
Security

Overview

There are two main areas to consider for security and user authentication when using iSQL*Plus:

In this release of iSQL*Plus, security for the connection between the web browser and the Oracle HTTP Server is provided by standard HTTPS, which is fully supported by Oracle. It enables secure listener connections with an Oracle-provided encryption mechanism via the Secure Sockets Layer (SSL). It can be implemented when installing the Oracle HTTP Server by installing the mod_ssl module. For detailed information about implementing HTTPS security in Oracle, see the Oracle Advanced Security Administrator's Guide.

The Oracle Net connection between the iSQL*Plus Server and Oracle9i provides the same security as in previous client server architectures. For more information about Oracle Net connection security, see the Oracle Net Services Administrator's Guide and the Oracle Advanced Security Administrator's Guide.

Privileges

There are three modes of access to iSQL*Plus:

Enabling User Security

You may want to limit the users who can access iSQL*Plus. Oracle HTTP Server authentication is required for SYSDBA and SYSOPER connections, but is not required otherwise. You can edit the isqlplus.conf file to enable Oracle HTTP Server authentication for user connections by changing the following lines:

<Location /isqlplus>
  SetHandler fastcgi-script
  Order deny,allow
  Allow from all
</Location>

to:

<Location /isqlplus>
  SetHandler fastcgi-script
  Order deny,allow
  AuthType Basic
  AuthName 'iSQL*Plus'
# The following line is for UNIX; comment out the Windows line.
  AuthUserFile $ORACLE_HOME/sqlplus/admin/iplus.pw
# The following line is for Windows; comment out the UNIX line.
  AuthUserFile %ORACLE_HOME%\sqlplus\admin\iplus.pw
  Require valid-user
</Location>

You may find that the lines already exist in the isqlplus.conf file and you only need to remove the comments. iplus.pw is suggested as the file to contain the Oracle HTTP Server authentication usernames and passwords for user connections. Now, whenever a user connection is requested, users are not only required to enter their Oracle9i username and password, but they are also prompted to enter an Oracle HTTP Server authentication username and password.

Enabling Restricted Database Access

You may want to limit the databases that users can access in iSQL*Plus to a restricted list. When restricted database access has been enabled, a dropdown list of available databases is displayed in place of the Connection Identifier text field. This allows greater security for iSQL*Plus Servers in hosted environments.

You can edit the isqlplus.conf file to enforce restricted database access by changing the following line:

FastCgiServer ... -initial-env "iSQLPlusConnectIdList=SID1, SID2,..."

where SID1, SID2, ... is a comma separated list of Oracle Net connection identifiers specifying the permitted databases. For example:

FastCgiServer ... -initial-env "iSQLPlusConnectIdList=ABC1, PROD2, DEV3"

No quotes or embedded whitespace are allowed in a connection identifier, and connection identifiers are case insensitive. Each connection identifier should be identical to an alias in the tnsnames.ora file.

There are several initialization parameters that are set in one statement in the isqlplus.conf file. You should leave existing elements intact.

Once set, all connections made through the Login screen, all Dynamic Reports and any connections attempted with the CONNECT command are refused unless the connection is to one of the databases in the restricted list.

Similarly, if SET INSTANCE is used, the connection identifier defined must match an entry in iSQLPlusConnectIdList or the connection is refused.

If no connection identifier is given, or if the one given does not match an entry in iSQLPlusConnectIdList, the database connection is refused and the following error occurs:

SP2-0884: Connection to database database_name is not allowed

If iSQLPlusConnectIdList is set, the Connection Identifier: text field on the Login screen is replaced by a dropdown list containing the restricted list of connection identifiers defined by iSQLPlusConnectIdList, and in the order defined in iSQLPlusConnectIdList.
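The following is an added example, not part of the iSQL*Plus documentation or Oracle's own code: it models the iSQLPlusConnectIdList rules stated above (comma separated list, no quotes or embedded whitespace, case-insensitive matching, dropdown order preserved, SP2-0884 on refusal) so an administrator can sanity-check a planned isqlplus.conf line before deploying it. The sample conf line is constructed, and rejecting a malformed identifier with an exception is this example's choice, not documented iSQL*Plus behaviour.

```python
import re

SP2_0884 = "SP2-0884: Connection to database {} is not allowed"

# Constructed sample of the isqlplus.conf line; the "..." stands in for the
# other FastCgiServer arguments the documentation elides.
SAMPLE_CONF_LINE = (
    'FastCgiServer ... -initial-env "iSQLPlusConnectIdList=ABC1, PROD2, DEV3"'
)


def parse_connect_id_list(conf_line):
    """Return the ordered list of permitted connection identifiers, or None
    when iSQLPlusConnectIdList is not set on the line (access unrestricted)."""
    m = re.search(r'-initial-env\s+"iSQLPlusConnectIdList=([^"]*)"', conf_line)
    if not m:
        return None
    ids = []
    for raw in m.group(1).split(","):
        ident = raw.strip()  # blanks around the comma separators are tolerated
        if not ident:
            continue
        # No quotes or embedded whitespace are allowed in an identifier.
        # Raising here is an assumption of this example, not documented behaviour.
        if any(ch in ident for ch in "'\"") or any(ch.isspace() for ch in ident):
            raise ValueError("invalid connection identifier: %r" % raw)
        ids.append(ident)
    return ids


def check_connection(requested, permitted):
    """Return None when the connection is allowed, otherwise the SP2-0884 text.
    Identifiers compare case-insensitively; a missing identifier is refused."""
    if permitted is None:
        return None  # no restricted list configured
    allowed = {p.upper() for p in permitted}
    if not requested or requested.upper() not in allowed:
        return SP2_0884.format(requested)
    return None


def login_dropdown(permitted):
    """The Login screen lists the identifiers in the order defined in the conf."""
    return list(permitted)
```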

Adding Entries to an Oracle HTTP Server Authentication File

To connect with SYSDBA or SYSOPER privileges, or to generate the iSQL*Plus Server Statistics report, your username and password must be added to the iSQL*Plus authentication file for the Oracle HTTP Server. For example, on installation in Windows, the authentication file is created with no user entries at %ORACLE_HOME%\sqlplus\admin\iplusdba.pw. The username and password used in the authentication file are independent of the Oracle9i username and password.

If you have enabled Oracle HTTP Server authentication for user connections, you need to create a separate authentication file to contain username/password entries for user level connections. See "Enabling User Security" for information about enabling user level Oracle HTTP Server authentication.

To create a new entry in an Oracle HTTP Server authentication file on Windows:

  1. Log in to the machine running the Oracle HTTP Server as the Oracle HTTP Server administrator.

  2. Open a terminal.

  3. Run the htpasswd utility to add users to the authentication file. htpasswd is usually located in %ORACLE_HOME%\Apache\Apache\bin. For SYSDBA or SYSOPER users, use the form:

    htpasswd %ORACLE_HOME%\sqlplus\admin\iplusdba.pw username

    For user connections, where iplus.pw has been created as an empty authentication file, use the form:

    htpasswd %ORACLE_HOME%\sqlplus\admin\iplus.pw username

    In both cases you are prompted for the associated password. For further information about htpasswd, see the Oracle HTTP Server documentation.

To create a new entry in an Oracle HTTP Server authentication file on UNIX:

  1. Log in to the machine running the Oracle HTTP Server as the Oracle HTTP Server administrator.

  2. Open a terminal.

  3. Run the htpasswd utility to add users to the authentication file. htpasswd is usually located in $ORACLE_HOME/Apache/Apache/bin. For SYSDBA or SYSOPER users, use the form:

    htpasswd $ORACLE_HOME/sqlplus/admin/iplusdba.pw username

    For user connections, where iplus.pw has been created as an empty authentication file, use the form:

    htpasswd $ORACLE_HOME/sqlplus/admin/iplus.pw username

    In both cases you are prompted for the associated password.

For further information about htpasswd, see the Oracle HTTP Server documentation.

Usage Notes

The following notes may assist you in understanding and configuring iSQL*Plus:
