How To Secure Dynamic PSP Development Interface?

There are several ways to secure the Dynamic PSP Development Interface on the Apache HTTP server:

I. Securing the communications between DPSP server and developers.

To secure communications between the DPSP server and developers' seats, you need to set up SSL to encrypt the traffic between them and, optionally, to authenticate developers. With SSL enabled, even if your traffic is intercepted by a third party, it will be encrypted using strong cryptography and will not be compromised.

Enabling SSL on Apache involves several steps:

  1. Obtaining a server certificate.
    You can create a self-signed server certificate or submit a server certificate for signing by a public certificate authority such as VeriSign, Thawte or others. Creating a self-signed certificate is the easiest way to enable SSL. For details on creating, signing and installing a server certificate, please refer to the mod_ssl documentation at http://www.modssl.org/docs/2.8 and the OpenSSL documentation at http://www.openssl.org/docs/
  2. Installing the certificate on the server.
    This is fairly easy: you just need to copy the signed certificate to the location you specified with the SSLCertificateFile directive.
  3. Restarting Apache with the -DSSL define or using the startssl parameter to enable SSL.

When these steps are complete, your server will be accessible via HTTPS, and all traffic between the server and clients that use HTTPS will be encrypted.

II. Restricting access to the Development Interface

All examples below assume that the Dynamic PSP Development Interface DAD is 'DPSP' and mod_plsql handler is assigned to '/pls' location. All edits should be made to httpd.conf file or a file that is included into it. For changes to take effect, Apache server must be restarted.

There are several ways to restrict access to the DPSP Development Interface.

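  1. Using the LocationMatch directive and setting host-based security with Order, Allow and Deny directives:

     # pattern built from the DAD ('DPSP') and handler location ('/pls') assumed above
     <LocationMatch "^/pls/DPSP">
      # default Order Deny,Allow is in effect here
      Deny from all
      Allow from 192.168.0.10
      Allow from 192.168.0.11
     </LocationMatch>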
    

    The above example will deny access to the development interface DAD for all IP addresses except 192.168.0.10 and 192.168.0.11.

    For more information on the Order, Allow and Deny directives, consult the mod_access documentation at http://httpd.apache.org/docs/mod/mod_access.html

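  2. Using the LocationMatch directive and setting user-based security with Auth* and Require directives:

     # pattern built from the DAD ('DPSP') and handler location ('/pls') assumed above
     <LocationMatch "^/pls/DPSP">
      AuthType Basic
      AuthName "DPSP Development Interface"
      AuthUserFile /your/path/to/user/file
      AuthGroupFile /your/path/to/group/file
      Require group developers
     </LocationMatch>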
    

    You will have to create a user file using the htpasswd utility and add users to it. Then create a group file and include all needed users in the developers group:

       developers: devuser1 devuser2 devuser3

    The above example will ask for a password whenever the development interface DAD is accessed and will only allow members of the developers group to access it.

    You may also combine methods 1) and 2) (for example, to allow access for remote developers when their IP addresses are not known or change rapidly):

    
     # pattern built from the DAD ('DPSP') and handler location ('/pls') assumed above
     <LocationMatch "^/pls/DPSP">
      # allow access if either auth check passes (host-based will be checked
      # first, so internal developers will not be asked for any password)
      Satisfy any

      # host-based auth - Deny, Allow is in effect
      Deny from all
      Allow from 192.168.0.10
      Allow from 192.168.0.11

      # password-based auth
      AuthType Basic
      AuthName "DPSP Development Interface"
      AuthUserFile /your/path/to/user/file
      AuthGroupFile /your/path/to/group/file
      Require group developers
     </LocationMatch>
    

    The above example will try to satisfy either of the two requirements. The IP address will be evaluated first; if it is one of the allowed addresses, evaluation stops there and access to the DAD is allowed. Otherwise, a user name and password will be requested from the visitor.

  3. Using mod_ssl for SSL certificate-based authentication:
    1. Create your own CA (certificate authority) certificate and provide it to the SSL engine via the SSLCACertificateFile directive. You may use any commercially available certificate server, such as Microsoft or Netscape, or you may use the OpenSSL engine (provided with mod_ssl) to create your own CA certificate.
    2. Create certificates for developers and sign them with your CA private key, then distribute them to the developers. Developers will need to install their certificates into the browser and configure it to present the certificate to the site where development is done.
    3. Use a location container directive (LocationMatch is used here, as in the methods above) in conjunction with mod_ssl authentication directives to restrict access to the development interface to only those clients with valid certificates:

       # allow access to other zones with no verification of client cert
       SSLVerifyClient none
       # enforce mod_ssl reconfiguration based on accessed location
       # (pattern built from the DAD 'DPSP' and handler location '/pls' assumed above)
       <LocationMatch "^/pls/DPSP">
        # should verify client certificate validity against locally known CAs
        SSLVerifyClient require
        # allow only self-signed or your_ca-signed certificates
        SSLVerifyDepth       1
        # make your_ca.crt the only known CA certificate
        SSLCACertificateFile conf/ssl.crt/your_ca.crt
        # use fake basic auth and deny access if SSL is not used
        SSLOptions           +FakeBasicAuth +StrictRequire
        # enforce SSL connection
        SSLRequireSSL
        # check for certain fields in client certificate
        SSLRequire    %{SSL_CLIENT_S_DN_O}  eq "Your Company" and \
                      %{SSL_CLIENT_S_DN_OU} eq "DPSP Developers"
       </LocationMatch>
      

    The above example will allow access only to clients that present a client certificate which is signed by your CA and has O (Organization) set to "Your Company" and OU (Organizational Unit) set to "DPSP Developers".

    For more information, please refer to mod_ssl documentation at http://www.modssl.org/docs/2.8
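
Steps 1 and 2 of the certificate-based method, as an added example that is not part of the original page: it creates a private CA with OpenSSL, issues a developer certificate carrying the O and OU values the SSLRequire expression checks, and repeats the server's two checks locally. The file names (your_ca.key, devuser1.*), key size and validity periods are assumptions.

```shell
#!/bin/sh
# Added example: private CA plus developer client certificates whose subject
# matches the SSLRequire check. File names and lifetimes are assumptions.
set -eu

# make_ca DIR: CA key and self-signed CA certificate (DIR/your_ca.crt).
# The CA key is written unencrypted here; protect or encrypt it in real use.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Your Company/CN=DPSP Development CA" \
        -keyout "$1/your_ca.key" -out "$1/your_ca.crt" 2>/dev/null
}

# issue_dev_cert DIR NAME [OU]: key and CSR for NAME, signed by the CA.
issue_dev_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Your Company/OU=${3:-DPSP Developers}/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 90 -in "$1/$2.csr" \
        -CA "$1/your_ca.crt" -CAkey "$1/your_ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
}

# subject_field CERT FIELD: print one subject attribute (O, OU or CN).
# Splits on commas, so it assumes attribute values contain none.
subject_field() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# would_pass CA CERT: the same two checks the server applies: the certificate
# chains to your_ca.crt, and O and OU carry the values SSLRequire expects.
would_pass() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
        [ "$(subject_field "$2" O)" = "Your Company" ] &&
        [ "$(subject_field "$2" OU)" = "DPSP Developers" ]
}

dir=$(mktemp -d)
make_ca "$dir"
issue_dev_cert "$dir" devuser1
would_pass "$dir/your_ca.crt" "$dir/devuser1.crt" && echo "devuser1: accepted"
```

A certificate signed by the CA but issued with a different OU, or a self-signed certificate that merely copies the expected O and OU, fails `would_pass`, which is the behaviour the configuration above relies on.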


Copyright © 2000-2017 by HitMedia LLC. All Rights Reserved.