Expose your Intranet Portal to the Outside World in a Secured Manner

advertisement
Expose your Intranet Portal to the
Outside World in a Secured Manner
(aka. A Secured Inside/Outside Portal)
An Oracle White Paper
Expose your Intranet Portal to the Outside World in
a Secure Manner.
INTRODUCTION
With the introduction of web based technologies, the nature of
business and the way employees interact with an organization has
significantly changed. More and more users are accessing the
applications required to do their jobs via a telecommuting paradigm.
As such, the manner and number location from which employees use
these applications has also increased.
While ubiquitous access to corporate data and applications has
significant benefit for employees who are remote from the corporate
network, it does introduce some significant security concerns. The
granting of access rights to a given employee may be valid, based on
their role within the organization, however if there is no ability to
constrain how/where that user may accesses the information, how is it
possible to prevent the information being, either accidentally or
maliciously, exposed to an inappropriate audience. For example,
while it is reasonable that an employee access their personal HR data
within a secure environment, such as their office, viewing the same
information in a public forum, such as a cyber café, raises the
possibility of having the information read by those for whom it was not
intended. (Such as, simply being read over the user’s shoulder or, as is
unfortunately becoming more common, the use of a Trojan
screen/keyboard reader).
This can be as much of an issue for employees who are working in a
professional capacity within the secured network of a customer or
partner organization. Consultants for example, spend significant
portions of their working week out of the office at client offices. The
temptation to save time by accessing corporate applications (such as
timesheet reporting) is probably extremely high, yet exposes those very
applications to employees of the client organization.
In these scenarios, the use of a VPN is often not practical as it would
not be appropriate to install the client software locally on the machine
in question (especially in the case of the Cyber Café). The benefit of a
Virtual private Network is that is effective places the user on the
corporate network, and hence enables access to the same resources
which would be available to the user internally. Hence while useful for
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 2
a home office, may exacerbate the security issue. As such, for the
scenarios given, it is likely that the remote employees will use the
organizations external website (public) as the entry point to access their
Corporate Portal and associated web applications.
Cyber-Café
Home Office
VPN access
Remote Employees
(eg. Professional Services)
Public
Network
Corporate Network
Figure 1: Ubiquitous Access to the Web introduces the possibility of compromised data.
The issue for Portal administrators is therefore, how, given that access
permissions are based on an Access Control List (ACL) and the user’s
unique identity, is it possible to grant the user access to a page, yet limit
it to only to the secured intranet environment.
This whitepaper will introduce an extension to the OracleAS Portal 10g
(R2) security mechanisms, which allows for the definition of a nonsecured access path, and the subsequent ability to block secured
requests if they originate via that access path. The default extensions
shipped with OracleAS Portal 10g (R2) will cover the following three
requested security extensions.
•
Prevent the viewing of specific Portal pages, if the request
originated from outside of the Corporate Network.
•
Prevent the editing/customization of specific pages, if the user
requesting the page is outside of the Corporate Network.
•
Globally remove the ability for End Users to edit/customize
any accessible any page in the system, if the edit request
originated from outside of the Corporate Network.
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 3
INSIDE/OUTSIDE TOPOLOGY
The approach taken to secure ages from external access is an extension
to the standard OracleAS Portal 10g “Inside/OutSide” configuration as
described in the Oracle Application Server Configuration guide (see
Figure 2). In this configuration the two user communities are
separated through the use of two distinct middle tier installations, each
with it’s own Webcache and Application server. Both Middle-tiers
however are associated with the same Portal repository, allowing for
the same portal and access rights to be used across both the “internal”
and “external” sites.
Note: it is recommended that the two sites do not share the
same URL. This not only simplifies the network configuration
but also enforces different CacheKeys within the Webcache.
By the use of an “Invalidation-Only” cluster content is not shared
between the various cache nodes of the cluster, hence a request that
originated from with-in the secured network will only be cached on the
“Inside” while, conversely, a page request from the external network
will remain in the external cache. The separation of the application
servers to service two different communities further enhances the
security of the site by allowing the deployment of executable code to be
limited on the publicly accessible application server.
https://portal.outside.com
External Firewall
External Users
Reverse Proxy
'
External Application
Server
(Portal Middle-Tier)
On “Unsecured”
Network
Internal Firewall
http://portal.inside.com
“Invalidation-Only”
Cluster
External
Webcache
&
Internal Users
ORA_EXT_REQ
CGI variable
added to
request
Internal
Webcache
Internal Application
Server
(Portal Middle-Tier)
On “Secure” Network
8
Portal Metadata Repository
9
Check for ORA_EXT_REQ in Request
Figure 2: Extended "Inside/Outside" Topology
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 4
While the use of disparate mid-tiers allows for the separation of
content for the two logical communities it does not enforce which
community is which (simply that they are exposing independent
content). If an individual user may access the Portal from either site it
is necessary to physically differentiate the path used for the user’s page
request. In order to determine which community is “Outside” the
middle-tier servicing the page request is “flagged” as an external
service. Hence requests received via this server may be assumed to have
originated from the external “public” network.
The approach used to “flag” the external requests is via the addition of
a Common Gateway Interface (CGI) variable to the request as it
executes on the server that has be designated as “outside”. As the page
request is forwarded to the OracleAS Portal 10g repository for
verification of access privileges, the addition of the CGI variable
(ORA_EXT_REQ) to the request allows the security authorization
code to differentiate between the origins of a page request. That is, a
request from an internal server would not carry the ORA_EXT_REQ
variable.
In order to utilize the path information to further secure pages, an
Access Control List (ACL) modifier package is installed into the Portal
Repository to check for the existence of the CGI variable before
performing the standard permissions checks. This ACL modifier
package will be discussed later in this paper.
Note: The ORA_EXT_REQ variable has no specific value to
control the ability to access a page externally. The modifier
package simply checks for the existence of the variable, not the
value contained within it. As such, if the external server was
compromised and a malicious user was able to set this value, they
would succeed only in decreasing the amount of content available
to them.
Configuration Steps
The high level steps for configuring the prescribed “Inside/Outside”
topology are as follows;
1. Install the Product Metadata Repository on the internal Database
server (either in a custom database or using the Seed Meta-Data
Repository which is installed with the infrastructure install)
2. Install Portal & Wireless Mid-tier on the external mid-tier server,
associate this installation with the Metadata repository configured in
step 1, however DO NOT configure the portal during this
installation process (Note: uncheck to configure portal check-box)
3. Setup an Invalidation-only Web Cache Cluster between the two
mid-tiers configured above. (Refer to the Oracle® Application Server
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 5
Web Cache Administrator's Guide for steps on Configuring
“Administration and Invalidation-Only” Clusters)
4. Using the “Advance Server Properties” page from within the Oracle
Application Server Console edit the Oracle HTTP server and
mod_plsql configuration on the External mid-tier to flag this server
as unsecured (ie that which services the external requests)
Farm > Application Server Instance > HTTP_Server > Admininstration >
Advanced Server Properties
a) Edit the httpd.conf configuration file. Add a line as follows in
the main section:
SetEnv ORA_EXT_REQ
(this is the environment variable which denotes an externally
initiated request).
b) Edit the dads.conf mod_plsql configuration file, add a line
under the configuration entry for the Portal DAD as follows:
PlsqlCGIEnvironmentList ORA_EXT_REQ
c) Restart the HTTP Server:
5. Register both the Internal and external Portal URLs as separate
Partner Applications in the Oracle SSO environment
6. Setup Portal to Send Invalidation Requests to Internal Middle Tier
WebCache invalidation port.
Note: These steps are described in detail within the “Configuring a
Dedicated Intranet and Extranet for OracleAS Portal” chapter of the Oracle®
Application Server Enterprise Deployment Guide. Please refer to this
document for further information on how to configure the Enterprise
“Inside/Outside” topology.
Authorization Modification
In the basic installation of OracleAS Portal 10g, the determination of a
user’s ability to view or edit a page, is based on the definition of an
ACL policy, which references the page and the user (and/or any roles
to which they belong). In other words the user’s privileges are defined
by her as a “named” individual identity, rather than based on a specific
business rule (such as from whence the request originated).
To allow for extensions to this security model the OracleAS Portal 10g
authorization routines have been extended by the introduction of an
“Authorization Modifier Package”. This package is executed prior to
the standard ACL check, and enables additional rules to be evaluated
before interrogating the ACL itself. If the “Authorization Modifier”
succeeds (returns true) then the authorization check falls through to the
default ACL based mechanism in order to determine if the user has the
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 6
appropriate access rights. Conversely, if the “Authorization Modifier”
denies access (returns false) the ACL is not even interrogated, and the
behavior is to act as if the user did not have appropriate privileges for
the operation, even if the ACL would have allowed it.
By default, the installed “Authorization Modification Package” always
returns true, and hence the functionality is effectively disabled. Thus
the determination of access privileges is based solely on the evaluation
of the security ACL’s.
To ‘switch on’ the Authorization modifier it is necessary to replace the
default package body with one that implements the desired business
rule.
“Secure Network Aware” Authorization Modifiers
OracleAS Portal 10g is shipped with three predefined Modifier
packages which allow for the implementation of a “Secure Network
Aware” Portal environment. That is, one which is able to implement
security policies based not only on an ACL, but also on the origin of
the Portal page request.
Script File
Description
cfgamyes.pkb
The default ConFiGuration Authorization Modifier
disables ALL page Editing or Customization
functionality for requests which originate outside of
the secured network
cfgampev.pkb
The ConFiGuration Authorization Modifier for
Page Edit and View, allows for the securing of
individual pages outside of the Secured Network.
That is, the ability to prevent the viewing or editing
of specific pages when the request originated from
outside the secure network environment.
cfgamno.pkb
Returns the Authorization modifier to the default
disabled state.
Table 1: Authorization modifiers supplied
The Modifier packages may be found in the
$ORACLE_HOME/portal/admin/plsql/wwc directory of the
10.1.4 Metadata Repository Upgrade Assistant (MRUA)
To implement the desired function;
1. Connect via SQL*Plus to Database containing the OracleAS
Portal 10g Metadata Repository.
2. Login as the Portal schema
3. Execute the appropriate package body script file to over-write
the current Authorization Modifier installed.
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 7
Default Authorization Modifier
This implementation of the Authorization Modifier package uses the
existence of the ORA_EXT_REQ CGI environment variable
described above to recognize that the request has been received on a
server that has been designated as publicly accessible, and hence should
be considered outside of the “Secure Network” environment.
Once compiled into the Authorization packages, any request from
“outside” of the network which involves an Edit request is
automatically disabled. That is, all “customize” and “Edit” links are
removed from the page and direct edit URL references are disallowed.
The effect of the default modifier can be seen in Figure 3 below.
A Local Network request with Edit Privileges Allowed
http://ptlsrv-inside.au.oracle.com:7777/portal/page?_pageid=33,35139&_dad=portal&_schema=PORTAL
An External Network request with all Edit Privileges Blocked
Ability to edit page is globally
blocked for ALL users.
Both Edit & Customize removed
from the page.
http://ptlsrv-outside.au.oracle.com:7777/portal/page?_pageid=33,35139&_dad=portal&_schema=PORTAL
Figure 3: The effect of applying the Default Modifier on a user’s ability to
Edit/Customize the portal externally.
Page View and Edit Authorization Modifier
Securing Specific Pages
The more specific Authorization Modifier (cfgampev) also uses the
CGI variable to determine an external request. It however uses it in
conjunction with defined page meta-data, in the form of a custom page
attribute, to localize the desired inside/outside security to a subset of
pages within the portal.
Hence the ability to have externally available view and/or edit
privileges on a specific page is determined on whether one or both
named attributes are defined in the page in question.
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 8
Preventing External Viewing of a Specific Page
The ability to view a page externally is determined by the
'isViewRestricted'’ named custom attribute. Once defined as part of
the page description (through the use of a custom page template - see
below) the setting of this attribute will determine dynamically if the
page is to be viewable, or not. That is, when set to 'On' external
viewing of the page is prevented, while a value of 'Off' (the default)
indicates it is to be available externally. From the perspective of the
end user, the activation of this rule has the effect of removing any links
which reference the page as well as preventing any direct URLs to it
(such as via a browser bookmark). An example of the effect of the
“View Restricted” modifier may be seen in Figure 4.
A Local Network request to view a secured page
http://ptlsrv-inside.au.oracle.com:7777/portal/page?_pageid=33,35139&_dad=portal&_schema=PORTAL
A “Network Secured Page” is NOT
exposed, if the request originates
from outside of the Local Network!
An External Network request by the same user
http://ptlsrv-outside.au.oracle.com:7777/portal/page?_pageid=33,35139&_dad=portal&_schema=PORTAL
Figure 4: The effect of the "ViewRestricted" modifier is to remove evidence of the
secured page from external requests
Preventing External Edits and Customization for a Specific Page
In a similar manner, the use of another named attribute,
'isEditRestricted' will dictate whether a specific page may be edited
from outside of the “secured network”.
Note: This is different to the “Default Modifier” which globally
turns off the ability to perform any edit function on any page
within the Portal.
When the value of this attribute is set to ‘On’ the ability to
edit/customize the page is revoked, while setting it to 'Off' indicates
edits from “outside” are to be allowed. As can be seen from figure 5,
the effect of setting this attribute is to not only remove the page level
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 9
edit links, but also revoke the edit/customize capability of the Portlets
embedded within the page.
A Local Network request to view a secured page
http://ptlsrv-inside.au.oracle.com:7777/portal//page?_pageid=33,35142&_dad=portal&_schema=PORTAL
http://ptlsrv-outside.au.oracle.com:7777/portal//page?_pageid=33,35142&_dad=portal&_schema=PORTAL
An External Network request by the same user
The ability to edit a specific “Network
Secured Page” may be revoked if the
page request originated from outside
of the Local Network
Figure 5: The effect of the "EditRestricted" modifier is to remove the ability to
Edit/Customize the secured page externally
Defining Required Page Attributes for use with
Authorization Modifiers
While the attributes described above are not currently part of the
standard page meta-data, the extensible page model allows us to add
them in the form of “Custom Attributes” to our page definition. By
the creation of a custom page type to be used as the basis of the
“inside/outside” secureable pages it is a simple process to allow a page
designer to define declaratively whether the page is to be internally
secured or accessable both from with-in and with-out the secured
network. The following section documents the steps required to create
the appropriate page type used to secure a page via the “Authorization
Modifier” functions decribed above.
1.
From within the “Portal Navigator”, drill into the “Shared
Objects” node to define both the custom Attribute and Page types.
It is recommended that these be defined as “Shared Objects”
rather than scoped to a specific Page Group, as it allows for their
reuse across multiple Page Groups.
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 10
Figure 6 : Portal Navigator "Shared Objects" node
2.
Selecting the Attribute link, define a custom attribute with the
or
specific
name
of
either
“isViewRestricted”
“isEditRestricted” depending on the functionality desired. Take
special care to match the case structure of the name, as the
Authorization modifier rule is CASE sensitive.
Set the data-type of the attribute to BOOLEAN.
Note: In order to simplify the use of custom meta-data the
Oracle Portal 10.1.4 “Create Attribute” page no longer allows
for the separate definition of the attribute’s name. Instead
this is generated from the user supplied display name
(truncating any spaces). As such, it is easiest to create the
attribute with an initial display name matching the required
attribute name (in this case “isViewRestricted”) thus creating
an attribute of the same name.
Having created the initial attribute definition, edit the Display
name to reflect the function of the attribute. (See figure 7)
Figure 7 : Custom Attribute Definition
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 11
3.
Once the required custom attribute is defined it needs to be made
part of the meta-data of the page.
a. Create a “Custom Page Type” to define a “Network Securable
Page” based on the Standard Base Page type.
Note: As with the creation of the Custom Attribute Oracle
Portal 10.1.4 initially generates the Type name from the user
supplied display name (truncating any spaces). As the physical
type name is not used by the Authorization modifier, it should
be set to something that is meaningful, as it will be exposed in
the Page Design UI.
b. Edit the new Page Type and define the attributes associated
with it by selecting the Attributes tab.
c. Within the “Shuttle Picker” highlight the new custom attributes
and move them to the right hand side. Click the Apply button,
which will associate the attributes with the new page type and
expose their Properties in the Page Type Attributes tab.
d. Set the default value of the attribute to either “ON” or “OFF”
depending on your security requirements.
e. Check the “Required” Check Box in order for the Attribute
(and display name) to be exposed in the Page Type and
subsequently Page Designer user interfaces.
Figure 8: Define Custom Page type on which to build "Network Securable" pages
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 12
Figure 9: Associate the “network security” attributes with the custom Page Type.
4. Configure the Page Group to expose the new Page Type.
Note: Given the Network Securable page is based on the Standard
Base type you may wish to remove the standard type and expose
the new “secured” version in it’s place
Figure 10: Defining the Page Types to be available within page group
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 13
Defining a Network Secured page
Having defined the “Network Secured” page type and associated it
with the page group, it is a simple task for the Page Designer to select
the appropriate page type and check which network security rule are to
be enforced. That is, whether the page they are designing should be
constrained to the Local network, or be exposed to a less secure
environment.
Figure 11 : Page designers can now declaratively define if their page should be “Network Securable”
Restrictions on Authorization Modifiers
The techniques described in this white paper rely on the fact that the
page request in question would, under normal circumstances, be
defined by a security policy, and as such; access control would be
applied. Consequently there are a number of caveats that should be
taken into account for this functionality to perform as expected.
1. The Page in question must be a “Secured Page” and may
not be defined as a PUBLIC page.
Based on the fact that public pages are available to all users,
regardless of whether they have authenticated or not, they are
not scrutinized for access control, and hence the authorization
code, and subsequent modifier, is not called prior to displaying
the page.
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 14
Therefore it is a minimum requirement that “VIEW” privilege
be granted to the “AUTHENTICATED_USERS” group for
the page.
2. User cannot be defined as a “SITE Owner”.
Site Owners are assumed to have MANAGE privilege over any
page in the Site owned by them. As such, they effectively have
“super-user” privileges and there is no requirement to perform
an authorization check. In this case the authorization code is
again not called prior to displaying the page.
3. User should not have Global Edit Privileges
As with the user being defined as the “SITE Owner”, the
granting of the Global “EDIT ANY PAGE” privilege indicates
that the user in question should have the right to edit any page
in the system, regardless of the ACL’s defined. As such, the
page level authorization is ignored and the Authorization
Modifier not executed.
4. Page Security Should be defined at the “Page Level”
In many cases it is more convenient to define the access control
privilege at the Page Group Level and allow the individual page
to inherit the privilege. In the case of the Authorization
Modifier this would then restrict all pages in the Page group
rather than only those pages requiring the external restriction.
Conclusion
As the web makes ubiquitous access to corporate data possible and as
more employees take advantage of the flexibility of “tele-commuting”;
the onus is on systems administrators to secure their environment, such
that information is not inadvertently exposed to those for whom it was
not intended. Increasingly, it has become necessary to treat as possibly
hostile, any request that has not originated from within the physical
confines of the local network. As such, these external requests should
be limited to the minimum possible functionality.
This white paper has introduced the concept and techniques for
implementing a secured “Inside/Outside” topology for OracleAS
Portal 10g which allows a users access privileges to be determined not
only by their identity but also by the path used to access the Portal.
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 15
Appendix
Object level functions allowed by the default Authorization Modifier.
Object
Privilege
ADCALEND
EXECUTE
ADCHART
EXECUTE
ADFORM
EXECUTE
ADFORMPR
EXECUTE
ANY_APPLICATION
EXECUTE
ANY_ITEM
VIEW
ANY_LOG
VIEW
ANY_PAGE
VIEW
ANY_PORTLET
ACCESS
ANY_SCHEMA
VIEW
ANY_SITE
VIEW
ANY_STYLE
VIEW
APPLICATION
EXECUTE
AREPORT
EXECUTE
CHART
EXECUTE
DATACELL
DATAPTL
DOCUMENT
VIEW
EXECUTE
VIEW
DRIVER
EXECUTE
DYNAMIC
EXECUTE
FOP
EXECUTE
FOT
EXECUTE
HIERARCH
EXECUTE
IMGCHART
EXECUTE
ITEM
VIEW
LINK
EXECUTE
LOV
EXECUTE
MDF
EXECUTE
Allowed?
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 16
MDFORM
EXECUTE
MENU
EXECUTE
PAGE
VIEW
PORTLET
ACCESS
PORTLET_NON_LOCAL
ACCESS
QBEFORM
EXECUTE
REPORT
EXECUTE
RWCAL
EXECUTE
RWCPC
EXECUTE
RWPRN
EXECUTE
RWREP
EXECUTE
RWSVR
EXECUTE
SCHEMA
VIEW
SITE
VIEW
UIFORM
EXECUTE
URLPTL
EXECUTE
XMLPTL
EXECUTE
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
9
Expose your Intranet Portal to the Outside World in a Secured Manner - Page 17
Expose your Intranet Portal to the Outside World in a Secure Manner
Author: Barry Hiern
Contributing Authors: Paul Encarnación, Sunil Marya, Peter Lubbers
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
www.oracle.com
This document is provided for information purposes only and the contents hereof are subject to change
without notice.
This document is not warranted to be error-free, nor subject to any other warranties or conditions,
whether expressed orally or implied in law, including implied warranties and conditions of
merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to
this document and no contractual obligations are formed either directly or indirectly by this document.
This document may not be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without our prior written permission.
Oracle, JD Edwards, and PeopleSoft are registered trademarks of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective owners.
Download