Chapter 4. Security and Identity Management

In recent years, the increased accessibility of corporate data and business information via the Internet has been accompanied by corresponding security threats. Every system is vulnerable to hackers. Some of these hackers are criminals; some are pranksters. Either way, they can wreak havoc with corporate software and data.

Careful security planning and implementation is a key part of systems management. You need to control access to your corporate applications and protect both applications and their underlying data from harm caused by both malicious outsiders and careless insiders. Securing the Oracle Application Server environment is a multipronged effort, requiring that you consider security in all parts of your overall Oracle component infrastructure: the Oracle Application Server, the database, and any E-Business Suite applications deployed in your environment. In implementing a secure solution, you also need to take non-Oracle components into account. For example, you should analyze the security of your web browsers, assess underlying operating system vulnerabilities, determine whether your configuration requires a firewall, and investigate the need for virtual private networks (VPNs).

This chapter focuses on how to implement Oracle Application Server as part of a secure infrastructure. We describe components of the Oracle Application Server security framework that provide both the security and the identity management needed for centralized user management and support for complex password management policies. We conclude the chapter by briefly describing approaches and architectures for secure deployment.

Oracle Application Server Security Objectives

Oracle Application Server is designed to provide both basic and advanced security services while adhering to security standards. Oracle Application Server provides the following security services:

Authentication

Verifies the identity of users and systems requesting applications, resources, and data (see the sidebar, “Identity Management”).

Authorization

Provides system-level determination and granting of the proper level of privileges to users or systems, thus possibly limiting their ability to use applications or resources or to manipulate data.

Access control

Grants access to applications, data, and other resources consistent with security policies based on the authentication of the user, the authorization she has, and the type of access being requested.

Accountability and intrusion detection

Ensures that activities contrary to policies are detected and recorded.

Data protection

Protects data from access by unauthorized users via such mechanisms as encryption and integrity checks.

In managing Oracle Application Server, your security goal should be to deploy the product in such a way that it can pass an independent security assessment. In such a secure deployment, you also need to consider coding practices, eliminate single points of failure in the security mechanism, set minimal privileges as a default, and enable intrusion detection to limit damage from security breaches. Those are extensive security topics that go well beyond the scope of this chapter. See the Appendix, however, for additional sources of security information.

Get Oracle Application Server 10g Essentials now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.