Oracle® Ultra Search Administrator's Guide 11g Release 1 (11.1) Part Number B28330-01
This chapter describes the architecture and configuration of security for Oracle Ultra Search.
This chapter contains the following sections:
See Also:
Oracle Application Server Security Guide for an overview of Oracle Application Server security and its core functionality
Oracle Identity Management Concepts and Deployment Planning Guide for guidance on OracleAS Infrastructure security
This section describes the Oracle Ultra Search security model. It contains the following:
Security problems, such as unauthorized access to information, can lead to loss of productivity. Search engines like Oracle Ultra Search provide access to a wide variety of content repositories through a single gateway. Each of these repositories has its own security model that determines whether a particular user can access a particular document. Because Oracle Ultra Search provides access to data from multiple repositories, the existing security information in each repository must be faithfully enforced by the search engine to avoid unauthorized access.
This section describes the security architecture of Oracle Ultra Search. Security is implemented at the following levels:
User authentication
This is the identification of a user, through LDAP and Oracle Internet Directory, at the Oracle Ultra Search front-end interfaces.
User entitlement
This determines whether a user can see a particular item in the results list. It is implemented with access control lists (ACLs). Oracle Ultra Search provides mapped security to third-party repositories by retrieving the access control list of each document at indexing time and storing it in Oracle Ultra Search. To validate access privileges at query time, Oracle Ultra Search does not need any connection to the repository. The consequence is that a permission change made in the repository takes effect in search results only after the document is crawled again.
Security of Oracle Ultra Search
The actual security in Oracle Ultra Search is handled by the dictionary data in the Oracle Ultra Search Database, the administrative user, and password data.
Starting with Oracle Database 10g, Oracle Ultra Search supports Secure Sockets Layer (SSL). This means that in addition to HTTP-based URLs, Oracle Ultra Search can also crawl HTTPS-based URLs (that is, HTTP over SSL).
See Also:
Configuring Oracle Ultra Search for SSL for detailed information on configuring Oracle Ultra Search with SSL.
To grant an Oracle Ultra Search user administration privileges, you must assign the user to an administration group. Each user can belong to one or more groups. The following groups are created for each Oracle Ultra Search instance:
Instance administrators: Users in this group can only manage instances for which they have privileges.
Super-users: Users in this group can manage all instances, including creating instances, dropping instances, and granting privileges.
Oracle Ultra Search users are divided into two categories:
Single Sign-on users: These users are managed by the Oracle Internet Directory and are authenticated by OracleAS Single Sign-On. The Oracle Ultra Search administration tool identifies all Oracle Ultra Search instances to which the single sign-on user has access. This is available only if you have the Oracle Identity Management infrastructure installed.
Database users: These users (not single sign-on users) exist in the database on which Oracle Ultra Search runs.
New Oracle Ultra Search instances contain the following users:
WK_TEST: This is the instance administrator user that hosts the default instance, called WK_INST. In other words, WK_TEST is the instance administrator for WK_INST. For security purposes, WK_TEST is locked after the installation, and its installation password has expired. The administrator should log in to the database with the DBA role, unlock the WK_TEST user account, and set a new password. The default expected by the instance is WK_TEST; because that value is published here and is therefore known to anyone, a different password is preferable. If you set the password to anything other than WK_TEST, then you must also update the cached schema password on the Edit Instance page of the administration tool after changing the password in the database.
WKSYS: This is a database super-user. WKSYS can grant super-user privileges to other users, such as WK_TEST. All Oracle Ultra Search database objects are installed in the WKSYS schema.
Note:
The WKUSER role is required to host instances.
All publicly crawled data is publicly accessible.
The following resources are protected by Oracle Ultra Search:
Crawled data that uses an access control list (ACL) is protected.
All passwords are protected.
User-defined data source parameters are protected.
There are three possible entry points to Oracle Ultra Search:
The Oracle Database: This contains all the data and metadata. It is protected with row-level security, and all passwords are encrypted.
The Oracle Ultra Search administration tool: This does not contain crawled data. You must authenticate with Oracle Application Server Single Sign-On or database authentication.
The Oracle Ultra Search query tool: This contains crawled data. Unauthenticated users can see only public data. Authenticated users can see public data and ACL-protected information. Users must provide authentication to access private information.
Oracle Ultra Search uses the following security services:
Secure Sockets Layer (SSL), the standard protocol for securing message transmission on the Internet. Oracle Ultra Search uses it for securing RMI connections, HTTPS crawling, and secure JDBC.
JAZN: Oracle Application Server Containers for J2EE (OC4J) implements a Java Authentication and Authorization Service (JAAS) provider called JAZN. It provides application developers with user authentication, authorization, and delegation services to integrate into their application environments.
Oracle Application Server Single Sign-On and Oracle Internet Directory, through which Oracle Ultra Search leverages the Oracle Identity Management infrastructure.
With Oracle Application Server Single Sign-On, you can log on once to all the components, and the Oracle Ultra Search administrative interface allows user management operations on either database users or single sign-on users. Authenticated single sign-on users never see the Oracle Ultra Search logon screen; they can immediately choose an instance. Both the Oracle Ultra Search administration tool and the query tool use single sign-on.
Oracle Internet Directory is Oracle's native LDAP v3-compliant directory service, built as an application on top of the Oracle Database. Oracle Internet Directory hosts the Oracle common identity. All Oracle Ultra Search instances are registered with Oracle Internet Directory.
Oracle Ultra Search also has native identity management: in the absence of the Oracle Identity Management infrastructure, it uses the native user management of the Oracle Database.
Oracle Ultra Search is extensible (for example, the crawler agent is extensible), but this poses no extra security considerations.
This section describes the special security configuration within Oracle Ultra Search.
Storing clear-text passwords in data-sources.xml poses a security risk. To avoid this, use password indirection to specify the password. This lets you enter the password in system-jazn-data.xml, where it is automatically encrypted, and point to it from data-sources.xml.
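The following added example (my code, not Oracle's or OC4J's) shows the weak and hardened forms side by side: it audits a data-sources.xml for clear-text password attributes and rewrites them to OC4J's indirect form, emitting the matching system-jazn-data.xml user entries. The data source, pool, account, host and realm names are constructed for the example; the `->realm/user` reference and the `!` prefix that asks OC4J to obfuscate a clear-text credential on its next start are OC4J conventions, and the element layout follows the OC4J 10.1.3 data-sources.xml shape.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a file from a real deployment). The element layout follows
# the OC4J 10.1.3 data-sources.xml shape; account, URL and pool names are invented.
DATA_SOURCES_XML = """<data-sources>
  <managed-data-source name="UltraSearchDS" jndi-name="jdbc/UltraSearchDS"
      connection-pool-name="UltraSearchPool"/>
  <connection-pool name="UltraSearchPool">
    <connection-factory factory-class="oracle.jdbc.pool.OracleDataSource"
        user="WK_TEST" password="WK_TEST"
        url="jdbc:oracle:thin:@dbhost:1521:orcl"/>
  </connection-pool>
</data-sources>
"""

INDIRECT = "->"  # OC4J indirection syntax: password="->user" or password="->realm/user"


def _user_of(el: ET.Element) -> str:
    # 10.1.3 uses user=..., older data-sources.xml files used username=...
    return el.get("user") or el.get("username") or ""


def clear_text_passwords(xml_text: str) -> list:
    """Audit check: (user, password) for every element whose password attribute
    is stored in clear. Indirected values (->...) are not reported."""
    root = ET.fromstring(xml_text)
    return [
        (_user_of(el), el.get("password"))
        for el in root.iter()
        if el.get("password") is not None and not el.get("password").startswith(INDIRECT)
    ]


def indirect_passwords(xml_text: str, realm: str) -> tuple:
    """Rewrite each clear-text password to an indirect reference and return
    (new data-sources.xml text, <user> entries to add under that realm in
    system-jazn-data.xml). The '!' prefix marks a clear-text credential that
    OC4J obfuscates in place the next time it starts."""
    root = ET.fromstring(xml_text)
    jazn_entries = []
    for el in root.iter():
        pw = el.get("password")
        if pw is None or pw.startswith(INDIRECT):
            continue
        user = _user_of(el)
        if not user:
            raise ValueError(f"<{el.tag}> has a password but no user to indirect it to")
        el.set("password", f"{INDIRECT}{realm}/{user}")
        entry = ET.Element("user")
        ET.SubElement(entry, "name").text = user
        ET.SubElement(entry, "credentials").text = "!" + pw
        jazn_entries.append(ET.tostring(entry, encoding="unicode"))
    # ElementTree may write '>' in attributes as '&gt;'; both forms are valid XML and
    # parse back to '->', so the replacement only keeps the file readable.
    new_xml = ET.tostring(root, encoding="unicode").replace('="-&gt;', '="->')
    return new_xml, "\n".join(jazn_entries)


if __name__ == "__main__":
    print("clear-text passwords found:", clear_text_passwords(DATA_SOURCES_XML))
    hardened, jazn_users = indirect_passwords(DATA_SOURCES_XML, "jazn.com")
    print(hardened)
    print(jazn_users)
```

Add the printed user entries under the chosen realm in system-jazn-data.xml and restart OC4J so that the `!` credentials are obfuscated; the script only produces the fragments, the edit to system-jazn-data.xml is still a manual step. Run the audit function again after the change to confirm that no clear-text password attribute remains.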
Oracle Ultra Search supports secure searches: a query retrieves only the documents that satisfy the search criteria and that the querying user is entitled to read.
For secure searches, each indexed document is protected by an access control list (ACL), which is evaluated during the search. The query returns a protected document only if you have permission to read it.
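A model of the query-time entitlement check described here and in the architecture section above (an added example of mine, not Oracle's code; the ACL format and matching rules Oracle Ultra Search really uses are not documented on this page, so principals are plain user and group names and an empty ACL means public). It shows the three behaviours the page states: public data for unauthenticated users, public plus ACL-protected data for authenticated users, and a decision taken from the ACL stored at crawl time without contacting the repository, which is why a revocation in the repository stays invisible until the document is re-crawled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    url: str
    text: str
    acl: frozenset  # principals (user or group names) allowed to read; empty = public


@dataclass(frozen=True)
class User:
    name: str  # "" models an unauthenticated query-tool session (assumption)
    groups: frozenset = frozenset()

    @property
    def authenticated(self) -> bool:
        return self.name != ""

    def principals(self) -> frozenset:
        return frozenset({self.name}) | self.groups


def can_read(user: User, doc: Document) -> bool:
    """Entitlement check against the ACL stored with the index entry.
    Nothing here contacts the source repository: the decision uses only
    the ACL captured when the document was crawled."""
    if not doc.acl:               # crawled without an ACL: public data
        return True
    if not user.authenticated:    # anonymous sessions see public data only
        return False
    return not doc.acl.isdisjoint(user.principals())


def secure_search(index, user: User, term: str) -> list:
    """Return the URLs of matching documents the user may read, in index order.
    The filter runs on every hit, so a protected document is not merely
    hidden from the list; it is never returned to the caller."""
    needle = term.lower()
    return [d.url for d in index if needle in d.text.lower() and can_read(user, d)]


def recrawl(index, url: str, new_acl: frozenset) -> tuple:
    """Replace the stored ACL of one document, as a re-crawl would.
    Until this runs, a permission change made in the repository is invisible."""
    return tuple(
        Document(d.url, d.text, new_acl) if d.url == url else d for d in index
    )


# Constructed sample index (not real crawl output); ACLs as captured at crawl time.
INDEX = (
    Document("http://intranet/news/q3.html", "Q3 budget summary for all staff", frozenset()),
    Document("http://portal/finance/budget.doc", "Detailed budget, finance only", frozenset({"finance"})),
    Document("http://hr/salaries.xls", "Budget for salaries by person", frozenset({"alice"})),
)

ANONYMOUS = User("")
ALICE = User("alice", frozenset({"finance"}))
BOB = User("bob", frozenset({"engineering"}))

if __name__ == "__main__":
    for who in (ANONYMOUS, ALICE, BOB):
        print(who.name or "<anonymous>", secure_search(INDEX, who, "budget"))
```

The check is applied to every hit before it reaches the result list, so a user cannot learn that a protected document exists by searching for a distinctive phrase from it.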
This section has the following topics:
Before you install Oracle Ultra Search, check the database version requirements:
Install or upgrade the Oracle Database to version 9.2.0.4 or higher.
If you have a 9.2.0.4 database, then use the Repository Creation Assistant (RepCA) to convert it to a Metadata Repository.
Install OracleAS 10g Infrastructure (Oracle Identity Management only). During installation, ensure that you refer to the Metadata Repository created in Step 2.
Check whether the RDBMS_SERVER_DN parameter is set correctly.
If it is not, change the RDBMS_SERVER_DN parameter of the 9.2.0.4 database. For example:
SQL> alter system set RDBMS_SERVER_DN = 'cn=iasdbM10, cn=OracleContext' scope=spfile;
Restart the database, because a parameter written to the spfile only takes effect at the next startup.
Install the OracleAS 10g middle tier.
After ensuring that you have met the requirements listed in Pre-requirements of Enabling Secure Search in OracleAS 10g Release, enable the secure search by performing the following tasks:
To configure the Oracle Internet Directory SSL link, configure Oracle Internet Directory for SSL as follows:
Generate a wallet for Oracle Internet Directory. The wallet holds the server certificate, which you obtain from a certificate authority, together with its private key.
Set auto login for SSL. On Windows, start Oracle Wallet Manager on the machine that is running Oracle Internet Directory. On Linux, type owm at the command prompt. In the Oracle Wallet Manager window:
Click Wallet, Open, and then click Create New.
Specify the location of the wallet and enter the wallet password. Click Auto Login to enable the auto login option, and finally click Save to exit Oracle Wallet Manager.
Configure Oracle Internet Directory to listen on the secure port using the wallet. On Windows, start Oracle Directory Manager. On Linux, type oidadmin at the command prompt to start the tool. In the tool window:
Expand the Server Management node and then the Directory Server node.
Right-click Directory Server and then click Create Like to create a new configuration set.
Click SSL Settings.
Select SSL client and server authentication and SSL only.
Enter the URL of the wallet. For example:
file:/private/ias/lbalacha/m17/wallet/oidwallet
Start another Oracle Internet Directory instance using the new configuration set. For example:
oidctl server=oidldapd conf=2 instance=5 start
In the preceding example:
conf is the configuration set number, that is, the configuration set you created earlier.
instance is the Oracle Internet Directory instance number. You can use any unused number.
Test whether the Oracle Internet Directory SSL instance started successfully by binding to it over SSL:
ldapbind -p 363 -U 3 -W file:. -P welcome1
In the preceding command:
-p is the SSL port of the new configuration set.
-U is the SSL authentication mode; 3 requests two-way (client and server) authentication, matching the SSL Settings selected above.
-W is the wallet location (file:. is the wallet in the current directory).
-P is the wallet password.
Note:
You will see a bind successful message if the Oracle Internet Directory SSL instance started successfully.
See Also:
The instructions given in Chapter 13, "Secure Socket Layer (SSL) and the Directory" in Oracle Internet Directory Administrator's Guide
To configure the database for SSL:
Generate a wallet for the database. As for Oracle Internet Directory, the wallet holds a certificate obtained from a certificate authority and its private key.
Set auto login for SSL. On Windows, start Oracle Wallet Manager on the machine that is running the Oracle Database. On Linux, type owm at the command prompt. In the Oracle Wallet Manager window:
Click Wallet, Open, and then click Create New.
Specify the location of the wallet and enter the wallet password. Click Auto Login to enable the auto login option, and finally click Save to exit Oracle Wallet Manager.
Use the database wallet to test whether the database host can connect to Oracle Internet Directory over SSL:
ldapbind -p 636 -h isunaaa20 -U 3 -W file:. -P welcome1
In the preceding command:
-p is the SSL port.
-h is the host name of the Oracle Internet Directory server.
-U is the SSL authentication mode; 3 requests two-way (client and server) authentication.
-W is the database wallet location (file:. is the wallet in the current directory).
-P is the database wallet password.
Update the ldap.ora file: change the SSL port entry in $ORACLE_HOME/network/admin/ldap.ora so that the directory server entry carries both the non-SSL and the SSL port. For example:
DIRECTORY_SERVERS=(isunaaa20.us.oracle.com:389:636)
See Also:
The instructions in Chapter 15, "Managing Enterprise User Security" (Part II, Task 1 - Task 3), in the Oracle Database 9.2 release of the Oracle Advanced Security Administrator's Guide
Secure search requires the /sys/apps/ultrasearch folder to be in the XML DB repository. You must run a SQL script to create the /sys/apps/ultrasearch folder in the XML DB repository. This folder stores all Oracle Ultra Search access control lists (ACLs) in XML DB.
To create the /sys/apps/ultrasearch folder, perform the following steps:
Move to the $ORACLE_HOME/ultrasearch/admin directory.
Log in to the Oracle Ultra Search Database using SQL*Plus as user WKSYS.
Run the SQL script: @wk0prepxdb.sql
After the wk0prepxdb.sql script runs, run the following SQL statement to validate the result:
SELECT any_path FROM resource_view WHERE any_path LIKE '%ultrasearch%';
The preceding SQL statement displays two rows:
/sys/apps/ultrasearch
/sys/apps/ultrasearch_acl.xml
If these two rows are not displayed, then this step has failed, and you cannot proceed.
The secure search functionality in Oracle Ultra Search is deactivated by default. You must explicitly activate this feature after completing all the previous steps.
To activate secure search functionality:
Log in to the Oracle Ultra Search Database using SQL*Plus as user WKSYS.
Invoke the following PL/SQL API:
exec WK_ADM.SET_SECURE_MODE(1)
The argument, 1, indicates that you are activating secure search.
You must then create an Oracle Ultra Search instance. Instances created after activation are secure search enabled; existing instances are not.
Note:
At any subsequent point in time, you can deactivate security by running WK_ADM.SET_SECURE_MODE(0). Any instances created afterwards will not support secure searches. However, existing secure search enabled instances are not modified. Therefore, if the Oracle Internet Directory link ceases to function, then you cannot perform searches on crawled documents that are secured.
To activate secure search in the query application, perform the following steps:
Edit the OC4J jazn.xml file to connect to Oracle Internet Directory, as follows:
<jazn provider="LDAP" default-realm="us" location="ldap://localhost:3060">
  <property name="ldap.user" value="orcladmin"/>
  <property name="ldap.password" value="!welcome"/>
</jazn>
The host, port, realm and credentials shown are examples; use the values of your directory. The exclamation mark prefix marks a password entered in clear text, which OC4J replaces with an obfuscated value the next time it starts, so do not omit it.
Edit the orion-application.xml file to activate JAZN LDAP, as follows:
Remove the comment from the line <jazn provider="LDAP"/> in $ORACLE_HOME/j2ee/OC4J_Portal/applications/UltrasearchQuery/META-INF/orion-application.xml.
Remove the cached version with the following command:
rm $ORACLE_HOME/j2ee/OC4J_Portal/application-deployments/UltrasearchQuery/orion-application.xml
Edit the $ORACLE_HOME/j2ee/OC4J_Portal/applications/UltrasearchQuery/query/WEB-INF/web.xml file to enable login functionality in usearch.jsp, by changing the login enabled parameter from false to true:
<servlet>
  <servlet-name>usearch</servlet-name>
  <jsp-file>usearch.jsp</jsp-file>
  <!-- other init-param entries unchanged -->
  <init-param>
    <param-name>login enabled</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>
Restart the OC4J_Portal instance. You can use either Oracle Enterprise Manager or opmnctl to restart the instance.
Access usearch.jsp to test the secure search.