APPS - midtier security options
2003-DEC-09 17:41:27
APPS - midtier (middletier) security options
Administering Server Security
Release 11i is deployed in a multi-tier configuration with one
Database Server and many possible middle-tier Application Servers.
The Application Servers include Apache JSP/Servlet, Forms,
Discoverer and also some client programs such as Application
Desktop Integrator. Any program which makes a SQLNET connection
to the apps database needs to be trusted at some level. The
requirement is to ensure that such SQLNET connections are coming
from trusted machines and/or trusted programs.

The Server Security feature of Application Object Library supports
authentication of application server machines and code modules in
order to access the database. When Server Security is activated,
Application Servers are required to supply server IDs (like passwords)
and/or code IDs to access a database server. Server IDs identify
the machine from which the connection is originating. Code IDs
identify the module and patch level from which the connection is
originating. Code IDs are included in applications code by
development. The database server can be set to allow access only
from specific machines and/or by code at a desired patch level.

The application server security feature is not initially
activated. You may activate it after applying patch 1785034
(Server Security feature only) or patch 1779336 (Server Security
and latest application server connection code).

Application Server Security can be OFF or on one of two active
states:

OFF    - Server security is not checked. Any application
         server machine can access the database. Code IDs
         are not checked. Use this option on
         test systems or if you have full control over the
         software on all machines which can physically access
         your database.

ON     - Some level of trust is required to access the
         database. Either the application server must be
         registered with the database or the code must pass a
         module and version ID known to be trusted. Use
         this option only if you wish to maintain
         compatibility with application servers that you
         cannot yet patch to the code level required for best
         security.

SECURE - Full trust is required for access to the database.
         Only registered application server machines may
         connect. Only trusted code modules may connect.
         This mode requires the latest application server
         connection code delivered in patch 1779336, along
         with latest versions of any client server programs.
         Do not enable this mode until these have been applied.

Test case:

1. Apply patch# 1779336

2. Create DBC file:

jre oracle.apps.fnd.security.AdminAppServer apps/apps ADD \
    SECURE_PATH="$FND_TOP/secure" \
    GWYUID=applsyspub/pub \
    FNDNAM=APPS \
    APPS_JDBC_DRIVER_TYPE=THIN \
    GUEST_USER_PWD=guest/guest \
    DB_HOST=backendbox \
    DB_PORT=1521 \
    DB_NAME=sidname

midtierbox.applmgr->cat backendbox_sidname.dbc
#DB Settings
#Thu Dec 06 11:30:02 PST 2001
APPL_SERVER_ID=9477C1BD94X85D15E034080020C6XC9328071224883825618064237811877120
APPS_JDBC_DRIVER_TYPE=THIN
GUEST_USER_PWD=guest/guest
DB_HOST=backendbox
DB_NAME=sidname
FNDNAM=APPS
GWYUID=applsyspub/pub
DB_PORT=1521

3. Enable SECURE authentication

jre oracle.apps.fnd.security.AdminAppServer apps/apps \
    AUTHENTICATION SECURE DBC=/u01/app/applmgr/11.5/fnd/11.5.0/secure/backendbox_sidname.dbc

midtierbox.applmgr->cat backendbox_sidname.dbc
#DB Settings
#Thu Dec 06 11:30:02 PST 2001
APPL_SERVER_ID=9477C1BD94X85D15E034080020C6XC9328071224883825618064237811877120
APPS_JDBC_DRIVER_TYPE=THIN
GUEST_USER_PWD=guest/guest
DB_HOST=backendbox
DB_NAME=sidname
FNDNAM=APPS
GWYUID=applsyspub/pub
DB_PORT=1521
midtierbox.applmgr->

SQL> l
  1* select * from fnd_apservers
SQL> /

SERVER_ID                                                        SERVER_ADDRESS   DESCRIPTION          CREATED_BY CREATION_ LAST_UPN
---------------------------------------------------------------- ---------------- -------------------- ---------- --------- --------
936FC05439X61DB5E034080020X3743040762879291634330219203134968991 198.206.187.118                                0 23-NOV-01        0
9477C1BD94X85D15E034080020C6XC9328071224883825618064237811877120 198.206.187.178                                0 06-DEC-01        0
SECURE                                                           *                Authentication Value          0 06-DEC-01        0

4. Disable authentication

jre oracle.apps.fnd.security.AdminAppServer apps/apps \
    AUTHENTICATION OFF DBC=/u01/app/applmgr/11.5/fnd/11.5.0/secure/backendbox_sidname.dbc

SQL> select * from fnd_application_servers;

SERVER_ID                                                        SERVER_ADDRESS   DESCRIPTION          CREATED_BY CREATION_ LAST_UPN
---------------------------------------------------------------- ---------------- -------------------- ---------- --------- --------
936FC05439X61DB5E034080020X3743040762879291634330219203134968991 198.206.187.118                                0 23-NOV-01        0
9477C1BD94X85D15E034080020C6XC9328071224883825618064237811877120 198.206.187.178                                0 06-DEC-01        0
OFF                                                              *                Authentication Value          0 06-DEC-01        0

5. Enable Basic(ON) authentication

jre oracle.apps.fnd.security.AdminAppServer apps/apps \
    AUTHENTICATION ON DBC=/u01/app/applmgr/11.5/fnd/11.5.0/secure/backendbox_sidname.dbc

SQL> col SERVER_ADDRESS format a16
SQL> col DESCRIPTION format a20
SQL> set lines 300
SQL> set trims on
SQL> select * from fnd_application_servers;

SERVER_ID                                                        SERVER_ADDRESS   DESCRIPTION          CREATED_BY CREATION_ LAST_UPN
---------------------------------------------------------------- ---------------- -------------------- ---------- --------- --------
936FC05439X61DB5E034080020X3743040762879291634330219203134968991 198.206.187.118                                0 23-NOV-01        0
9477C1BD94X85D15E034080020C6XC9328071224883825618064237811877120 198.206.187.178                                0 06-DEC-01        0
ON                                                               *                Authentication Value          0 06-DEC-01        0

SQL>

REFERENCE:
Patch 1779336
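
An added example, not part of the original post and not Oracle code: a small Python audit that takes the text of a DBC file and the rows of fnd_application_servers and reports the authentication mode, whether the file's APPL_SERVER_ID is registered, and whether the file is world-readable. It assumes, from the query output above, that the row with SERVER_ADDRESS '*' holds the mode in SERVER_ID; the function names, sample IDs and addresses are constructed for illustration.

```python
import stat

def parse_dbc(text):
    """Parse KEY=VALUE lines of a .dbc file; lines starting with '#' are comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(dbc_text, server_rows, file_mode=None):
    """Return (mode, findings) for one DBC file.
    server_rows: (SERVER_ID, SERVER_ADDRESS) pairs from fnd_application_servers.
    Assumption taken from the query output in the post: the row whose address
    is '*' carries the authentication mode (OFF, ON or SECURE) in SERVER_ID.
    """
    findings = []
    mode = next((sid for sid, addr in server_rows if addr == "*"), None)
    registered = {sid for sid, addr in server_rows if addr != "*"}
    if mode is None:
        findings.append("no '*' row: authentication mode unknown")
    elif mode != "SECURE":
        findings.append(f"mode is {mode}: a registered server ID is not mandatory")
    server_id = parse_dbc(dbc_text).get("APPL_SERVER_ID")
    if not server_id:
        findings.append("DBC file has no APPL_SERVER_ID")
    elif server_id not in registered:
        findings.append("APPL_SERVER_ID is not registered in the database")
    # The server ID works like a password, so flag a file any local user can read.
    if file_mode is not None and file_mode & stat.S_IROTH:
        findings.append("DBC file is world-readable")
    return mode, findings

# Constructed sample data (placeholder IDs and documentation-range addresses).
SAMPLE_DBC = "#DB Settings\nAPPL_SERVER_ID=CONSTRUCTED-ID-0002\nDB_HOST=backendbox\nDB_PORT=1521\n"
SAMPLE_ROWS = [
    ("CONSTRUCTED-ID-0001", "192.0.2.10"),
    ("CONSTRUCTED-ID-0002", "192.0.2.11"),
    ("ON", "*"),
]

if __name__ == "__main__":
    mode, findings = audit(SAMPLE_DBC, SAMPLE_ROWS, file_mode=0o644)
    print("authentication mode:", mode)
    for finding in findings:
        print(" -", finding)
```

In practice file_mode would come from os.stat(path).st_mode and server_rows from the query shown in the test case.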