| Oracle® Collaboration Suite Security Guide 10g Release 1 (10.1.2) Part Number B25494-10 |
|
|
View PDF |
| Oracle® Collaboration Suite Security Guide 10g Release 1 (10.1.2) Part Number B25494-10 |
|
|
View PDF |
This chapter discusses security in Oracle Collaboration Suite Applications. It contains the following topics:
Oracle Collaboration Suite enables administrators to delegate administration responsibilities to other users. For example, the administrator may choose to assign responsibilities to users, as follows:
Oracle Calendar
SYSOP: Start, stop, and manage the Oracle Calendar server
Users: Manage groups and holidays on a calendar node
|
See Also: Oracle Calendar Administrator's Guide and Oracle Calendar Reference Manual for more information |
Oracle Content Services
Application Administrator: Manage users, quota, libraries, categories, content, and records at the Site and Container level
System Administrator: Manage the Oracle Content Services domain by starting and stopping nodes, services, and servers, tuning the system to ensure reliability and performance, creating, modifying, and deleting sites, as well as registering custom workflows
Oracle Mail
System Administrator: Change process settings and start and stop servers
Domain Administrator: Maintain users and user quota within a specific domain
Oracle Real-Time Collaboration
Business Monitor: Monitor or analyze the administrative details of a conference, for example, conference start or end times, attendee join or exit time etc. It also gives you access to a variety of reports, such as Usage, Feedback, Quality of Service and Security.
Business Administrator: Start up or shut down Oracle Real-Time Collaboration processes, access log files, configure a new or existing Oracle Real-Time Collaboration host, and manage sites
|
Note: Each of these roles could be granted Oracle Real-Time Collaboration system wide or for a specific site. |
|
See Also: "Oracle Real-Time Collaboration Administration Features" in Chapter 1 of Oracle Real-Time Collaboration Administrator's Guide for more information |
Using Oracle Collaboration Suite, you can access your content, such as files, e-mail messages, Web conference, and appointments, through a variety of clients, including browsers, native clients, and wireless devices. Oracle Collaboration Suite uses Oracle Application Server to deliver content to Web and mobile devices. Oracle Application Server uses Secure Sockets Layer (SSL) to secure network traffic between the Web server and the client. SSL, in turn, uses Public Key Infrastructure (PKI) certificates to enable, both network encryption between the client and the server and server authentication. In server authentication, a certificate is provided for a specific server by a Certificate Authority (CA) that the browser trusts.
SSL can be preconfigured for Oracle Collaboration Suite but with a self-signed certificate. When a browser accesses Oracle Collaboration Suite that is using the self-signed certificate, the browser displays a message that the certificate is not trusted. It is important that you obtain a real certificate from a well-known CA such as Verisign.
You need only one certificate for all the Applications tier servers because of the virtual server capabilities of Oracle Application Server. This certificate enables you to secure all Web applications, such as Oracle Calendar, Oracle Mail, Oracle Content Services, and OracleAS Portal.
Using a Wireless Access Protocol (WAP) device to access Oracle Collaboration Suite is a special scenario. A WAP device implements a standard known as Wireless Transport Layer Security (WTLS). A WTLS-compliant WAP gateway must be used to provide the conversion between WTLS and SSL. When this conversion takes place, there is a small period of time for which the content you are reading will exist in the unencrypted format in the memory of the WAP gateway at your service provider. If this is a major concern, then you can implement your own WAP gateway and dial-up infrastructure. The majority of PDA browsers now implement SSL.
This section contains the following topics:
Oracle Internet Directory can manage the public keys of users. An advantage of using PKI is the ability to implement client authentication. You authenticate yourself to servers through user names and passwords.
In the case of PKI, clients can use certificates for authentication. Most browsers have wallets to store client SSL certificates. By enabling certificate-based authentication with the OracleAS Single Sign-On server, you will not have to type or remember user names and passwords but will be authenticated to the server and other Web applications using local certificates.
To perform administration tasks for all Applications tier components by using the Application Server Control for Oracle Collaboration Suite or the Grid Control, administrators use an HTML form. Unless Oracle HTTP Server and Oracle Enterprise Manager are configured for SSL, unencrypted passwords are transmitted over the network.
By default, Java Database Connectivity (JDBC) does not encrypt network connections between Applications tier components and Oracle Database. Sites can opt to use Oracle Advanced Security to encrypt these connections.
You can choose whether or not to use SSL to connect to Oracle Internet Directory. If you do not choose to use SSL, then unencrypted passwords may be sent over network connections between Applications tier processes and Oracle Internet Directory.
|
See Also: Oracle Internet Directory Administrator's Guide for information about configuring SSL for use with Oracle Internet Directory |
Security is a primary concern for any application used to manage sensitive, personal information. A number of options are available to an administrator seeking to enhance or customize the security of an Oracle Calendar server installation. In addition to increasing the security of the operating environment and implementing good maintenance and monitoring practices, Oracle Calendar server administrators have access to a configurable, extensible Authentication, Compression, and Encryption (ACE) framework.
This section describes the structure and configuration of the authentication, compression, and encryption methods. Additional security considerations for installations using a directory server are detailed, as well as a number of other measures that may be employed to further protect calendar data. This section contains the following topics:
The ACE framework was developed by Oracle to allow administrators to ensure the security and integrity of all data passing between Oracle Calendar servers, and between server and client.
Data passes between the server and clients, and between multiple servers if nodes are distributed across more than one host. If an external directory is used, data also passes between the Oracle Calendar server and the directory server. The ACE framework applies to communication between the Oracle Calendar servers, as well as between the Oracle Calendar servers and clients. Refer to Directory Server Security for a separate discussion of the security options for passing data between the Oracle Calendar servers and their supporting directory servers.
Secure connections may involve the use of compression (to reduce the network bandwidth required for communications) and/or encryption (to enhance the security of network communications). Both compression and encryption increase the amount of CPU time required to prepare the communication for transmission. The impact on performance varies with the methods. In general, the better the compression or the more secure the encryption, the greater the impact on performance. This section contains the following topics:
Secure connections to calendar clients and other calendar servers are controlled by a configurable set of authentication, compression, and encryption methods. These methods are determined at the time the connection is requested. The ACE methods are both configurable and extensible. Refer to Available Plug-Ins and Configuration for the relevant configuration parameters, and Extending the ACE Framework for details on extending the available set of methods.
|
Note: Only Oracle Calendar desktop clients 5.0 and higher, Oracle CorporateSync 3.0 and higher, Oracle Calendar Web clients 3.1 and higher, and Oracle Connector for Outlook support the ACE framework. Other clients, including Oracle CorporateSync for Mac 2.1.x, require the use of thecs-basic authentication method. If you plan to use Oracle CorporateSync 2.1.x for the Mac, you must add cs-basic to the list of supported authentication mechanisms specified by the [AUTHENTICATION] supported parameter. |
The Oracle Calendar server negotiates with a client as follows:
The client starts up and connects to the server.
The client queries the server for the supported and default authentication, compression, and encryption methods.
The server returns a list of the supported and default authentication, compression, and encryption methods.
If the client cannot support one of the default methods, the server and client negotiate using the list of supported methods sent to the client in Step 3 to agree on a method that both support. Note that one of the supported methods for both compression and encryption can be none, making both compression and encryption optional.
The server authenticates the user using the negotiated authentication method.
The client and server communicate using the agreed upon methods for the duration of the user session.
|
Note: If the client and server cannot agree on authentication, compression, and encryption methods, the negotiation fails and the server does not accept requests from the client. |
The server negotiates with another calendar server as follows:
Server A receives a request from Server B.
Server A sends Server B a list of the supported and default authentication, compression, and encryption methods.
If Server B cannot support one of the default methods, Server A and Server B negotiate using the lists of supported methods sent in Step 2 to agree on a method that both support. Note that one of the supported methods for both compression and encryption can be none, making both compression and encryption optional.
Server A authenticates Server B using the negotiated authentication method.
Servers A and B communicate using the agreed upon methods for the duration of the connection.
Recall that communication between two calendar servers is through the uniengd. In this case, the uniengd on Server B asks the unisncd on Server B for a connection to a uniengd on Server A. The methods are in effect until the requesting uniengd on Server B returns the connection to the unisncd.
|
Note: If the two servers cannot agree on authentication, compression and encryption methods, the negotiation fails and Server A does not accept requests from Server B. |
Oracle Calendar provides support for a number of different authentication, compression and encryption methods. This section discusses the plug-ins that are included in a typical Calendar installation. Moreover, they do not require any additional encryption software on the desktop client workstation.
The methods packaged with the Oracle Calendar server are:
Authentication
Standard Authentication (cs-standard)
A secure authentication method where the user's password is encrypted with a secure encryption method using 3DES, and has a unique session key. The transmission between the client and the server is verified for integrity with a cyclic redundancy check to prevent a replay attack.
SyncML MD5 1.01 Authentication (challenge:SYNCMLMD5_V101)
This authentication plug-in is used by SyncML version 1.01 devices when performing challenge-response based authentication.
SyncML MD5 1.1 Authentication (challenge:SYNCMLMD5_V110)
This authentication plug-in is used by SyncML version 1.1 devices when performing challenge-response based authentication.
Compression
Run Length Encoding Compression (cs-simple)
This plug-in will compress all data transferred between the Oracle Calendar client and server using a run length encoding compression algorithm.
Encryption
Affine Cipher (cs-acipher1)
This plug-in will encrypt all data transferred between the client and server using an affine cipher algorithm.
Light Encryption (cs-light)
This plug-in will encrypt all data transferred between the client and server using a light and fast encryption algorithm.
Oracle AES (oracle:AES)
For information about AES Encryption, refer to Advanced Encryption Standard.
Oracle DES (oracle:DES)
For information about DES Encryption, refer to DES Encryption.
To enable the ACE framework and ensure secure server-to-client or server-to-server connections in a node network, set the [ACE] frameworkenable parameter in the %ORACLE_HOME/ocal/misc/unison.ini ($ORACLE_HOME\ocal\misc\unison.ini) file to TRUE.
Table 2-1 lists the parameters used to configure the authentication, compression, and encryption methods used for communication within a calendar network (server to client, server to server). Refer to Extending the ACE Framework for information on extending the sets of supported methods. Refer to Chapter 3 of the Oracle Calendar Reference Manual, for details of these parameters.
Table 2-1 ACE Configuration Parameters
This section describes the use of the ACE plug-ins, and details the mechanism for extending the set of plug-ins available in the server.
To extend the set of plug-ins available through the ACE framework, first, if the plug-in is not already installed, install the plug-in on your system, and then integrate it into the server. The installation of third-party plug-ins is the responsibility of the system administrator. Refer to the appropriate documentation for details. To integrate the plug-in into the Oracle Calendar server, you will need to add the appropriate keywords to one or more places in the unison.ini file.
For all methods except those that support sub-mechanisms, derive the keyword from the name of the plug-in in the following manner. Remove the substring "aut_", "cmp_", or "enc_" and all characters that precede it. Remove the filename extension and the period that precedes it. The remaining string is the keyword to add to the unison.ini file.
In the case of plug-ins, which support sub-mechanisms, the keyword has the format <plug-in_name>:<sub-mechanism_name>. Derive <plug-in_name> as described earlier in this section.
|
See Also: Table 2-2 for more information on submechanism names and a full list of supported plug-in names and libraries |
Plug-In Libraries
Each plug-in is a shared library under UNIX, or a DLL under Windows. The name of the plug-in contains a substring that indicates the type of the plug-in. The following table lists shared library and DLL names for all supported methods of authentication, compression and encryption:
Table 2-2 ACE Configuration Plug-Ins
| Substring | Plug-In name | Shared Library or DLL name |
|---|---|---|
aut_ |
Authentication:
|
libaut_cs-standard.so (Linux/Solaris)
|
aut_ |
Authentication: challenge:SYNCMLMD5_V101
|
libaut_challenge.so (Linux/Solaris)
|
aut_ |
Authentication: gssapi:kerberos5 |
libaut_gssapi.so (Linux/Solaris)
|
aut_ |
Authentication: web:CAL
|
libaut_web.so (Linux/Solaris)
|
cmp_ |
Compression:
|
libcmp_cs-simple.so (Linux/Solaris)
|
enc_ |
Encryption:
|
libenc_cs-acipher1.so (Linux/Solaris)
|
enc_ |
Encryption:
|
libenc_cs-light.so (Linux/Solaris)
|
enc_ |
Encryption:
|
libenc_oracle.so (Linux/Solaris)
|
|
Note: Thecs-basic authentication plug-in is not a true plug-in in that it is not a shared library. It pre-dates the ACE framework as the authentication method built into the server. The cs-basic authentication plug-in must be enabled manually if older clients are to be used, including Oracle CorporateSync 2.1.x for Mac. |
Once you have determined the keyword, you must add it to the appropriate list of supported methods in the unison.ini file. Add authentication methods to the [AUTHENTICATION] supported parameter, compression methods to the [COMPRESSION] supported parameter, and encryption methods to the [ENCRYPTION] supported parameter. If you want the new method to be the default, also set the appropriate default and/or servicedefault parameters in the appropriate [AUTHENTICATION], [COMPRESSION] or [ENCRYPTION] section of the $ORACLE_HOME/ocal/misc/unison.ini (%ORACLE_HOME\ocal\misc\unison.ini) file. For more details on these parameters, refer to Chapter 3 of the Oracle Calendar Reference Manual.
ACE Configuration Example
Howard administers his organization's installation of Oracle Collaboration Suite. Having done some research, he realizes that some changes must be made to the Oracle Calendar server in order to comply with his organization's security policy.
The only acceptable methods of authentication are either Standard Authentication (cs-standard) or SyncML MD5 1.1 Authentication (challenge:SYNCMLMD5_V110), and moreover, the default should be the former. In order to enforce this policy, Howard edits the [AUTHENTICATION] section of the Oracle Calendar server's unison.ini file with the following parameter modifications:
[AUTHENTICATION]supported = {cs-standard, challenge:SYNCMLMD5_V110}default = cs-standard
In terms of compression, Howard chooses to allow users to decide whether or not they wish to compress the data sent between the Oracle Calendar server and Oracle Calendar clients using cs-simple. As a default, compression is not required. In order to enforce this policy, Howard edits the [COMPRESSION] section of the Oracle Calendar server's unison.ini file with the following parameter modifications:
[COMPRESSION]
supported = {cs-simple, none}
default = none
Lastly, Howard would like all data to be encrypted using the cs-acipher1 plug-in. In order to enforce this policy, Howard edits the [ENCRYPTION] section of the Oracle Calendar server's unison.ini file with the following parameter modifications:
[ENCRYPTION]
supported = {cs-acipher1}
default = cs-acipher1
Setting Different ACE Configuration Settings for Each OCAS Plug-In
Each Oracle Calendar Application System (OCAS) plug-in (Web, Web services, and Sync) has a specific configuration file. Each plug-in configuration file can be used to set different ACE configurations. The following example demonstrates how to set different ACE configuration settings for each OCAS plug-in.
Consider the following scenario:
Oracle Calendar Web client needs to use the web:CAL authentication scheme.
Oracle Calendar Web services needs to use the cs_standard authentication scheme.
Oracle Mobile Data Sync needs to use the enc_cs-light encryption scheme.
The configuration settings are as follows:
Modify the following parameters in the OCAS configuration file (ocas.conf):
[ACE_PLUGINS_CLIENT] web_attribute_type=userid web_attribute_name=REMOTE_USER web_CAL_sharedkey=123456789 aut_web_loglevel = 3 [ACE] Authentication=default Compression=default Encryption=default
Modify the following parameters in the Oracle Calendar Web client configuration file (ocwc.conf):
[ACE] Authentication=web:CAL Compression=default Encryption=default s
Modify the following parameters in the Oracle Calendar Web services configuration file (ocws.conf):
[ACE] Authentication= cs_simple Compression=default Encryption=default
Modify the following parameters in the Oracle Mobile Data Sync configuration file (ocst.conf):
[ACE] Authentication=default Compression=default Encryption=enc_cs-light
The standalone Oracle Calendar Web client comes with its own login page that allows calendar users to provide their user information and password to access the Oracle Calendar server. For most deployments, this infrastructure is sufficient. However, some customer deployments need to integrate the Oracle Calendar Web client into a solution that includes many other services. When a number of heterogeneous systems are grouped into one solution, it is usually a good practice to offload the security and authentication of users to a service that will harmonize and abstract the various underlying security schemes.
This section describes how to integrate the Oracle Calendar Web client with a third-party authentication framework. It contains the following topics:
|
Note: The example in this section demonstrates how to configure Apache to secure the Oracle Calendar Web client directory using the Apache distributed configuration files architecture (.htaccess files). You can follow the same procedure for any third-party authentication framework. |
The following requirements must be met to configure the Oracle Calendar Web client to integrate with a third-party authentication framework:
Oracle Calendar Web client 9.0.4.X and above
Apache 1.3.X and above
Oracle Calendar server 9.0.4.X and above
Administrator access to the Apache, Oracle Calendar Web client and Oracle Calendar server directories and applications
|
Caution: Oracle recommends that both the Oracle Calendar Web client and the Oracle Calendar server be deployed and tested using the Oracle Calendar Web client login page. After you verify that all systems work as expected, you can change the configuration settings. |
To configure the Oracle Calendar server:
Edit the $ORACLE_HOME/ocal/misc/unison.ini (for Microsoft Windows: %ORACLE_HOME\ocal\misc\unison.ini) file.
The list of supported authentication methods is specified in the [AUTHENTICATION] supported parameter. To add the Web authentication plug-in, represented by the string web:CAL for standalone Calendar server deployments, and by web:OTMT for Oracle Collaboration Suite deployments, include the appropriate string within the list of supported methods, as follows:
[AUTHENTICATION]
supported = {cs-standard, web:OTMT, challenge:SYNCMLMD5_V101, challenge:SYNCMLMD5_V110, web:CAL}
default = cs-standard
servicedefault = cs-standard
Add and configure the following parameters in the [ACE_PLUGINS_SERVER] section:
[ACE_PLUGINS_SERVER] cs-standard_coexistence = TRUE web_CAL_sharedkey=123456789
|
Note: Theweb_CAL_sharedkey parameter is a string composed of ASCII characters. |
Save the unison.ini file.
Restart Oracle Calendar server.
|
See Also: "Configuration Parameters" in Chapter 3 of Oracle Calendar Reference Manual for information about the Oracle Calendar server configurable parameters in theunison.ini file |
To configure the Oracle Calendar Web client:
Open the $ORACLE_HOME/ocas/conf/ocwc.conf (for Microsoft Windows: %ORACLE_HOME\ocas\conf\ocwc.conf) file for editing.
Enable the Web authentication plug-in by changing the value of the [ACE] Authentication parameter to web:CAL. Set this parameter as follows:
[ACE] Authentication = web:CAL
|
Note: web:CAL authentication can only be specified in Oracle Calendar standalone deployments. If you are using Oracle Calendar with an Oracle Collaboration Suite deployment, set the Authentication parameter to web:OTMT. |
Open the $ORACLE_HOME/ocas/conf/ocas.conf (for Microsoft Windows: %ORACLE_HOME\ocas\conf\ocas.conf) file for editing.
Modify the [ACE_PLUGINS_CLIENT] section, as follows:
#----------------------------------------------------------- # This section is used to provide ACE configuration settings # required by the ACE plugins. #----------------------------------------------------------- [ACE_PLUGINS_CLIENT] web_attribute_type=userid web_attribute_name=REMOTE_USER web_CAL_sharedkey=123456789 aut_web_loglevel = 3
|
Note: You need to ensure that the value of theweb_CAL_sharedkey parameter matches that specified in the unison.ini file. |
|
See Also: "OCAS.CONF" and "OCWC.CONF" in Chapter 4 of Oracle Calendar Reference Manual for information about theocas.conf and ocwc.conf configuration parameters, respectively |
To configure the Apache distributed configuration files architecture, perform the following steps:
For UNIX-based platforms, modify the following lines in the $ORACLE_HOME/ocas/conf/ocal.conf file:
<Directory "%ORACLE_HOME%/ocas/bin/">
SetHandler fastcgi-script
AllowOverride All
Options None
Order allow,deny
Allow from all
<IfModule mod_ossl.c>
SSLOptions +StdEnvVars
</IfModule>
On Microsoft Windows, modify the following lines in the %ORACLE_HOME\ocas\conf\ocal.conf file:
<Directory "%ORACLE_HOME%\ocas\bin\">
SetHandler fastcgi-script
AllowOverride All
Options None
Order allow,deny
Allow from all
<IfModule mod_ossl.c>
SSLOptions +StdEnvVars
</IfModule>
Set up your users and the login password they will need to use when accessing the protected directory, as follows:
Change to the Apache/bin (for Microsoft Windows: Apache\bin) directory.
On UNIX-based platforms, type the following command to encode the user ID and password:
./htpasswd -c $ANY_DIRECTORY/htpasswd $ANY_USERID
The equivalent command on Microsoft Windows is:
htpasswd -c %ANY_DIRECTORY%\htpasswd %ANY_USERID%
Where
$ANY_DIRECTORY is a directory where the htpasswd file will be written to and $ANY_USERID is the user ID an Oracle Calendar user would use to log in to the Oracle Calendar Web client using the login page. For Microsoft Windows, htpasswd must be included in the PATH variable or should be in the current directory
|
Note: The$ANY_USERID must be the same as the Calendar user ID for this example to work. |
You will be prompted to enter a password for $ANY_USERID. Type any password. This password does not need to be your calendar password.
On UNIX-based platforms, create a file called .htaccess in the $ORACLE_HOME/ocas/bin directory with the following content:
AuthUserFile "$ANY_DIRECTORY/htpasswd" AuthName "My Company custom login" AuthType Basic require valid-user
On Microsoft Windows, create a file called .htaccess in the %ORACLE_HOME%\ocas\bin directory with the following content:
AuthUserFile "%ANY_DIRECTORY%\htpasswd" AuthName "My Company custom login" AuthType Basic require valid-user
|
Note: Make sure that theAuthUserFile parameter points to the location where you created your htpasswd file. |
Restart Apache and the Oracle Calendar Web client.
When you type the following URL, you should be prompted for a user ID and password:
http://myhost/ocas-bin/ocas.fcgi?sub=web
If the login is successful, you will automatically be redirected to the Oracle Calendar Web client without having to go through the Calendar Web client login page.
Figure 2-2 illustrates the components involved while integrating the Oracle Calendar Web client with a third-party authentication framework.
The working of the components is described, as follows:
Initially, Apache sets the REMOTE_USER environment variable in the FastCgi request environment.
The Oracle Calendar Web client uses the configuration file and identifies the REMOTE_USER environment variable (web_attribute_name=REMOTE_USER).
The Oracle Calendar Web client retrieves the REMOTE_USER environment variable and passes it to the Oracle Calendar server through the secure link.
In addition to the REMOTE_USER variable, the Oracle Calendar Web client also informs the Oracle Calendar server about the nature of the value that is sent to it (web_attribute_type=userid).
The Oracle Calendar server verifies the password (web_CAL_sharedkey=123456789) provided by the Oracle Calendar Web client. After the Oracle Calendar server verifies the credentials, the user is allowed to log in.
Using the Custom Solution
To avoid using the Oracle Calendar Web client login page and provide your custom secure solution, you must keep in mind the following:
The Oracle Calendar Web client will always look for an environment variable to get the user credentials. Your secure solution must set that environment variable.
You can always change the name of the value to be retrieved from the environment variables. For example, web_attribute_name=SOME_CUSTOM_ENV.
You can also instruct the Oracle Calendar Web client to run a script that performs some operation to set the environment variable, as follows:
[ACE_PLUGINS_CLIENT] web_attribute_type=custom web_attribute_name=REMOTE_USER web_CAL_sharedkey=123456789 aut_web_loglevel = 3 web_custom_script=/home/custom/script.sh
For Microsoft Windows platform: the script should set the environment variables, as follows:
[ACE_PLUGINS_CLIENT]
web_attribute_type=custom
web_attribute_name=REMOTE_USER
web_CAL_sharedkey=123456789
aut_web_loglevel = 3
web_custom_script=Drive_Letter\home\custom\script.bat
Where script.sh|bat could perform some operation to set the REMOTE_USER variable. The script can be useful if the user credential used to authenticate against your custom solution is not exactly the same as the one used to log in to the Oracle Calendar server. The script can be used to control the environment variable value to fit what the Oracle Calendar server would expect.
In the case of errors, check the following:
Double-check the ocas_log file for errors.
Refer to the auth_web.log file in the $ORACLE_HOME/ocas/bin (for MIcrosoft Windows: %ORACLE_HOME%\ocas\bin) directory for information about what could be wrong with the web:CAL authentication.
Refer to the Oracle Calendar server log files or Apache log files for more information.
Within the ACE framework, Oracle offers the option of configuring the Oracle Calendar server to use Kerberos 5 as an authentication method. This section contains the following topics:
Kerberos was developed by MIT as a means of performing secure authentications across an insecure network. In this type of environment, a Kerberos server is used as a central authority for authentications. A user gets a ticket from the Kerberos server that represents their identity, and then uses this ticket to request access from services that also authenticate using Kerberos. When the service verifies that the ticket is valid, the user is granted access to the service.
The Oracle Calendar server uses the aut_gssapi ACE plug-in to interface with Kerberos. This interface then allows users to log into the Oracle Calendar server with a valid Kerberos ticket. Because the user's user ID is taken from the Kerberos ticket, there is no need, on the client side, to provide a user name or password.
There are two parts to configuring an Oracle Calendar server to use Kerboros 5:
This section explains the steps that must be carried out on the Kerberos 5 server in order to use Oracle Calendar as a service. Although descriptions of the requirements are provided herein, the detailed technical steps are not. For detailed information relating to Kerboros 5 configuration, refer to MIT's Kerberos V5 System Administrator's Guide at the following URL:
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.1/doc/krb5-admin/index.html
The Kerberos server must be configured to recognize the Oracle Calendar server as a Kerberos-enabled service. This can be achieved in four steps:
Define a principal name:
In order to be recognized by the Kerberos server, the Oracle Calendar server service must have a principal name defined. The principal name can be any string of characters that you wish to use to identify the service. Although the principal name can be any value, Oracle recommends using uniengd, as it is the default value that the Oracle Calendar server assumes when the service principal is not specified.
|
Note: If multiple instances of Oracle Calendar server exist on the same host, it is recommended to give each instance its own distinct principal name. |
Define a principal instance:
The principal instance must be defined using the fully qualified domain name of the machine hosting Oracle Calendar server.
Export the service principal's credentials:
Export the service principal's credentials into a keytab file that the Oracle Calendar server will be able to read. The keytab file must be readable by the owner of the Calendar uniengd process, and for best security should not be readable by any other users.
Specify the location of the service principal's exported keytab file:
Specify the full path of the persistent encrypted ticket (defined by the default_keytab_name parameter) in the Kerberos 5 workstation's krb5.conf file.
Once the Kerberos 5 setup is complete, the Oracle Calendar server must be configured to allow the use of Kerberos 5 as an authentication method. This is accomplished in five parts, with various steps outlined below:
Associate the plug-in with the principal name:
Open the $ORACLE_HOME/ocal/misc/unison.ini (for Microsoft Windows: %ORACLE_HOME%\ocal\misc\unison.ini) configuration file.
On the last line of the file, add the following section, if it does not already exist, otherwise proceed to the next step:
[ACE_PLUGINS]
Directly under [ACE_PLUGINS] section, add the following line:
gssapi_serviceprincipal=<kerberos principal name>
Where <kerberos principal name> represents the principle name defined in Step 1 in Preparing for Kerberos 5 Authentication.
|
Note: Ifuniengd was used as the Kerberos principal name on the Kerberos server, then this parameter does not need to be added. If the parameter is not specified, the Oracle Calendar server assumes that it is the default: uniengd. |
Save the file.
Add Kerberos as a supported authentication mechanism:
Open the unison.ini configuration file.
Within the [AUTHENTICATION] section of the file, add the following string to the supported parameter list:
gssapi:kerberos5
|
Note: If you wish to define Kerberos 5 as the default authentication method, the[AUTHENTICATION] default parameter must also be set to gssapi:kerberos5 . |
Save the file
Set your environment variables:
OCAL_ADDITIONAL_LIBPATH should include the path to the Kerberos 5 libraries.
|
Note: For Oracle Calendar server deployments on Microsoft Windows, the host computer must be restarted so that this environment variable takes effect. |
KRB5_CONFIG is the location of the krb5.conf file, including the file name. This environment variable does not need to be set if the krb5.conf has been installed in the default location: /etc/krb5.conf (for Microsoft Windows: C:\winnt\krb5.ini).
|
Note: These environment variables must always be set prior to starting the Oracle Calendar server. |
If Calendar has been deployed with Oracle Collaboration Suite, a modification must be made to the opmn.xml file in order to apply these configuration changes. If your Calendar server is a standalone deployment, skip this step, and go to Step 5.
Open the $ORACLE_HOME/opmn/conf/opmn.xml (for Microsft Windows: %ORACLE_HOME%\opmn\conf\opmn.xml) file.
Locate the <ias-component id="CalendarServer"> section of the file.
Within the <environment> sub-section of the <ias-component id="CalendarServer"> section add the following variable ID:
<variable id="KRB5_CONFIG" value="<pathtoKRB5.conf>"/>
Where <pathtoKRB5.conf> is the location of the krb5.conf file, including the file name. For example, if your krb5.conf file is located in the /etc (for Microsoft Windows: C:\winnt\) directory, the <environment> subsection should have the following entry:
<variable id="KRB5_CONFIG" value="/etc/krb5.conf/">
For Microsoft Windows:
<variable id="KRB5_CONFIG" value="C:\winnt\krb5.ini\">
|
Note: krb5.conf is the Kerberos configuration file on Unix operating systems. On Microsoft Windows, the Kerberos configuration file is krb5.ini. |
Save the opmn.xml file.
Force a reload of the opmn.xml file by running the following command from the $ORACLE_HOME/opmn/bin (for Microsoft Windows: %ORACLE_HOME%\opmn\bin) directory:
% opmnctl reload
Register the changes to Distributed Configuration Management using the following command:
dcmctl updateconfig -ct opmn
Restart the Oracle Calendar server. For information on restarting the Oracle Calendar server, refer to Chapter 4 of the Oracle Calendar Administrator's Guide.
When implementing Kerberos with supported third-party directory servers, some additional configuration steps are required. These steps are not required when Calendar is deployed with Oracle Collaboration Suite, or in standalone installations with an internal directory.
Open the $ORACLE_HOME/ocal/misc/unison.ini (for Microsoft Windows: %ORACLE_HOME%\ocal\misc\unison.ini) configuration file.
Add the following parameter to the [DAS] section of the unison.ini file:
dir_usewritednforadmin=TRUE
Add the following parameters with the appropriate values to the [LDAP] section of the unison.ini file:
writedn=<writedn> writednpassword=<encryptedwritednpassword>
|
See Also: Chapter 3 of the Oracle Calendar Reference Manual for more information about thewritedn and writednpassword parameters |
Save the file.
Secure Sockets Layer (SSL) encryption is used by default for all connections to Oracle Internet Directory to protect the data that flows between the Oracle Calendar server and the directory server, and prevent passwords from being sent across the wire in clear text.
The Oracle Mobile Data Sync server offers direct two-way synchronization with the Oracle Calendar server over any standard Hypertext Transfer Protocol (HTTP) connection, opening up the calendar infrastructure to any SyncML-compliant device or application with Internet access. If secure synchronization of data is a high priority for your organization, then use devices that support SSL synchronization. The list of devices on the Oracle Technology Network site (http://www.oracle.com/technology/index.html) specifies which devices support SSL synchronization. Oracle Mobile Data Sync supports SSL connections that are properly configured on the appropriate port during Oracle Collaboration Suite installation and configuration. The combination of using SSL with SyncML basic authentication should be sufficient for most deployments. However, for added security, the Oracle Mobile Data Sync server can be configured to support SyncML MD5 authentication. Note that not all SyncML-compliant mobile devices properly support MD5.
The following section identifies the post-installation steps required to enable MD5 authentication. It contains the following topics:
Enabling the Dynamic Verifier in Oracle Internet Directory for Passwords
Enabling the Dynamic Verifier in Oracle Internet Directory for PINs
Ensuring that the Dynamic Verifier Is Enabled Correctly for Passwords
Ensuring that the Dynamic Verifier Is Enabled Correctly for PINs
|
Note: The instructions provided explain how to enable MD5 authentication for both the single sign-on password and the Wireless PIN. The Oracle Mobile Data Sync server and the Oracle Calendar server can be configured to allow authentication with either the single sign-on password or the Wireless PIN, regardless of whether or not MD5 is being used. In 10g Release 1 (10.1.1), the Wireless PIN is the default. If applications are configured for PIN, then only the steps given for PINs need be performed and vice-versa for passwords. |
To enable the dynamic verifier in Oracle Internet Directory for passwords, perform the following steps:
Create a file containing the following information:
dn:cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext,<basedn> changetype: modify replace: orclpwdencryptionenable orclpwdencryptionenable: 1
Where
<basedn> is the value provided during install. For example, during test installs, the value is "dc=ca,dc=oracle,dc=com".
Run the following command where the port is usually 389:
more filename.ldif | ldapmodify -h <OID host> -p <OID port> -D cn=orcladmin -w <password>
Where
filename.ldif is the file that was created in Step 1.
To enable the dynamic verifier in Oracle Internet Directory for PINs, perform the following steps:
Create a file containing the following information:
dn:cn=DefaultSharedPinProfileEntry,cn=Common,cn=Products,cn=OracleContext changetype: modify add:orclpwdverifierparams;orclpasswordverifier orclpwdverifierparams;orclpasswordverifier: crypto:3DES
Run the following command where the port is usually 389:
more filename.ldif | ldapmodify -h <OID host> -p <OID port> -D cn=orcladmin -w <password>
Where
filename.ldif is the file that was created in Step 1.
To ensure that the dynamic verifier has been enabled correctly for passwords, perform the following steps:
Run the following command to check for the password dynamic verifier:
ldapsearch -h <OID host> -p <OID port> -D cn=orcladmin -w <password> -b "cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext,<basedn>" -s base "objectclass=*"
Search for the orclpwdencryptionenable attribute and ensure that it is set to 1.
To ensure that the dynamic verifier has been enabled correctly for PINs, perform the following steps:
Run the following command to check for the PIN dynamic verifier:
ldapsearch -h <OID host> -p <OID port> -D cn=orcladmin -w <password> -b "cn=DefaultSharedPinProfileEntry,cn=Common,cn=Products,cn=OracleContext" -s base "objectclass=*"
Search for the orclpwdverifierparams;orclpasswordverifier attribute and ensure that 3DES is listed.
You must reset your single sign-on password from the main preference page and the Wireless PIN from the Mobile Preferences page after the dynamic verifier has been enabled. Failure to do so will result in authentication errors.
|
Note: You need not change the single sign-on password and Wireless PIN while resetting them. |
To enable MD5 on the Oracle Calendar server, perform the following steps:
In the $ORACLE_HOME/ocal/misc/unison.ini (for Microsoft Windows: %ORACLE_HOME%\ocal\misc\unison.ini) file, add the following line under the [ENG] section:
syncml_allowmd5auth = TRUE
By default, the Oracle Mobile Data Sync server authenticates using the Wireless PIN. To change the option, set the syncml_authcredlabel parameter to PSW. The password to use for basic and MD5 authentication can be further customized by setting the syncml_basicauthcredlabel or syncml_md5authcredlabel to PSW or PIN, respectively, thus overriding the value set in syncml_authcredlabel.
Restart the Oracle Calendar server.
To enable MD5 on the Oracle Mobile Data Sync server, perform the following steps:
In the $ORACLE_HOME/ocas/conf/ocst.conf (for Microsoft Windows: %ORACLE_HOME%\ocas\conf\ocst.conf) file, change the requiremd5 parameter from False to True under the [ocst] section.
Restart the Oracle Mobile Data Sync server.
The following safeguards can be used to enhance the security of calendar data:
Oracle recommends that the Oracle Calendar server, if financial resources permit, be placed on a dedicated computer. In addition, turn off any TCP and UDP services on the host, which are not critical to the Oracle Calendar server (e.g., FTP, NFS server and client, or X server).
Users and administrators should take advantage of the other directory administration tools provided for password management. For Oracle Calendar server SYSOP passwords, the following are the policy or procedure recommendations:
Passwords should never be empty (or blank). This is especially important for the SYSOP or node administrator password.
Passwords should never be words, names, or personal information which would be easy for others to guess.
Passwords should be at least 8 characters long, and contain a combination of letters and numbers.
Avoid using the same password to access the Oracle Calendar server and other mission-critical systems (although this may not be possible if these applications all use the same directory server).
Use the unioidconf or unipasswd utilities in the $ORACLE_HOME/ocal/bin (for Microsoft Windows: %ORACLE_HOME%\ocal\bin) directory to change the SYSOP password. For more information on changing SYSOP passwords, refer to Chapter 4 of the Oracle Calendar Administrator's Guide.
The Oracle Calendar server supports passwords of up to 63 characters. Users who set their passwords to more than 15 characters may not be able to sign-in using older Oracle Calendar clients which only support password lengths of 15 characters.
Other configuration parameters to consider are ssignin and ssigninrestrictions in the [LIMITS] section which control whether a user can use the desktop clients' automatic sign on feature. Parameter invalidlogin_enable in the [ENG] section can be used to enable the invalid sign on counting mechanism. This parameter should only be used when Calendar has been deployed in standalone mode. The [ENG] allowpasswordchange_user parameter can be used to stop users from changing their password. For more details on these parameters, refer to Chapter 3 of the Oracle Calendar Reference Manual.
Even if the server is dedicated to the Oracle Calendar server, there are still additional security safeguards to consider.
If you have security servers within your organization, consider sending audit trail information from the Oracle Calendar server to your central security server. Turn on auditing for the server and conduct spot audits of the commands issued by the calendar user. The server protects a great deal of aggregate data, so ensure that your backups are protected from theft. Consider separate ownership of the root or administrator (auditing account) and the calendar (server management) accounts. This would allow root or administrator to detect potential abuses by the calendar owner.
It is more secure to run mission-critical applications within firewall-protected intranets. Make sure that the dial-up connections to your intranet are protected. This can be improved by using one-time password technology (e.g. SecurID). As with many TCP/IP protocols, promiscuous listening (where the attacker monitors network traffic) is a threat in any broadcast network. A number of steps can be performed to reduce the risk of this threat:
Physically protect hubs and routers. Use switched hubs when possible, especially on the server itself. Some hubs will block unauthorized, or unregistered MAC (or Ethernet addresses) on the LAN.
Consider router filtering between untrusted internal networks.
Use commercial firewalls to allow more complex TCP/IP filtering rules.
The server generates a number of useful audit trails. It is important to become familiar with these audit trails, and to check them regularly. Many commands will create log files on error conditions. Routinely check for the existence of new log files, and review their contents. Monitor the $ORACLE_HOME/ocal/log/act.log (for Microsoft Windows: %ORACLE_HOME%\ocal\log\act.log) for log on attempt abuses. Enable the act.log by setting the [ENG] activity parameter to TRUE in the $ORACLE_HOME/ocal/misc/unison.ini (for Microsoft Windows: %ORACLE_HOME%\ocal\misc\unison.ini) file. For more information on this parameter, refer to Chapter 3 of the Oracle Calendar Reference Manual. You can detect log on attempt abuses from the originating IP addresses. After the application is initially installed, record the file dates, file sizes, and checksums of all the binaries (the unicksum utility generates a checksum for a file). Periodically check that none of the binaries have been edited by comparing the current file dates, file sizes, and checksums with those recorded. Review <temp> directories for any suspicious files as they can be used as work areas.
Calendar data is very important and should be backed up regularly. Refer to Chapter 14 in Oracle Calendar Administrator's Guide for more information.
Denial of service attacks usually attempt to exhaust or destroy any resource required by a system to deprive users of the services they would normally expect. The most common kind of denial of service attack is simply to send more traffic to the network address of an application than the application can handle.
This section focuses on the class of denial of service attacks that take place while the Oracle Calendar server is running, and for which the attacker has not obtained direct access to the system on which the Oracle Calendar server is running.
The Oracle Calendar server can be configured to warn and protect against such attacks, by configuring parameters in the [ENG] section of the $ORACLE_HOME/ocal/misc/unison.ini (for Microsoft Windows: %ORACLE_HOME%\ocal\misc\unison.ini) file. The following is a list of configurable parameters, including brief descriptions, which can be used to warn and protect against denial of service attacks:
dos_maxsessionsperaddr - Control the number of client connections from a specific IP address.
dos_maxsessionsperaddrblacklist - Restrict connections to the Oracle Calendar server based on IP address.
dos_maxsessionsperaddrredline - Specify the maximum number of client connections from one IP address before logging begins.
dos_maxsessionsperaddrwhitelist - Specify a list of IP addresses that are exempted from being blocked.
dos_timeoutdatareceived - Timeout value for non-header data.
dos_timeouthandshake - Timeout value for handshake data.
|
See Also: Chapter 3 of the Oracle Calendar Reference Manual for more information on these parameters |
The server supports a very rich set of user-controlled access privileges (or rights). It is important to train end users on how these capabilities can be managed, so that users' information is protected from unauthorized access.
Try to limit assigning designate rights. You should only give designate rights to trusted individuals.
The default designate rights should be no designate rights. Set the viewing rights to no privileges, and add privileges as needed.
There are a number of overall limits, set by the server administrator, that can be set for all users.
Disabling attachments ([LIMITS] allowattachments) can prevent users from propagating proprietary information improperly. Setting maximum attachment size ([LIMITS] maxattachmentsize) can help prevent denial of service attacks caused by very large files that cause a server to run out of disk space. For more details on these parameters and others, refer to Chapter 3 of the Oracle Calendar Reference Manual.
It is recommended that you always use Secure Sockets Layer (SSL) encryption to access the Oracle Calendar Administrator, in order to protect sensitive information. Always use the https:// URL prefix instead of http:// to ensure secure access.
The Oracle HTTP server (OHS) allows clients and servers to authenticate over SSL using X.509v3 certificates. The certificates are stored in an Oracle Wallet, a container in which certificates and trusted certificates are stored and managed.
When communicating with the Web Conferencing server, the Oracle Calendar server uses a secure HTTP connection (HTTPS) to OHS. To establish an HTTPS connection, a wallet is used with a default certificate which ensures that the information passed between the two servers is encrypted. The location of the wallet is defined by the [CONFERENCING] walletfile parameter in the unison.ini configuration file. The password of the wallet is defined by the [CONFERENCING] walletpassword parameter.
It is possible to replace the default certificates in the wallet with ones from another certificate authority.
The parameter [CONFERENCING] url defines the URL used by the Oracle Calendar server to access the Web Conferencing server. By default Secure Sockets Layer (SSL) encryption is used and therefore the "https://" URL prefix is used rather than the "http://" to ensure secure access. The password and ID used to authenticate to the Web Conferencing server are defined by the parameters [CONFERENCING] siteid and siteauthkey.
For more information on the Real-Time Collaboration Web Conferencing parameters, refer to Chapter 3 of the Oracle Calendar Reference Manual.
Oracle Collaboration Suite 10g Content Services (Oracle Content Services) provides the basic security infrastructure required by any shared, network-accessible system, including authentication and authorization. This section describes the architecture and configuration of security in Oracle Content Services. It contains the following topics:
Authentication is a process in which a user provides some proof of identity (called a credential, which is often constructed from a user's password by means of a hashing or encryption algorithm) before that user can attempt to access objects in the system. Oracle Content Services uses Oracle Internet Directory, Oracle's LDAP-compliant directory service, for authentication.
Users provide their user name and password to the client software. These are passed to the Oracle Content Services protocol servers, which, in turn, pass them to Oracle Content Services for authentication. Then, Oracle Content Services passes the user name and password to Oracle Internet Directory. Oracle Internet Directory determines whether the user name and password are valid for the user.
This section describes the security considerations for protocol servers and contains the following topics:
|
Note: The defined behavior of some industry-standard protocols is not inherently secure. Oracle has no control over the defined behavior of these protocols, and these security issues do not represent defects in Oracle software. |
The File Transfer Protocol (FTP) sends unencrypted user passwords across the network, which means that if one of these passwords is intercepted, then it could provide access to all systems controlled by Oracle Internet Directory for that user. To provide more security, users should create an FTP password (rather than the default Oracle Internet Directory password) to authenticate against FTP.
The FTP password is stored in Oracle Internet Directory and is different from and in addition to the regular Oracle Internet Directory password. Each user can have only one FTP password in one Oracle Content Services domain. FTP requires users to log in with an FTP password rather than an Oracle Internet Directory password.
Users can set their FTP password on the User Preferences page in Oracle Content Services. Users can also use the Oracle Internet Directory Self-Service Console to set their FTP password, by setting the content password entry that appears in the Application Passwords section of the Change Password page.
As an alternative, users can use FTPS. FTPS is FTP with the added option of Secure Socket Layer (SSL) security. FTPS does not require an FTP password.
By default, FTP and FTPS are disabled.
|
See Also: Oracle Content Services Administrator's Guide for detailed information about how to enable FTP and FTPS |
The HTTP/WebDAV protocol allows digest (hashed challenge/response), Single Sign-On (from the browser only), and persistent cookie (if the domain and then the user enables the feature) authentication. Whether HTTP/WebDAV uses SSL depends on the configuration of Oracle HTTP Server and on whether Oracle Content Services has been configured for SSL.
Oracle Drive is a desktop client that uses the WebDAV protocol to access Oracle Content Services. After it is installed, Oracle Drive appears as a mapped drive in Windows Explorer. Oracle Drive also provides file synchronization capabilities between your local computer and Oracle Content Services.
The FTP and HTTP/WebDAV protocols do not encrypt the network channel by default. This means that files transferred using these protocols are susceptible to interception. If you are unwilling to accept this behavior, then you should disable these protocols or configure them to use SSL (HTTP/WebDAV only).
Because user quota is managed asynchronously through the Quota Agent, it is possible for a malicious user to upload a very large file for filling up disk space. To prevent such attacks, you can limit the size of any single file uploaded to Oracle Content Services by setting the IFS.DOMAIN.MEDIA.CONTENTTRANSFER.ContentLimit domain property. If you try to upload a file beyond the specified limit, then the upload fails. This limit does not apply to administrators.When this property is set to 0, the default value, the content limit is disabled. You will be able to upload any file whose size is within the last calculated available quota, as of the beginning of the upload.
|
See Also: Oracle Content Services Administrator's Guide for more information about theIFS.DOMAIN.MEDIA.CONTENTTRANSFER.ContentLimit domain property |
The client session timeout period is the number of minutes of idle time after which a Web user interface session expires. By default, the client session timeout for Oracle Content Services is set to 30 minutes. To change this value, perform the following steps:
Access the Oracle Collaboration Suite Control and navigate to the Collaboration Suite Home page.
Select OC4J_Content and click Stop.
Click OC4J_Content to navigate to the OC4J_Content Home page.
Click Applications, then click content in the Deployed Applications table.
On the Applications: content page, click content in the Web Modules table.
On the Web Module: content page, in the Administration section click General under the Properties heading.
In the Session Configuration section, change the value for Session Timeout (minutes).
Click Apply, then click OK on the Confirmation page.
Return to the Collaboration Suite Home page, select OC4J_Content, and click Start.
If you have enabled Oracle Records Management, then you can also set the client session timeout period for Oracle Records Management. Repeat these steps for OC4J_RM to change the client session timeout period for Oracle Records Management.
Perform the following steps only if you configured Oracle Content Services prior to configuring HTTPS:
Access the Application Server Control for Collaboration Suite.
Sign in as the ias_admin user.
In the Collaboration Suite Home Page, click Content Services.
Click Domain Properties.
Edit IFS.DOMAIN.APPLICATION.ApplicationPort to point to the HTTP Server SSL Port.
Set IFS.DOMAIN.APPLICATION.ApplicationUseHttps to TRUE.
Restart all OPMN processes:
ORACLE_HOME/opmn/bin/opmnctl stopproc ias-component=Content ORACLE_HOME/opmn/bin/opmnctl starproc ias-component=Content
On Microsoft Windows, run the following command:
ORACLE_HOME\opmn\bin\opmnctl stopproc ias-component=Content ORACLE_HOME\opmn\bin\opmnctl starproc ias-component=Content
You can configure Oracle Content Services to use SSL. Before you do this, you must configure Oracle HTTP Server to use SSL.
You can also use SSL to connect to Oracle Internet Directory. Before you do this, Oracle Internet Directory must be configured for SSL.