Corporate PPT Template

1
(No Transcript)
2
Building Secure J2EE Applications With Oracle
Session id40119

• Cary BakkerPrincipal Consultant
• John Gammon
• Principal Consultant
• Adam Leftik
• Sr. Principal Consultant
• Oracle Corporation

3
Agenda

• Introduction
• Motivation for POC
• Requirements for solution
• Architectural decisions
• Security Fundamentals
• Security Concepts review
• SSL
• A How To on locking down the system
• Web Client to HTTP Server
• HTTP Server to App Server
• App Server to Database

4
Client Motivation

• Aerospace Operation Center (AOC) issues
• Separate Coalition Network
• n as many servers
• n setup time
• Difficult to share data
• Data cleansing process
• Untimely data
• Erroneous data
• Unavailable data

5
Solution Requirements

• Multi Level Security (MLS)
• US and Coalition all on single network
• Timely release of data
• Security given highest priority
• Flexible architecture

6
Solution Architecture Overview

• SSL Mutual Authentication for all network
  communication, lock down all layers
• Oracles MVC Framework flexibility for
  migration to service oriented architecture
  implementation
• Oracle Label Security key for MLS and timely
  release of information

7
Security Concepts Review

• Authentication
• Authorization
• Confidentiality
• Integrity

8
Secure Socket Layer Protocol (SSL)

• Client Sends list of cipher suites
• Server responds with the cipher suite
  specification and web servers digital certificate
  and requests client certificate
• Client verifies certificate
• Client generates pre-master secret and encrypts
  with servers public key and sends its client
  certificate and pre-master secret
• Server decrypts pre-master secret with private
  key and verifies client certificate
• Session key is calculated using pre-master secret
  by both parties independently
• Session key is used for symmetric key encryption
  for rest of the session

9
Certificate Verification

• Is this certificate in the CRL?
• Is the certificate within validity period?
• Is the Certificate Authority trusted (chain)?
• Does the issuing certificates public key
  validate issuers signature?
• (Optional) Does the web server DNS name match the
  subjects (server cert) DN? 9i also supports
  instance verification via instance name hostname

10
Secure Software Architecture
11
High-Level Flow
12
Oracle Http Server and Mod OSSL

• Provides authentication, confidentiality, and
  integrity for communication between web client
  and OHS using SSL
• Support for majority of cryptographically strong
  cipher algorithms
• SSL mutual authentication support (two-phase
  authentication)

13
Key OHS Directives

• LoadModule ossl_module modules/ApacheModuleOSSL.DL
  L
• SSLWallet file\conf\Apache\Apache\conf
• SSLWalletPassword mypassword
• SSLVerifyClient require
• SSLOptions FakeBasicAuth ExportCertData
  CompatEnvVars StrictRequire

14
Securing OC4J

• Mod OC4J for proxying requests to OC4J
• AJP over SSL support in 9.04
• IP Checks
• Security Filters
• JAZN provides authentication and authorization
  for middle-tier business logic

15
Mod OC4J Example

• propagate credentials to OC4J
• Oc4jExtractSSL on
• SetHandler oc4j-service-handler
• Order deny,allow
• Deny from all
• Allow from localhost
• Oc4jMount /myapp home
• Oc4jMount /myapp/ home

16
Accessing Certificates

• //Servlet sevice method.
• ServetRequest request null
• .
• java.security.cert.X509Certificate certs
  request.getAttribute(java.security.cert.
• X509Certificate.getClass().getName())
• Principal issuerPrincipal cert0.getIssuerDN()
  
• Principal subjPrincipal cert0.getSubjectDN()

17
Security Filter
18
JAZN

• Provides authorization for middle-tier resources
• Makes the J2EE container aware of the
  authentication and authorization
• Map J2EE Principals and Roles to enterprise data
  stores e.g. LDAP
• Support for declarative security model in J2EE
  e.g. method level permissions in EJB deployment
  descriptors

19
Database Users and Application Users

• Avoid the One Big Database User
• Leverage auditing
• Allows you to use other security features
• Oracle Label Security
• Secure application roles

20
Securing Database Access
21
Proxy Authentication

• JDBC OCI connection pool support (Subclass of
  OracleDataSource)
• A pool of lightweight database sessions created
  via app server database user which are
  authenticated via SSL mutual authentication
• Digital certificates propagated to database
  server to authenticate application users creating
  a heavyweight session
• SSL ensures Middle-Tier and Database trust each
  other
• Preserves application identities

22
Proxy Authentication Example

• CREATE USER APP_SERVER IDENTIFIED GLOBALLY AS
  CNAPP_SERVER, CUS
• CREATE USER JOHN_ROHLER IDENTIFIED GLOBALLY AS
  'CNJon Rohler, CUS'
• GRANT "CONNECT" TO APP_SERVER
• ALTER USER JOHN_ROHLER GRANT CONNECT THROUGH
  APP_SERVER
• GRANT "CONNECT" TO JOHN_ROHLER
• GRANT APPLICATION_ROLE TO JOHN_ROHLER

23
Proxy Authentication Example (cont)

• import oracle.jdbc.pool
• ..
• InitialContext ctx new InitialContext()
• OracleOCIConnectionPool ds
  (OracleOCIConnectionPool) initial.lookup("jdbc/Ora
  cleProxyDS")
• Properties props new Properties()
• props.put(OracleOCIConnectionPool.PROXY_CERTIFI
  CATE, UsersDERCertRef)
• Connection connection pool.getProxyConnection
  (OracleOCIConnectionPool. PROXYTYPE_CERTIFICATE,
  props)

24
Secure Application Roles

• Only allows privileges to schema objects from
  specific applications in specific contexts
• Reduce the possibility of inside intrusion by
  circumventing middle-tier
• Network based authorization

25
Secure Application Role Example

• CREATE OR REPLACE PACKAGE BODY MY_ROLE IS
• PROCEDURE check_access
• IS
• proxy_usr VARCHAR2 (4000)
• ip_address VARCHAR2 (16)
• BEGIN
• proxy_usr SYS_CONTEXT('userenv','proxy_user')
  
• ip_address SYS_CONTEXT('userenv','ip_address')
  
• IF proxy_usr APP_SERVER AND ip_address
  192.168.1.125 THEN
• DBMS_SESSION.SET_ROLE(MY_APPLICATION_ROLE')
• END IF
• END
• END
• /
• GRANT SELECT ON ACCOUNTS TO MY_APPPLICATION_ROLE
• GRANT EXECUTE ON MY_ROLE TO JOHN_ROHLER
• CREATE MY_APPLICATION_ROLE IDENTIFIED USING
  schema_owner_for_pl_sql_package.MY_ROLE
• GRANT "MY_APPLICATION_ROLE" TO JOHN_ROHLER

26
Integration With JDBC Example

• Connection conn null
• CallableStatement cs null
• try
• // get a proxy connection from jdbc oci
  connection pool
• conn getConnection()
• cs conn.prepareCall(begin
  schema_owner.my_role.check_access() end)
• cs.execute()
• // now use conn to issue a query against
  account table, query will fail if not connecting
  from middle tier
• catch (SQLException sqle)
• //handle the exception
• finally
• if (conn ! null)
• try conn.close() catch (SQLException
  sqle)
• if (cs ! null)
• trycs.close()catch(SQLException
  sqle)

27
Oracle Label Security Row Level Security

• Built on top of VPD
• General purpose row-level authorization
• Based on military classification metaphor
• Flexible Levels, Compartments, Groups

28
Oracle Label Example Create Policy and Levels

• EXEC SA_SYSDBA.CREATE_POLICY('MYPOLICY',
  
  'MYCOLUMN', 'READ_CONTROL, WRITE_CONTROL,
  CHECK_CONTROL, LABEL_DEFAULT')
• EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY',9000,'
  C',
• 
  'CLASSIFIED')
• EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY',2000,'
  HS',
• 'HIGHLY_SENSITIVE')
• EXEC SA_COMPONENTS.CREATE_LEVEL('MYPOLICY',1000,'
  S',
• 
  'SENSITIVE')

29
Oracle Label Example Apply Policy to Table

• EXEC sa_policy_admin.apply_table_policy(
• 'MYPOLICY',
• 'SCHEMAOWNER',
• 'MYTABLE')

30
Oracle Label Example Authorize User Labels

• BEGIN
• SA_USER_ADMIN.SET_USER_LABELS(
• POLICY_NAME'MYPOLICY',
• USER_NAME JOHN_ROHLER',
• MAX_READ_LABEL 'C,HS,S',
• MAX_WRITE_LABEL 'C',
• MIN_WRITE_LABEL C)
• END
• /

31
Oracle Label Example Apply Labels to Rows

• UPDATE SCHEMAOWNER.TABLE_NAME
• SET MYCOLUMNAME
• char_to_label('MYPOLICY','C')
• WHERE
• MYUNIQUEKEY 'SOMEUNIQUEVALUE'
• INSERT INTO ACCOUNTS (ACCOUNT_NUM) VALUES (1)
• INSERT INTO ACCOUNTS (ACCOUNT_NUM, LABEL_COLUMN)
• VALUES (2, char_to_label(MYPOLICY,C))
• SELECT FROM ACCOUNTS

32
Next Steps.

• To request a complimentary 1-on-1 consultation to
  begin a personalized assessment of the potential
  benefits of an Oracle solution based on your
  organizations environment, stop by the Oracle
  Consultations area in the Oracle DEMOgrounds
  section of the Exhibit Hall.
• For information on our services, visit the Oracle
  Consulting booth in the Oracle Services area in
  the Oracle DEMOgrounds section of the Exhibit
  Hall.

33
For more information

• TheServerSide.com J2EE Community
• Largest J2EE site in the world
• 305,000 registered members
• Enterprise Java News
• Design Patterns
• Free Books
• Product Reviews
• Articles and Video Interviews

34
Reminder please complete the OracleWorld
online session surveyThank you.