How To Secure Dynamic PSP Development Interface?
There are several ways to secure the Dynamic PSP Development Interface on
Apache HTTP server:
I. Securing the communications between DPSP server and developers.
To secure communications between the DPSP server and developers' workstations
you need to set up SSL to encrypt the traffic between them and, optionally,
authenticate developers. With SSL enabled, traffic that is intercepted by a
third party is still encrypted with strong cryptography and cannot be read.
Enabling SSL on Apache involves several steps:
- Obtaining a server certificate.
You can create a self-signed server certificate or submit a server certificate
for signing by a public certificate authority, like VeriSign, Thawte or
others. Creating a self-signed certificate is the easiest way to enable SSL.
For details on creating/signing/installing a server certificate, please
refer to the mod_ssl documentation at http://www.modssl.org/docs/2.8 and the
OpenSSL documentation at http://www.openssl.org/docs/
- Installing the certificate on the server.
This is fairly easy: you just need to copy the signed certificate to the
location you specified with the SSLCertificateFile directive.
- Restarting Apache with the -DSSL define or using the startssl parameter to
enable SSL.
When these steps are complete, your server will be accessible via HTTPS and
all traffic between server and clients will be encrypted when using HTTPS.
II. Restricting access to the Development Interface
All examples below assume that the Dynamic PSP Development Interface DAD is
'DPSP' and mod_plsql handler is assigned to '/pls' location. All edits should
be made to httpd.conf file or a file that is included into it. For changes to
take effect, Apache server must be restarted.
There are several ways to restrict access to the DPSP Development Interface.
- Using the LocationMatch directive and setting host-based security with the
Order, Allow and Deny directives:

    # matches the DPSP DAD under the /pls mod_plsql handler (see assumptions above)
    <LocationMatch "^/pls/DPSP(/|$)">
        # default Order Deny,Allow is in effect here
        Deny from all
        Allow from 192.168.0.10
        Allow from 192.168.0.11
    </LocationMatch>

The above example denies access to the development interface DAD for
all IP addresses except 192.168.0.10 and 192.168.0.11.
For more information on the Order, Allow and Deny directives consult the
mod_access documentation at http://httpd.apache.org/docs/mod/mod_access.html
- Using the LocationMatch directive and setting user-based security with the
Auth* and Require directives:

    <LocationMatch "^/pls/DPSP(/|$)">
        AuthType Basic
        AuthName "DPSP Development Interface"
        AuthUserFile /your/path/to/user/file
        AuthGroupFile /your/path/to/group/file
        Require group developers
    </LocationMatch>

You will have to create a user file with the htpasswd utility and add users
to it. Then create a group file and list all needed users in the
developers group:

    developers: devuser1 devuser2 devuser3

The above example asks for a password whenever the development interface
DAD is accessed and only allows members of the developers group to access it.
You may also combine the two methods above (for example, to allow access for
remote developers whose IP addresses are not known or change rapidly):

    <LocationMatch "^/pls/DPSP(/|$)">
        # allow access if either auth check passes (host-based will be checked
        # first, so internal developers will not be asked any password)
        Satisfy any
        # host-based auth - Order Deny,Allow is in effect
        Deny from all
        Allow from 192.168.0.10
        Allow from 192.168.0.11
        # password-based auth
        AuthType Basic
        AuthName "DPSP Development Interface"
        AuthUserFile /your/path/to/user/file
        AuthGroupFile /your/path/to/group/file
        Require group developers
    </LocationMatch>

The above example will try to satisfy either of the two requirements. The IP
address is evaluated first; if it is one of the allowed addresses, evaluation
stops there and access to the DAD is granted, otherwise a user name and
password are requested from the visitor.
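As an added example (not from the FAQ), the following Python script simulates how Apache evaluates the combined fragment above: the host-based check runs first, and Basic authentication is consulted only when it fails. The addresses, users, passwords and group file are constructed stand-ins; a real AuthUserFile holds htpasswd hashes rather than plaintext.

```python
import hmac

# Constructed stand-ins for the FAQ's httpd.conf fragment (hypothetical values):
# "Deny from all" followed by "Allow from" these two addresses.
ALLOW_FROM = {"192.168.0.10", "192.168.0.11"}
# Constructed user file; a real AuthUserFile holds htpasswd hashes, not plaintext.
USER_FILE = {"devuser1": "s3cret-one", "devuser2": "s3cret-two"}
# Constructed AuthGroupFile content in the FAQ's "group: user user ..." format.
GROUP_FILE = "developers: devuser1 devuser2 devuser3\nqa: qauser1\n"
REQUIRED_GROUP = "developers"


def host_allowed(client_ip, allow_from=ALLOW_FROM):
    """Order Deny,Allow with 'Deny from all': only the listed addresses pass."""
    return client_ip in allow_from


def parse_group_file(text):
    """Parse AuthGroupFile lines ('name: member member ...') into a dict of sets."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep:
            groups[name.strip()] = set(members.split())
    return groups


def user_allowed(user, password, users=USER_FILE, group_text=GROUP_FILE,
                 group=REQUIRED_GROUP):
    """AuthUserFile password check followed by 'Require group developers'."""
    stored = users.get(user)
    if stored is None or not hmac.compare_digest(stored, password):
        return False
    return user in parse_group_file(group_text).get(group, set())


def evaluate(client_ip, user=None, password=None):
    """'Satisfy any': host check first; Basic auth only when the host check fails.

    Returns 'allow', 'challenge' (401 asking for credentials) or 'deny'.
    """
    if host_allowed(client_ip):
        return "allow"       # internal developer, never asked for a password
    if user is None:
        return "challenge"   # remote client that has not sent credentials yet
    return "allow" if user_allowed(user, password) else "deny"


if __name__ == "__main__":
    for args in (("192.168.0.10",), ("203.0.113.7",),
                 ("203.0.113.7", "devuser1", "s3cret-one"),
                 ("203.0.113.7", "devuser2", "wrong")):
        print(args, "->", evaluate(*args))
```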
- Using mod_ssl for SSL certificate-based authentication:
  - Create your own CA (certificate authority) certificate and provide it
    to the SSL engine via the SSLCACertificateFile directive. You may use any
    commercially available certificate server, like Microsoft or Netscape,
    or you may use the OpenSSL engine (provided with mod_ssl) to create your
    own CA certificate.
  - Create certificates for developers and sign them with your CA private
    key, then distribute them to developers. Developers will need to install
    their certificates into the browser and configure it to present this
    certificate to the site where development is done.
  - Use the LocationMatch directive in conjunction with mod_ssl
    authentication directives to restrict access to the development
    interface to only those clients with valid certificates:
    # allow access to other zones with no verification of client cert
    SSLVerifyClient none
    # enforce mod_ssl reconfiguration based on accessed location
    <LocationMatch "^/pls/DPSP(/|$)">
        # should verify client certificate validity against locally known CAs
        SSLVerifyClient require
        # allow only self-signed or your_ca-signed certificates
        SSLVerifyDepth 1
        # make your_ca.crt the only known CA certificate
        SSLCACertificateFile conf/ssl.crt/your_ca.crt
        # use fake basic auth and deny access if SSL is not used
        SSLOptions +FakeBasicAuth +StrictRequire
        # enforce SSL connection
        SSLRequireSSL
        # check for certain fields in client certificate
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Your Company" and \
                   %{SSL_CLIENT_S_DN_OU} eq "DPSP Developers"
    </LocationMatch>
The above example allows access only to clients presenting a client
certificate that is signed by your CA and has O (Organization) set to
"Your Company" and OU (Organizational Unit) set to "DPSP Developers".
For more information, please refer to mod_ssl documentation at
http://www.modssl.org/docs/2.8
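Added example, not part of the FAQ: a Python simulation of the checks the fragment above stacks on each request to the DAD (HTTPS enforced, chain verified against the one known CA within SSLVerifyDepth 1, then the SSLRequire test on the subject fields). The CA subject, chains and DNs are constructed stand-ins for what mod_ssl would supply.

```python
# Constructed stand-ins for the FAQ's mod_ssl fragment (hypothetical values).
TRUSTED_CA = "/C=US/O=Your Company/CN=your_ca"   # subject in your_ca.crt
SSL_VERIFY_DEPTH = 1                             # SSLVerifyDepth 1
REQUIRED_O = "Your Company"                      # SSLRequire %{SSL_CLIENT_S_DN_O}
REQUIRED_OU = "DPSP Developers"                  # SSLRequire %{SSL_CLIENT_S_DN_OU}


def parse_dn(dn):
    """Split a mod_ssl one-line DN ('/C=US/O=Acme/OU=Dev/CN=x') into a dict."""
    parts = {}
    for item in dn.strip("/").split("/"):
        key, _, value = item.partition("=")
        parts[key] = value
    return parts


def chain_accepted(chain, trusted_ca=TRUSTED_CA, depth=SSL_VERIFY_DEPTH):
    """SSLVerifyClient require + SSLVerifyDepth.

    chain lists subjects from the client certificate up to its root. Accept only
    if the root is the locally known CA and at most `depth` issuers sit above
    the client certificate (depth 1 means signed directly by your CA).
    """
    if not chain or chain[-1] != trusted_ca:
        return False
    return len(chain) - 1 <= depth


def ssl_require(client_subject, o=REQUIRED_O, ou=REQUIRED_OU):
    """The FAQ's SSLRequire expression evaluated on the client subject DN."""
    dn = parse_dn(client_subject)
    return dn.get("O") == o and dn.get("OU") == ou


def access_decision(is_https, chain):
    """Order of the checks a request to the DPSP DAD must pass."""
    if not is_https:
        return "deny"        # SSLRequireSSL / +StrictRequire
    if not chain_accepted(chain):
        return "deny"        # handshake rejected: unknown CA or chain too deep
    return "allow" if ssl_require(chain[0]) else "deny"


# Constructed sample subjects.
DEV = "/C=US/O=Your Company/OU=DPSP Developers/CN=devuser1"
OTHER = "/C=US/O=Your Company/OU=Sales/CN=salesuser"
SUB_CA = "/C=US/O=Your Company/CN=intermediate"

if __name__ == "__main__":
    print(access_decision(True, [DEV, TRUSTED_CA]))          # allow
    print(access_decision(True, [OTHER, TRUSTED_CA]))        # deny
    print(access_decision(True, [DEV, SUB_CA, TRUSTED_CA]))  # deny
```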