Security Architecture

In the previous section, Java Authentication and Authorization Service (JAAS), a set of Java packages that enable services to authenticate users and enforce access controls on them, was discussed briefly. This is far from the only security mechanism available to you when developing applications to be deployed in Oracle Application Server 10g. Oracle provides a framework that lets you develop applications with strong security controls. It consists of a number of different technologies, with differing capabilities and complexity, which Oracle groups under the term Identity Management.

Oracle Identity Management is an integrated set of services for managing users and their privileges. It provides a complete security life cycle for both end users and network entities, including devices, processes, applications, web services, or anything else that needs to interact in a networked environment. By grouping the various security components under one managed infrastructure, Oracle lets security administrators build an environment that strengthens application security while speeding up application deployment. This saves both time and money, because it eliminates the error-prone process of maintaining separate credentials on different machines, while improving accuracy and security. Although it was released as part of Oracle Application Server 10g, all Oracle products (Oracle Database, Application Server, Collaboration Suite, and E-Business Suite) have been designed to use Oracle Identity Management out of the box. It provides a highly scalable environment, native support for Oracle products, and a single point of administration, greatly reducing the overhead needed to deploy and maintain applications within an organization. It also supports integration with third-party identity management solutions, so that integration points (those places in the organization where security information must be synchronized between disparate systems) can be eliminated. Oracle Identity Management will support the following standards in the future:

  • SAML Security Assertion Markup Language; an XML standard for exchanging security assertions (authentication, attribute, and authorization decision statements) between security services so that they can interoperate.

  • SPML Service Provisioning Markup Language; an XML standard that defines the protocol between provisioning service components and provisioned service agents.

  • DSML Directory Services Markup Language; allows developers to express LDAP functions and retrieve data in XML.

  • XKMS XML Key Management Specification; a specification that significantly extends the public key infrastructure (PKI) model by using XML to provide new levels of ease and interoperability when implementing secure applications.

  • WS-Security standards Web Services Security; enables applications to construct secure Simple Object Access Protocol (SOAP) message exchanges.

  • Liberty Alliance standards Open standards for federated network identity management and identity-based services. For more information, go to http://www.projectliberty.org/.

The g in Oracle Application Server 10g and Oracle Database 10g stands for grid and reflects Oracle's commitment to the emerging technology of grid computing. Grid computing is defined in general terms as an effort to develop an environment in which individual users can access computers, databases, and experimental facilities simply and transparently, without having to consider where those facilities are located. For our purposes, Oracle defines grid computing as a software architecture designed to pool together large amounts of low-cost modular storage and servers to create a virtual computing resource across which work can be transparently distributed, using capacity very efficiently, at low cost, and with very high availability. Without some centralized way of maintaining users and privileges across an architecture like this (one that will, most likely, contain heterogeneous hardware, networking, and operating systems), the effort to create and maintain users (called provisioning in Oracle's documentation) would become prohibitive in time and resources in all but the simplest environments. Oracle Identity Management is a manageable, secure, and centralized infrastructure that can be used by all Oracle components in an Oracle Grid.

Some of the key features of Identity Management include:

  • Integration with Microsoft Windows Oracle provides three features to integrate information about users with an existing Windows environment. They include:

    • Windows Directory Connector This connector provides the ability to map and synchronize users defined in the Windows environment with those defined in Oracle's Identity Management environment.

    • Windows Authentication This plug-in allows security administrators to maintain passwords in a single location. Microsoft's Active Directory verifies the user's credentials and passes the authentication result on to the Oracle Identity Management system. The plug-in also has bidirectional features, allowing Windows passwords to be updated from the Oracle Identity Management environment.

    • Native Authentication This technology allows users to use their Windows logins to authenticate to applications served by Application Server 10g. Oracle Single Sign-On accepts Kerberos tokens as its authentication method, so a user who has already logged on to the Windows domain is not prompted again.

  • Multilevel authentication This allows the security administrator to assign different authentication levels to different applications.

  • Deployment options The Application Server 10g security components can be deployed on the networking technologies commonly implemented within organizations, including proxy servers, load balancers, and firewalls that segment the network into multiple DMZs.

The major components that constitute Oracle Identity Management are

  • Oracle Internet Directory (OID) An application deployed on an Oracle9i (or higher) database, OID is a Lightweight Directory Access Protocol (LDAP) v3 directory service; LDAP v3 is considered the de facto Internet standard for directory services. OID gains scalability and high availability from using an Oracle database to store its information. It provides several layers of access control, including entry-level, attribute-level, and prescriptive (subtree-inherited) access control. In Application Server 10g, Oracle has enhanced password policy enforcement in OID to include preventing users from reusing previous passwords, forcing users to change their passwords upon initial login, and IP-based account lockout.

  • Oracle Directory Synchronization This service allows OID to synchronize data with other repositories. It is not limited to other LDAP servers; it can synchronize data from text files, relational databases, and network operating system (NOS) directories (such as Novell's NetWare, Banyan's VINES, or IBM's LAN Server), and it includes a preconfigured solution for synchronizing with Microsoft Active Directory.

  • Oracle Delegated Administration Services (DAS) A component of OID that allows users and application administrators to administer directory information without full directory-administrator rights. The Self-Service Console, a web-based application that allows security administrators to create and modify users and privileges, is built on the DAS framework. Figure 2-12 shows the Self-Service Console.

    Figure 2-12: The Self-Service Console

  • Oracle Application Server Single Sign-On This service provides single sign-on (SSO), allowing users to sign in once and be authenticated to multiple web applications, including Oracle Portal, Oracle E-Business Suite, and non-Oracle applications. It can be configured to run standalone or with your existing infrastructure. It relies on standard Internet technologies, including HTTP/HTTPS, cookies, and X.509 certificates, for its user tokens. SSO has been enhanced in Application Server 10g to include multilevel authentication and Windows native authentication, both discussed earlier.

  • Oracle Application Server Certificate Authority This service generates and publishes X.509 v3 PKI certificates. X.509 is an international standard that defines the prevailing technology for digital certificates and related security measures. X.509 defines two types of digital certificate: a public key certificate, which asserts identity, and an attribute certificate, which asserts privilege. Through the Application Server Certificate Authority's web interface, a security administrator can request and issue certificates.
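The three password-policy enhancements listed for OID above (no reuse of previous passwords, forced change at first login, and IP-based account lockout) are easier to reason about when the enforcement logic is spelled out. The following is an added example written for this edition, not Oracle's or OID's own code: a small in-memory model of those rules. The class and function names, the thresholds (history depth of 5, 3 failures per 300 seconds, 900-second lockout), the PBKDF2 parameters and the injected clock are all assumptions chosen for illustration; in a real deployment these policies are configured in OID rather than coded.

```python
"""Model of OID-style password-policy rules (added example, not Oracle code).

Assumptions: one salt per user so that a candidate password can be hashed once
and compared against the stored history; lockout is keyed on source IP, not on
the account, so one abusive client cannot lock out a user from every address.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

HISTORY_DEPTH = 5            # assumed: remember the last 5 password hashes
LOCKOUT_THRESHOLD = 3        # assumed: failures from one IP before lockout
LOCKOUT_WINDOW = 300.0       # assumed: seconds over which failures are counted
LOCKOUT_DURATION = 900.0     # assumed: seconds an IP stays locked out
PBKDF2_ITERATIONS = 50_000   # assumed work factor
DUMMY_SALT = b"\x00" * 16    # used for unknown users so timing matches known ones


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class User:
    def __init__(self, name: str, initial_password: str):
        self.name = name
        self.salt = secrets.token_bytes(16)
        self.history = deque(maxlen=HISTORY_DEPTH)   # hashes of superseded passwords
        self.current = _hash(initial_password, self.salt)
        self.must_change = True                      # forced change on first login


class PasswordPolicy:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable for deterministic tests
        self.users = {}
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.locked_until = {}                # ip -> clock value when lock expires

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = User(name, password)

    def _ip_locked(self, ip: str) -> bool:
        return self.locked_until.get(ip, 0.0) > self.clock()

    def _record_failure(self, ip: str) -> None:
        now = self.clock()
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > LOCKOUT_WINDOW:   # drop stale failures
            recent.popleft()
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[ip] = now + LOCKOUT_DURATION
            recent.clear()

    def authenticate(self, name: str, password: str, ip: str) -> str:
        """Return 'locked', 'invalid', 'change-required' or 'ok'."""
        if self._ip_locked(ip):
            return "locked"
        user = self.users.get(name)
        salt = user.salt if user else DUMMY_SALT
        candidate = _hash(password, salt)
        if user is None or not hmac.compare_digest(candidate, user.current):
            self._record_failure(ip)
            return "invalid"
        self.failures.pop(ip, None)           # successful login clears the counter
        return "change-required" if user.must_change else "ok"

    def change_password(self, name: str, old: str, new: str, ip: str) -> str:
        """Return 'locked', 'invalid', 'reused' or 'changed'."""
        result = self.authenticate(name, old, ip)
        if result in ("locked", "invalid"):
            return result
        user = self.users[name]
        new_hash = _hash(new, user.salt)
        if hmac.compare_digest(new_hash, user.current) or any(
            hmac.compare_digest(new_hash, h) for h in user.history
        ):
            return "reused"                   # current or any of the last N passwords
        user.history.append(user.current)
        user.current = new_hash
        user.must_change = False              # first-login change satisfied
        return "changed"
```

The point of the example is the interaction between the rules: a user who has not yet replaced the initial password can authenticate only far enough to change it, a change is refused if the new value matches the current password or any remembered one, and repeated failures lock out the offending source address without affecting logins from other addresses or other accounts.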



Oracle Application Server 10g Web Development (Oracle Press)
ISBN: 0072255110
Year: 2004
Pages: 192