Oracle9iAS Portal Release Notes
Release 2 (9.0.2)

Part Number A96191-02

7 Security Issues and Workarounds

This section describes security-related issues and their workarounds for Oracle9iAS Portal.

7.1 Need for PUBLIC User Entry

When Oracle9iAS Portal is installed, a user is created under the default user creation base for the default subscriber:

cn=PUBLIC,cn=users,o=subscriber,dc=com

This entry represents any unauthenticated user, and is required for proper operation of the Portal and Single Sign-On (SSO) applications. This user account should not be removed. If this user account is missing, it causes significant performance degradation because of repeated attempts to locate the entry.

If you configure Oracle9iAS to use an existing Directory Information Tree (DIT), make sure that the default user search base includes a user named PUBLIC for this purpose. This entry has the following definition:

dn: cn=PUBLIC,cn=users,o=oracle,dc=com
cn: PUBLIC
sn: PUBLIC
orclactivestartdate: 17/01/02
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: orclUser
objectclass: orclUserV2

Note the absence of the userPassword attribute. The entry must not be given a userPassword attribute, so that nobody can log on as this user through Single Sign-On.
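The following check is an added example, not part of these release notes: it parses an LDIF export of the user search base and verifies that the cn=PUBLIC entry exists, carries the object classes listed in the definition above, and has no userPassword attribute. The sample export and the helper names (parse_ldif, check_public_entry) are constructed for this example; a real run would feed it an ldapsearch LDIF dump of the user search base.

```python
# Object classes from the PUBLIC entry definition, compared case-insensitively
REQUIRED_CLASSES = {"top", "person", "inetorgperson",
                    "organizationalperson", "orcluser", "orcluserv2"}

def parse_ldif(text):
    """Return {dn_lower: {attr_lower: [values]}} for a simple LDIF export."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:                             # blank line ends an entry
            attrs = {}
            for line in lines:
                if not line.startswith("#") and ":" in line:
                    name, value = line.split(":", 1)
                    attrs.setdefault(name.strip().lower(), []).append(value.strip())
            entries[attrs.get("dn", [""])[0].lower()] = attrs
            lines = []
    return entries

def check_public_entry(ldif_text, user_search_base):
    """Return a list of problems; [] means cn=PUBLIC is present and acceptable."""
    dn = "cn=PUBLIC," + user_search_base
    entry = parse_ldif(ldif_text).get(dn.lower())
    if entry is None:
        return ["missing entry " + dn]
    problems = []
    missing = REQUIRED_CLASSES - {c.lower() for c in entry.get("objectclass", [])}
    if missing:
        problems.append("missing objectclass(es): " + ", ".join(sorted(missing)))
    if "userpassword" in entry:   # the release note requires that this be absent
        problems.append("userPassword is set; SSO logon as PUBLIC would be possible")
    return problems

# Constructed sample export of the user search base (not from a real directory)
SAMPLE_LDIF = """\
dn: cn=PUBLIC,cn=users,o=oracle,dc=com
cn: PUBLIC
sn: PUBLIC
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: orclUser
objectclass: orclUserV2
"""
```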

7.2 Need to Run OID Replication Server to Purge OID Change Log

In this release Oracle9iAS Portal relies on the Provisioning Integration Service provided by the Directory Integration Platform to be notified of user and/or group changes in the Oracle Internet Directory (OID). The changes are stored in the OID change log and are filtered by the Provisioning Integration Service before being delivered as change events to Oracle9iAS Portal.

Even if you are not deploying the OID server in replication mode, please make sure that the directory administrator starts up the replication server to periodically purge unnecessary change log entries.

To start the replication server, use this command:

oidctl connect=<net_service_name> server=oidrepld instance=1 flags="-p <ldapserver_port_number>" start

For more information on starting and stopping the replication server, refer to Chapter 3, Preliminary Tasks and Information, in the OID Administrator Guide.

If you do not periodically purge unnecessary change log entries, the OID change log can potentially grow to occupy the entire file system and this may cause unavailability of the OID service. The requirement to start the replication server to purge the change log is a temporary restriction and will be removed in a future release.

Note: The replication server only purges the change log entries if there is at least one subscription profile registered. A subscription profile for the Portal is registered if you have enabled DIP synchronization. For details on how to do this, refer to Setting up the Subscription Profile in Chapter 3 of the Oracle9iAS Portal Configuration Guide. If DIP synchronization is not enabled, and no other Oracle9iAS component you are using registers a synchronization profile and needs the change log, then you can just turn off change logging.

7.2.1 Disabling Change Log Generation

If OID is not replicated and the Directory Integration Platform is not used for application synchronization or provisioning, the administrator can start the OID LDAP server in "no changelog generation" mode by specifying the -l FALSE flag when starting the LDAP server.

7.3 Single Sign-On Server and Portal From Different Versions Cannot Interoperate

Due to the interdependency of the Single Sign-On (SSO) Server and Oracle9iAS Portal with Oracle Internet Directory (OID) in Oracle9iAS Release 2 (9.0.2), you must not associate Oracle9iAS Portal Release 9.0.2 with an SSO Server (Login Server) from Oracle9iAS Release 1 (1.0.2.2) or earlier. Similarly, you must not associate earlier releases of Oracle9iAS Portal with the current release of Oracle9iAS SSO Server.

To allow Oracle9iAS Portal and SSO instances to be associated together, they must both be upgraded to Oracle9iAS Release 2. The upgrade scripts will be made available in the first maintenance release of Oracle9iAS Release 2.

7.4 Support for Content Area-scoped Groups Has Been Removed

With the migration of group management to the Oracle Internet Directory (OID), the ability to scope groups by content area has been removed. When a 3.x version of Portal is upgraded, all groups are migrated to OID, regardless of the site scoping.

7.5 Cleartext Passwords

If you opt to use the DBPreferenceStore implementation of the PreferenceStore interface in PDK-Java, the database connection information for the schema that you establish for this data is stored in a data-sources.xml file. Be aware that the password for the schema is visible as cleartext in this file.

There is a plan to obfuscate this information in a future release of the product, but for this release, restrict read access to this file so that any sensitive information you choose to store in the PreferenceStore is not compromised.

Similarly, when using externally defined Java Server Pages with the Java Portal Services (JPS) feature, the connection information to the application schema is stored in the data-sources.xml file. Access to the schema password for the application schema may allow for the creation of a Portal session for an asserted userid. It is critical to secure access to the data-sources.xml file if using the external JPSs that require this connection information.
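The following audit helper is an added example, not part of these release notes or of PDK-Java: it reports which data-source entries in a data-sources.xml carry a cleartext password attribute (without ever echoing the value) and whether the file's permission bits grant group or other any access. The sample file, its host, schema and password values, and the function names are constructed for this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

def find_cleartext_passwords(xml_text):
    """Return [(data-source name, username)] for every <data-source> whose
    password attribute holds a non-empty value. The password itself is
    never returned, only where it was found."""
    hits = []
    for ds in ET.fromstring(xml_text).iter("data-source"):
        if ds.get("password", "").strip():
            hits.append((ds.get("name", "?"), ds.get("username", "?")))
    return hits

def mode_is_restricted(mode):
    """True when the permission bits grant nothing to group or other,
    the minimum for a file that holds schema credentials in cleartext."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def audit_data_sources(path):
    """Audit one data-sources.xml on disk: cleartext credentials plus
    whether its permissions are restricted to the owner."""
    with open(path) as f:
        hits = find_cleartext_passwords(f.read())
    return {"cleartext": hits,
            "restricted_mode": mode_is_restricted(os.stat(path).st_mode)}

# Constructed sample in the data-sources.xml layout; host, SID, schema and
# password are placeholders, not values from the release notes.
SAMPLE_DATA_SOURCES = """\
<?xml version="1.0"?>
<data-sources>
  <data-source class="com.evermind.sql.DriverManagerDataSource"
      name="PrefStoreDS" location="jdbc/PrefStoreDS"
      connection-driver="oracle.jdbc.driver.OracleDriver"
      username="PREFSTORE_SCHEMA" password="PlaceholderPw1"
      url="jdbc:oracle:thin:@dbhost.example.com:1521:ORCL"/>
</data-sources>
"""

if __name__ == "__main__":
    for name, user in find_cleartext_passwords(SAMPLE_DATA_SOURCES):
        print("cleartext password for schema %s in data-source %s" % (user, name))
```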

7.6 Cannot Select a Value from an LOV

If the Delegated Administration Service (DAS) is using a different HTTP listener than the Portal, you may see a JavaScript security violation when using Internet Explorer. This happens when the LOV served by one host tries to write a value back to a page served from another host.

To allow the LOV to operate properly, you need to set a common domain for the JavaScript to allow this transfer. The script is secjsdom.sql and it takes a domain name as its argument. See the section Configuring Oracle9iAS Portal Security in the Oracle9iAS Security Guide for specific instructions on how to do this.

7.7 Need to Disable IP Checking if Accessing Mobile Pages

If you get an error when logging into Oracle9iAS Portal to access mobile-enabled pages on a wireless device, you may need to turn off IP-checking during the authentication sequence.

To do this, run the SQL described earlier in Chapter 3, Disabling the IP Check of Cookie Validation.


Copyright © 2002 Oracle Corporation. All Rights Reserved.