with Oracle Application Server

                       Allan L Haensgen
                    Senior Principal Instructor
                       Oracle Corporation
Security Risks in an Internet Environment
 •   Data tampering and fraud
 •   Eavesdropping and data theft
 •   Falsifying user identities
 •   Password-related threats
 •   Unauthorized access to data
 •   Lack of accountability
 •   Hacking
Addressing the Security Challenges
 • Deep data protection
    – Multi-Layer protection through encryption,
      extensive auditing, and access control
 • Internet-scale security
    – SSL
    – Proxy authentication
    – Java
 • Secure hosting and data exchange
    – Public key infrastructure
    – Enterprise wide user security
Oracle Application Server Security Architecture
Application Server Security

 The Oracle Application Server can be used
  as a client to the database and therefore
  you can employ the following security
  features:
  –   Enterprise user security
  –   Authentication and digital certificates
  –   Proxy authentication
  –   Connecting from the middle tier to the database
Java Authentication and Authorization Service
 Java Authentication and Authorization
  Service (JAAS) provides key security
  services to the Java programmer in the
  following areas:
  –   Authentication to identify users
  –   Authorization to limit what users can do
  –   Delegation to enable code to be run securely
Securing the Oracle HTTP Server Itself
The Oracle HTTP Server supports the
  following security schemes:
  –   IP-based or domain name–based restriction
  –   Basic authentication through the username and
      password combination
  –   Certificate distinguished name (DN)-based
      authorization
  –   Secure Sockets Layer (SSL) protocol
 Oracle HTTP Server Security Modules
    –   mod_access is used for restriction.
    –   mod_auth and mod_auth_anon are used for
        authentication.
    –   mod_ossl is used with SSL.
 [Figure: Oracle HTTP Server (OHS) request-processing phases: 1 Translation, 2 Access Control, 3 MIME Type, 4 Response, 5 Logging]
Host-Based Access Control
 –   mod_access: IP- or domain-based access
     control
 –   You can use the allow and deny directives
     within a <Directory> ... </Directory> or
     <Location> ... </Location> context in your
     httpd.conf or .htaccess file:
allow from host host ...

deny from host host ...
Host-Based Access Control
 –   The order directive specifies the order in which
     the allow and deny commands are applied:
order ordering


 –   The ordering argument can be one of the
     following:
1.    deny,allow
2.    allow,deny
Host-Based Access Control

 Example of the allow from and deny from
  directives in a <Directory> context:

<Directory /docroot>
  order deny,allow
  deny from all
  allow from 144.25.192.170
</Directory>
User Authentication
 Basic authentication is performed by the
  following modules:
  –   mod_auth
  –   mod_auth_anon
 A resource can be protected on a user basis,
  a group basis, or both.
 To access the resource, you also need to
  have the permission as defined by the
  Require directive.
Combining User- and Host-Based Authentication
<Location />
  AuthName "Who are you"
  AuthType Basic
  AuthUserFile /ias/Apache/Apache/auth/password
  Require valid-user
  order deny,allow
  deny from all
  allow from hq1.us.oracle.com
  Satisfy all
</Location>
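To make the decision logic of the last few slides concrete, here is an added Python model of how mod_access evaluates order, allow from and deny from, and how Satisfy combines that host decision with the Require directive. It is example code written for this page, not code from the presentation or from Oracle HTTP Server; the two rule dictionaries transcribe the two httpd.conf fragments shown on the slides (the address 144.25.192.170 and the host hq1.us.oracle.com are the slides' own values), and the client's resolved hostname is taken as a given input rather than looked up via reverse DNS. The last two calls in the demonstration go slightly beyond the slides: they show why the choice of ordering matters when a configuration has an allow line but no deny line.

```python
"""Model of Oracle HTTP Server (Apache-style) host- and user-based access
control: the order/allow/deny directives of mod_access and the Satisfy
directive that combines the host decision with Require.
Added example for this page; not code from the presentation."""
import ipaddress


def host_matches(client_ip, client_host, pattern):
    """True if the client matches one 'allow from' / 'deny from' argument.

    Handles 'all', a full or partial dotted IP (10.1 matches 10.1.x.x), a CIDR
    network, and a domain name (matches the name itself or any subdomain).
    """
    if pattern == "all":
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern[0].isdigit():
        return client_ip == pattern or client_ip.startswith(pattern.rstrip(".") + ".")
    suffix = pattern.lstrip(".").lower()
    host = (client_host or "").lower()   # assumed already resolved by the caller
    return host == suffix or host.endswith("." + suffix)


def host_access(order, allow_from, deny_from, client_ip, client_host=None):
    """Apply mod_access semantics for the two orderings the slides list.

    deny,allow: deny rules are applied first, a matching allow overrides them,
                and a client matching neither list is ALLOWED.
    allow,deny: at least one allow must match, a matching deny then overrides,
                and a client matching neither list is DENIED.
    """
    def matches(patterns):
        return any(host_matches(client_ip, client_host, p) for p in patterns)

    if order == "deny,allow":
        allowed = True
        if matches(deny_from):
            allowed = False
        if matches(allow_from):
            allowed = True
        return allowed
    if order == "allow,deny":
        allowed = matches(allow_from)
        if matches(deny_from):
            allowed = False
        return allowed
    raise ValueError("unsupported order: %r" % order)


def satisfy(mode, host_ok, user_ok):
    """Satisfy all: host AND user checks must pass. Satisfy any: either suffices."""
    if mode == "all":
        return host_ok and user_ok
    if mode == "any":
        return host_ok or user_ok
    raise ValueError("unsupported Satisfy mode: %r" % mode)


def check_request(rule, client_ip, client_host=None, user_ok=False):
    """Decide a request against one container's rule (a dict mirroring its directives).

    user_ok stands for 'the client presented credentials that meet the Require
    directive'; if the rule has no Require, host-based control alone decides.
    """
    host_ok = host_access(rule["order"], rule.get("allow", []), rule.get("deny", []),
                          client_ip, client_host)
    if not rule.get("require"):
        return host_ok
    return satisfy(rule.get("satisfy", "all"), host_ok, user_ok)


# Constructed rules transcribed from the two httpd.conf fragments on the slides.
DOCROOT_RULE = {"order": "deny,allow", "deny": ["all"], "allow": ["144.25.192.170"]}
ROOT_RULE = {"order": "deny,allow", "deny": ["all"], "allow": ["hq1.us.oracle.com"],
             "require": "valid-user", "satisfy": "all"}


if __name__ == "__main__":
    print("docroot from 144.25.192.170:", check_request(DOCROOT_RULE, "144.25.192.170"))
    print("docroot from 10.0.0.5:", check_request(DOCROOT_RULE, "10.0.0.5"))
    print("/ from hq1 with valid login:",
          check_request(ROOT_RULE, "10.1.2.3", "hq1.us.oracle.com", user_ok=True))
    print("/ from hq1 without login:",
          check_request(ROOT_RULE, "10.1.2.3", "hq1.us.oracle.com"))
    # The ordering pitfall: an allow line with no deny line admits everyone
    # under deny,allow, but acts as a whitelist under allow,deny.
    print("deny,allow, allow-only, other host:",
          host_access("deny,allow", ["144.25.192.170"], [], "10.0.0.5"))
    print("allow,deny, allow-only, other host:",
          host_access("allow,deny", ["144.25.192.170"], [], "10.0.0.5"))
```

The practical check this models: under order deny,allow the "deny from all" line is what turns the following allow line into a whitelist; without it the allow line changes nothing. Satisfy all then means a client on the right host still has to authenticate, whereas Satisfy any would let either the host match or the credentials admit the request.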
Establishing Secure Web Sessions
 The SSL protocol is a standard for secure
  data transmission over the Internet.
 SSL involves three mechanisms:
  –   Encryption
  –   Authentication
  –   Data integrity
 SSL is implemented through mod_ossl.
How SSL Works
 [Figure: SSL session setup between the Browser and Oracle9iAS: 1 https request, 2 server's public certificate, 3 session key, 4 request for a client certificate (optional)]
Oracle Wallet Manager

 Oracle Wallet Manager is a stand-alone
  Java application for:
  –   Generating a public/private key pair and creating
      a certificate request for submission to a CA.
  –   Installing a certificate for the entity.
  –   Configuring trusted certificates for the entity.
  –   Uploading or downloading a wallet to or from an
      LDAP directory such as Oracle Internet
      Directory.
  –   Importing and exporting wallets.
Creating a Certificate Request
Exporting a Certificate Request
Oracle HTTP Server with SSL Enabled
 Oracle HTTP Server is already SSL enabled
  after the installation:
  –   SSL is enabled in opmn.xml
 <ohs>
    <start-mode mode="ssl"/>
 </ohs>

  –   There is no specific command to start the Oracle
      HTTP Server with SSL enabled:
 $> cd $ORACLE_HOME/dcm/bin
 $> dcmctl start -ct ohs
What is Single Sign-On?

 Oracle Application Server Single Sign-On
  (SSO) is a service that enables:
  –   Authentication to multiple applications in an
      enterprise by entering a username and
      password only once
  –   Centralized administration of username and
      password combinations for all users in an
      enterprise
Single Sign-On

 SSO technology utilizes:
  –   mod_osso: An HTTP module that provides
      single sign-on authentication to Oracle9iAS
      applications
  –   Oracle Internet Directory: A Lightweight Directory
      Access Protocol (LDAP) server using an
      Oracle9i database as its information store
  –   Oracle Wallet Manager: A container utility that
      stores and manages X.509 certificates and
      trusted certificates
Single Sign-On

 Oracle9iAS SSO technology provides:
  –   Public key infrastructure (PKI) support when
      using Oracle Internet Directory
  –   Multitier integration
Authenticating Partner Applications
 [Figure: Seven-step authentication flow among the Partner Application (fronted by Oracle HTTP Server), the SSO Server, and Oracle Internet Directory]
Administering Users With the Delegated Administration Service (DAS)
http://<hostname>:<port>/oiddas
Lightweight Directory Access Protocol (LDAP)

 LDAP offers the following features:
  –   Simplified ISO X.500 Directory Access Protocol
  –   Lightweight, browser-friendly client
      implementation
  –   Protocol standard defined and maintained by the
      Internet Engineering Task Force (IETF)
  –   Need for interoperability is driving rapid adoption
      in the IT community
Oracle Internet Directory (OID)

 OID is:
  –   Compliant with LDAP, version 3
  –   Implemented as an Oracle9i application
 OID includes:
  –   Oracle Directory Server
  –   Oracle Directory Replication Server
  –   Oracle Directory Manager
  –   Command-line tools
  –   Delegated Administration Service (DAS)
OID Architectural Overview
 [Figure: OID clients and directory administration reach OID over LDAP or LDAP over SSL; OID reaches the Oracle database over Oracle Net connections]
Benefits of OID

 OID provides:
  –   Delegated Administration Service (DAS)
  –   Failover in cluster configurations
  –   Support for Oracle Real Application Clusters
  –   Oracle Directory Integration platform, to
      synchronize with other enterprise repositories
      including third-party LDAP directories
  –   Password policy management
Identity Management

 Centralizes and automates many
  application user management functions
 Faster deployments
 Brings OID, SSO, DAS, and other security
  components into one management system
QUESTIONS
 ANSWERS