| Oracle® HTTP Se
rver Administrator's Guide 10g Release 1 (10.1) Part Number B12255-01 |
|
|
View PDF |
| Oracle® HTTP Se
rver Administrator's Guide 10g Release 1 (10.1) Part Number B12255-01 |
|
|
View PDF |
This chapter provides an overview of Oracle HT TP Server security features and configuration information for setting up a secure Web site using them.
Topics discussed are:
| See Also:
For additional information about security, refer to Oracle Application Server 10g Security Guide provides an overview of Oracle Database security and its core functionality. |
Security can be organized into the three categories of authentication, authorization,
and confidentiality. Oracle HTTP Server provides support for all three of these categories. It is based on the Apache Web server, and
its security infrastructure is primarily provided by the Apache modules, mod_auth an
d mod_access, and the Oracle modules, mod_ossl. mod_auth provides authentication based on user name and password pairs, mod_access controls acce
ss to the server based on the characteristics of a request, such as hostname or IP address, mod_ossl provides confidenti
ality and authentication with X.509 client certificates over SSL.
Based on the Apache model, Oracle HTTP Server provides access control, authentication, and aut
horization methods that can be configured with access control directives in the httpd.conf file. When URL requests arrive at Oracle HTTP Server, they are processed in a sequence of steps determined by server defaults an
d configuration parameters. The steps for handling URL requests are implemented through a module or plug-in architecture that is comm
on to many Web listeners.
Figure 8-1 shows how URL re
quests are handled by the server. Each step in this process is handled by a server module depending on how the server is configured.
For example, if basic authentication is used, then the steps labeled "Authentication" and "Authorization" in Figure 8-1 represent the processing of the mod_auth module.
Text descr iption of the illustration ohsurlpr.gif
Oracle HTTP Server authorizes and authenticates users before allowing them to access, or modify resources on the server. Followi ng are two classes of users that access the server using Oracle HTTP Server, and their privileges.
mod_auth and mod_ossl. Such u
sers have access to URLs defined in http.conf file.
Oracle HTTP Server is configured to protect resources such as:
.g
if, files, and other static files that Oracle HTTP Server provides directly.mod_pe
rl, mod_dms generate responses that are returned to the client.Oracle HTTP Server provides user aut hentication and authorization at two stages:
Early in the request processing cycle, access control is applied, which can inhibit further processing based on the ho
st name, IP address, or other characteristics such as browser type. You use the deny, allow, and orde
r directives to set this type of access control. These restrictions are configured with Oracle HTTP Server configuration direc
tives and can be based on particular files, directories, or URL formats using the <Files><
/a>, <Directory>, and <Location&
gt; container directives as shown in the Example 8-1:
<Directory /internalonly/> order deny, allow deny from all < a name="1011029"> allow from 192.168.1 us.oracle.com </Directory>
In Example 8-1, the order directive determines t
he order in which Oracle HTTP Server reads the conditions of the deny and allow directives. The deny<
/code> directive ensures that all requests are denied access. Then, using the allow directive, requests originating from
any IP address in the 192.168.1.* range, or with the domain name us.oracle.com are allowed access to files in the direc
tory /internalonly/. It is common practice to specify both allow and deny in host-based authen
tication to make the access policy explicit.
If you want to match objects at the file syste
m level, then you must use <Directory> or <Files>. If you want to match objects at the URL leve
l, then you must use <Location>.
To set up access contr
ol for virtual hosts, place the AccessConfig directive inside a virtual host container in the server configuration file,
httpd.conf. When used in a virtual host container, the AccessConfig directive specifies an access control
policy contained in a file. Example 8-2 shows an excerpt from an httpd.conf file w
hich provides the syntax for using AccessConfig this way:
... <VirtualHost ip_address_of_host.some_domain.com> ... virtual host directives ... AccessConfig conf/access.conf </VirtualHost>
Using host-based access control schemes, you can control access to restricted areas based on where
HTTP requests originate. Oracle HTTP Server uses mod_access and mod_setenvif to perform host-based access control. mod_access provides access control based o
n client hostname, IP address, or other characteristics of the client request, and mod_setenvif provides the ability to
set environment variables based upon attributes of the request. When you enter configuration directives into the httpd.conf file that use these modules, the server fulfills or denies requests based on the address or name of the host, or based on the HTT
P request header contents.
You can use host-based access control to protect static HTML pag es, applications, or components.
Oracle HTTP Server supports four host-based access control schemes:
All of these allow you to specify the machines from which access to protected areas i s granted or denied. Your decision to choose one or more of the host-based access control schemes is determined by which scheme most efficiently protects your restricted content and applications, or which scheme is easiest to maintain.
Controlling access with IP addresses is a preferred method of host-based a ccess control. It does not require DNS lookups that consume time, system resources, and make your server vulnerable to DNS spoofing a ttacks.
<Directory /secure_only/> order deny,al low deny from all allow from 207.175.42.* </Directory>
In Example 8-3, requests orig
inating from all IP addresses except 207.175.42.* range are denied access to the /secure_only/ directory.
Domain name-based access control can be used with IP addr ess-based access control to solve the problem of IP addresses changing without warning. When you combine these methods, if an IP addr ess changes, then the secure areas of your site are still protected because the domain names you want to keep out will still be denie d access.
To combine domain name-based with IP address-based access control, use the syntax shown in Example 8-4:
<Directory / co_backgr/> order allow,deny allow from all # 141.217.24.* is the IP for malicious.cracker.com deny from malicious.cracker.com 141.217.24.* </ Directory>
In Example 8-4, all requests for directory /co_backgr/ are accepted except those that originate from the domain name malicious.
cracker.com or the IP address 141.217.24.* range. Although this is not a fool proof precaution against domain name or IP addre
ss spoofing, it protects your site from malicious.cracker.com even if they change their IP address.
You can control access based on subsets of networks, spe cified by IP address. The syntax is shown in Example 8-5:
<Directory /payroll/> order deny,allow deny from all allow from 10.1.0.0/255.255.0.0 </Directory>
In Example 8-5, access is allowed from a network/netmask pair. A netmask shows how an IP address is to be divided into network, subnet, and host identifiers. Netmasks enable you to refer to only the host ID portion of an IP address.
The netmask in Example&n bsp;8-5, 255.255.0.0, is the default netmask setting for a Class B address. The binary ones (decimal 255) mask the network ID and the binary zeroes (decimal 0) retain the host ID of a given IP address.
You can use arbitrary environment variables for access control, instead of using IP address
es or domain names. Use BrowserMatch and SetEnvIf directives for this type of access control.
|
Note: Typically, |
Use BrowserMatch when you want to base access on the type of browser used to send a request. Fo
r instance, if you want to allow access only to requests that come from a Netscape browser, then use the syntax shown in Example 8-6:
BrowserMatch ^Mozilla net scape_browser <Directory /mozilla-area/> order deny,allow deny from all allow from env=netscape_browser </Directory>
Use SetEnvIf when you want to base access on header information contained
in the HTTP request. For instance, if you want to deny access from any browsers using HTTP version 1.0 or earlier, then use the synt
ax shown in Example 8-7:
SetEnvIf Request _Protocol ^HTTP/1.1 http_11_ok <Directory /http1.1only/> order deny,allow deny from all allow from env=http_11_ok </Directory>
| See Also: "Scope of Directives" |
Basic authentication prompts for a user name and password before serving an HTTP request. When a brows
er requests a page from a protected area, Oracle HTTP Server responds with an unauthorized message (status code 401) containing a AuthName. When t
he browser receives this response, it prompts for a user name and password. After the user enters a user name and password combinatio
n, the browser sends this information back to the server in an Authorization header. In the authorization header message, the user na
me and password are encoded as a base 64 encoded string.
User authorization involves checki
ng the authenticated user against an access control list that is associated with a specific server resource such as a file or directo
ry. To configure user authorization, place the require directive in the httpd.conf file, usually within a v
irtual host container. User authorization is commonly used in combination with user authentication. After the server has authenticate
d a user's user name and password, then the server compares the user to an access control list associated with the requested server r
esource. If Oracle HTTP Server finds the user or the user's group on the list, then the resource is made available to that user.
User authentication is based on user names a
nd passwords that are checked against a list of known users and passwords. These user name and password pairs may be stored in a vari
ety of forms, such as a text file, database, or directory service. Then configuration directives are used in httpd.conf
to configure this type of user authentication on the server. mod_auth uses the AuthUserFile directive to se
t up basic authentication. It supports only files.
Any authentication scheme that you devis e requires that you use a combination of the configuration directives listed in Table 8-1.
Secure Sockets Layer (SSL) is an encrypted communication protocol that is designed to securely send messages across the Internet. It resides between Oracle HTTP Server on the a pplication layer and the TCP/IP layer, transparently handling encryption and decryption when a secure connection is made by a client.
One common use of SSL is to secure Web HTTP communication between a browser and a Web serv
er. This case does not preclude the use of non-secured HTTP. The secure version is simply HTTP over SSL (named HTTPS). The difference
s are that HTTPS uses the URL scheme https:// rather than http://, and its default communication port is 44
43.
mod_ossl is a plug-in to Oracle HTTP Server that enables the server to use
SSL. mod_ossl replaces mod_ssl in the Oracle HTTP Server distribution. Oracle no longer supports mod
_ssl.
| See Also:
"Using mod_ossl" for detai
led information regarding |
Oracle HTTP Serve r provides security services that enable you to protect your server from unwanted users and malicious attacks. These security service s ensure secure data exchanged between client and the server.
mod_ossl enables
secure connections between Oracle HTTP Server and a browser client by using an Oracle-provided encryption mechanism over SSL. It als
o provides data integrity and strong authentication for users and HTTP servers.
mod_ossl provides standard support for HTTPS protocol connections to Oracle Database. It enables secur
e connections between Oracle HTTP Server and a browser client by using an Oracle-provided encryption mechanism over SSL. It may also
be used for authentication over the Internet through the use of digital certificate technology. It supports SSL v. 3.0, and provides:
Table 8-2 identifies the differences between mod_ossl, and mod_ssl.
| Feature | mod_ossl | mod_ssl |
|---|---|---|
|
SSL versions supported |
3.0 |
2.0, 3.0, TLS 1.0 |
|
Certificate management |
Text file |
The following mod_ssl directives listed are not supported by
mod_ossl.
SSLRandomSeedSSLCertificateFileSSLCertificateChainFileSSLCACertificateFileSSLCACertificatePathSSLVerifyDepth
To configure SSL for your Oracle HTTP Server, enter the mod_ossl d
irectives you want to use in the httpd.conf file.
The following directive are described in subsequent sections:
Specifies if SSL accelerator is used. Currently only nFast card is supported.< /p>
| Category | Value |
|---|---|
|
Valid Values |
|
|
Syntax |
|
|
Default |
| <
/tr>
|
Context |
server configuration |
Sp ecifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a fil e is the concatenation of various PEM-encoded CRL files in order of p reference. This directive can be used alternatively or additionally to SSLCARevocationPath.
| Category | Value |
|---|---|
|
Syntax |
|
|
Example |
|
|
Defa ult |
None |
|
Context |
server configuration, virtual host |
Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs com e from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked a nd the client cannot authenticate itself with your server.
| Category | ||
|---|---|---|
|
Syntax |
| |
|
Example |
| |
|
Default |
None | |
|
C ontext |
server configuration, virtual host |
| Category | Value |
|---|---|
|
Valid Values |
|
|
Example |
In this example, all ciphers are specified except low strength ciphers and those using the Diffie-Hellman key negotiation algorithm. |
|
Syntax |
|
|
Default |
None |
|
Context |
server configuration, virtual host, directory |
| Function | Tag | Meaning |
|---|---|---|
|
Key exchange |
|
|
|
Key exchange |
|
Diffie-Hellman key exchange with RSA key |
|
Authentication |
|
No authentication |
|
Authentication |
| |
|
Authentication |
|
Diffie-Hellman authentication |
|
Encryption |
|
No encryption |
|
Encryption |
|
|
|
En cryption |
|
Triple |
|
Encryption |
|
|
|
Data Integrity |
|
|
|
Data In tegrity |
|
|
|
Aliases |
|
All SSL version 3.0 ciphers |
|
Aliases |
|
All export ciphers |
|
Aliases |
|
All 40-bit export ciphers only |
|
Aliases |
|
All 56-bit export ciphers only |
|
Aliases |
|
All low strength ciphers (export and single |
|
Aliases |
|
All ciphers with 128-bit encryption |
| <
a name="1020935">
Aliases |
|
All ciphers using triple |
|
Aliases |
|
All ciphers using |
|
Aliases |
|
All ciphers using Diffie-Hellman key exchange |
|
Note: The
re are restrictions if export versions of browsers are used. Oracle module, |
Toggles the usage of the SSL Protocol Engine. This is usually used ins
ide a <VirtualHost> section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is di
sabled for both the main server and all configured virtual hosts.
<VirtualHost_d afault_:4443> SSLEngine on ... </VirtualHost>
| Category | Value |
|---|---|
| Syntax | SSLEngine on|off |
| Default | SSLEngine off |
| Context | server configuration, virtual host |
Specifies where the SSL engine log file will be written. (Error messages will also be duplicated to the standard Oracle HTTP Server log file s pecified by the ErrorLog directive.)
Place this file at a
location where only root can write, so that it cannot be used for symlink attacks. If the filename does not begin with a slash (/),
it is assumed to be relative to the ServerRoot. If the filename begins with a bar (|),
then the string following the bar is expected to be a path to an executable program to which a reliable pipe can be established.
This directive should occur only once for each virtual server configuration.
| Category | Value |
|---|---|
|
Syntax |
|
|
Default |
None |
| < p class="TB">Context |
server configuration, virtual host | <
/tr>
Specifies the verbosity degree of the SSL engine log file.
Type of semaphore (lock) for SSL engine's mutual exclusion of operations that have to be synchronized between Oracle HTTP Server processes.
| Category | Value |
|---|---|
|
Valid Values |
|
|
Example |
|
|
Syntax |
|
|
Default |
<
td class="Informal">
|
|
Context |
server configuration |
Controls various runtime opt
ions on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (option
s are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus ('+') or minus ('-')
symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by
a minus are removed from the options currently in force.
| Category | V alue |
|---|---|
|
Valid Values |
|
|
Valid Values (for |
|
|
Syntax |
|
|
Default |
None |
|
Context |
server configuration, virtual host, directory |
Type of pass phrase dialog for wallet access. mod_ossl asks the administrator for a pass phrase in order to access th
e wallet.
Specifies SSL protocol(s) for mod_ossl to use when establi
shing the server environment. Clients can only connect with one of the specified protocols.
Denies access unless an arbitrarily complex boolean expression is true. The expression must match the following syntax (given as a BNF grammar notation):
| Category | Value |
|---|---|
|
|
expr ::= "true" | "false" "!" expr expr "&&" expr expr "||" expr "(" expr ")" |
|
|
comp ::=word "==" word | word "eq" word word "!=" word |word "ne" word word "<" word |word "lt" word word "<=" word |word "le" word word ">" word |word "gt" word word ">=" word |word "ge" word word "=~" regex word "!~" regex wordlist ::= word wordlist "," word |
|
|
word ::= digit cstring variable function |
|
|
digit ::= [0-9]+ |
|
cstring ::= "..." |
|
|
variable ::= "%{varname}" Table& nbsp;8-5 and Table 8-6 list standard and SSL variables. These are valid values for varname. |
|
< /td> |
function ::= funcname "(" funcargs ")" |
|
Syntax |
|
|
Default |
None |
|
Context |
directory< /p> |
Table 8-5 lists the s
tandard variables for SSLRequire varname.
Table 8-6 lists the SSL variables for SSLRequire varname.
|
SSL Variables |
SSL Variables |
|
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
<
p class="TB">SSL_SESSION_ID |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Denies access to clients n ot using SSL. This is a useful directive for absolute protection of a SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.
| Category | Value |
|---|---|
|
Syntax |
|
|
Default |
None |
|
Context |
directory |
Specifies the global/interprocess session cache storage type. The cache provides an optional w ay to speed up parallel request processing.
Specifies the number of seconds before a SSL sess ion in the session cache expires.
| Category | Value |
|---|---|
|
Syn tax |
|
|
Default |
300 |
|
Context |
server configuration |
Specifies whether or not a client must present a certific ate when connecting.
| Category | Value |
|---|---|
|
Valid Values |
|
|
Syntax |
|
|
Default |
None |
|
Context |
server configuration, vi rtual host |
|
Note: The level |
Specifies the location of the wallet with its WRL.
Specifies the Wallet password needed to access the wallet
specified within the same context. You can choose either a cleartext wallet password or an obfusca
ted password. The obfuscated password is created with the command line tool iasobf. If you must use a regular wallet, Or
acle recommends that you use the obfuscated password instead of a cleartext password.
Syntax
If no password is req uired do not set this directive.
Note: If a wallet created with the Auto Login feature of Or acle Wallet Manager is used, then do not set this directive because these wallets do not require passwords.
Default
None
Context
server configuration, vir tual host
|
Note:
For secure wallets, Oracl e recommends that you get a SSO wallet instead. Refer to the Oracle Application Server 10g Security Guide for information on SSO wallet. |
The following directives are for mod_proxy support only:
Specifies whether the proxy cache w ill be used. The proxy will use the same session as the SSL server uses.
| Category< /font> | Value |
|---|---|
|
Syntax |
|
|
Default |
|
|
Context |
server configuration, virtual host |
Specifies the proxy server's cipher suite.
| Category | < th class="Informal" align="left" valign="bottom" scope="col"> Value|
|---|---|
|
Syntax |
|
|
Default |
|
|
Context |
server configuration, virtual host |
Contro ls the proxy server's SSL protocol flavors.
| Category | Value< /font> |
|---|---|
|
Syntax |
|
|
Default |
|
|
Context |
server configuration, virtual host |
Specifies the locati on of the wallet containing the certificates to use when opening proxy connections.
| Categor y | Value |
|---|---|
|
Syntax |
|
|
Default |
|
|
Context |
server configuration, virtual host |
Specifies the proxy wallet password.
| Category | Value< /strong> |
|---|---|
|
Syntax |
|
| < p class="TB">Default |
|
|
Context |
server configuration, virtual host |
|
Note:
For secure wallets, Oracle recommends that you get a SSO wallet instead. Refer to the Oracle Applic ation Server 10g Security Guide for information on SSO wallet. |
This section provides instruction s on how you can use the directives mentioned earlier to set up configurations that enable you to use client certificates for authent icating clients. Following are some scenarios:
The server wallet has imported the CA certificate which signed all the client certificates.
For example, specify the following directives in the httpd.conf file:
SSLV erifyClient require
< a name="1021874">
To enable this, use the per-directory reconfiguration feature of mod_ossl. Sess
ion re-negotiation enables an SSL session to be re-negotiated with a client after the initial request and URL have been read. This is
only supported for requests that do not contain body data, such as GET requests.
|
For example, specify the following directives in the httpd.conf file:
<Location /secure/area>
SSLVerifyClient require </Location>
The iasobf utility enables you to generate an obfuscated wallet passw
ord from a cleartext password.
If you are using an Oracle Wallet that has been created with Auto Login enabled (an SSO wallet), then you do not need to use this
utility. However, if you must use a regular wallet with a password, then Oracle recommends that you use the password obfuscation too
l iasobf, which is located in ORACLE_HOME/Apache/Apache/bin, to generate an obfuscate
d wallet password from a cleartext password.
To generate an obfuscated wallet password, the command syntax is:
iasobf -p passwordThe obfuscated password is printed to the terminal. The arguments are optional. If you do not type them, the tool will prompt you for the password.
< /div>
On Windows systems: The corresponding tool for Windows environm ents is called
osslpassword, which can be used in the same way asiasobf.
Previous
Next
Copyright © 2003 Oracle Corporation< br> All Rights Reserved.
Home
Book List
Contents
Index
Master Index< /font>
Feedback
