Oracle HTTP Server Administrator’s Guide, 10g Release 1 (10.1) Part No. B12255-01 Copyright © 2003 Oracle Corporation. All rights reserved.
Contents
Send Us Your Comments; Preface; Intended Audience; Documentation Accessibility
Understanding Modules; Classes of Directives; Scope of Directives; Container Directives
Running Oracle HTTP Server as Root; Additional Security Considerations; Handling Server Processes; ServerType
Specifying Log Level; Specifying Log Files; Access Log; CustomLog
mod_headers; mod_imap; mod_include; mod_info
Rewrite Rules Hints; Redirection Examples; mod_setenvif; mod_so
Sending Proxy Sensitive Requests to Oracle HTTP Server Behind a Firewall; Oracle HTTP Server Version Number; Apache v2.0 Support with Oracle Database, 10g Release 1 (10.1); Applying Apache Security patches to Oracle HTTP Server; Supporting PHP
mod_perl 1.26 License; Perl Artistic License; Preamble; Definitions
Send Us Your Comments
Oracle HTTP Server Administrator’s Guide, 10g Release 1 (10.1) Part No. B12255-01
Oracle Corporation welcomes your comments and suggestions on the quality and usefulness of this document. Your input is an important part of the information used for revision.
Preface
This guide describes how to administer the Oracle HTTP Server.
Intended Audience
The Oracle HTTP Server Administrator’s Guide is intended for database administrators and security managers.
Documentation Accessibility
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology.
Organization
This document contains:
Chapter 1, "Oracle HTTP Server Overview"
This chapter describes the Oracle HTTP Server, highlighting the differences between the Oracle distribution and the open source Apache product on which it is based. It also explains how to start, stop and restart the server.
Chapter 2, "Oracle HTTP Server Concepts"
This chapter introduces you to the Oracle HTTP Server directory structure, and configuration files, configuration file syntax, modules, and directives.
Chapter 9, "Frequently Asked Questions"
This chapter provides answers to frequently asked questions about Oracle HTTP Server.
Chapter A, "Oracle HTTP Server Configuration Files"
This appendix lists commonly used Oracle HTTP Server configuration files.
Chapter B, "Third Party Licenses"
This appendix includes the Third Party License for all the third party products included with Oracle Database.
Glossary
The glossary defines terminology used throughout this guide and the Oracle Database documentation set.
Conventions
This section describes the conventions used in the text and code examples of this documentation set. It describes:
■ Conventions in Text
■ Conventions in Code Examples
■ Conventions for Windows Operating Systems
Conventions in Text
We use various conventions in text to help you more quickly identify special terms. The following table describes those conventions and provides examples of their use.
Convention: lowercase monospace (fixed-width) font
Meaning: Lowercase monospace typeface indicates executables, filenames, directory names, and sample user-supplied elements. Such elements include computer and database names, net service names, and connect identifiers, as well as user-supplied database objects and structures, column names, packages and classes, usernames and roles, program units, and parameter values.
Example: Enter sqlplus to open SQL*Plus. The password is specified in the orapwd file.

Convention: ...
Meaning: Horizontal ellipsis points indicate either:
■ That we have omitted parts of the code that are not directly related to the example
■ That you can repeat a portion of the code
Example: CREATE TABLE ... AS subquery; SELECT col1, col2, ... , coln FROM employees;

Convention: . . .
Meaning: Vertical ellipsis points indicate that we have omitted several lines of code not directly related to the example.
Example: SQL> SELECT NAME FROM V$DATAFILE; NAME -----------------------------------/fsl/dbs/tbs_01.

Conventions for Windows Operating Systems
The following table describes conventions for Windows operating systems and provides examples of their use.

Convention: Choose Start >
Meaning: How to start a program.
Example: To start the Database Configuration Assistant, choose Start > Programs > Oracle - HOME_NAME > Configuration and Migration Tools > Database Configuration Assistant.

Convention: File and directory names
Meaning: File and directory names are not case sensitive.
Example: c:\winnt"\"system32 is the same as

Convention: ORACLE_HOME and ORACLE_BASE
Meaning: In releases prior to Oracle8i release 8.1.3, when you installed Oracle components, all subdirectories were located under a top level ORACLE_HOME directory. For Windows NT, the default location was C:\orant. This release complies with Optimal Flexible Architecture (OFA) guidelines. All subdirectories are not under a top level ORACLE_HOME directory.
Example: Go to the ORACLE_BASE\ORACLE_HOME\rdbms\admin directory.
1 Oracle HTTP Server Overview
This chapter describes the Oracle HTTP Server, highlighting the differences between the Oracle distribution and the open source Apache product on which it is based. It also explains how to start, stop and restart the server.
Oracle HTTP Server Features
Oracle HTTP Server is the Web server component of Oracle Database. It is based on the Apache HTTP Server, version 1.3.28. It is a robust, reliable Web server, preconfigured to do the following:
■ provide a high availability infrastructure integration with Oracle Process Manager and Notification Server (OPMN), for process management, death detection and failover for Oracle HTTP Server processes.
Oracle HTTP Server Components
Oracle HTTP Server consists of several components that run within the same process. These components provide the extensive list of features that Oracle HTTP Server offers when handling client requests. Following are the major components:
■ HTTP Listener: Oracle HTTP Server is based on an Apache HTTP listener to serve client requests. An HTTP server listener handles incoming requests and routes them to the appropriate processing utility.
Table 1–1 Oracle HTTP Server Modules (Cont.)
Module Oracle Support Notes
mod_auth_db No mod_auth_dbm No mod_auth_digest No Disabled. Not shipped by Oracle. Disabled. Experimental MD5 authentication; not shipped by Oracle.
Table 1–1 Oracle HTTP Server Modules (Cont.)
Module Oracle Support Notes
mod_onsint Yes Oracle module. mod_ossl Yes Oracle module. mod_perl Yes mod_plsql Yes mod_proxy Yes mod_rewrite Yes mod_setenvif Yes mod_so Yes mod_speling Yes mod_status Yes mod_unique_id Yes mod_userdir Yes mod_usertrack Yes mod_vhost_alias Yes Oracle module.
Oracle HTTP Server Management
You can manage Oracle HTTP Server using opmnctl. It is the command-line utility for Oracle Process Manager and Notification Server (OPMN) for process management. It is located in
■ UNIX: ORACLE_HOME/opmn/bin
■ Windows: ORACLE_HOME\opmn\bin
See Also: Oracle Process Manager and Notification Server Administrator’s Guide for more information on opmnctl.
Starting, Stopping, and Restarting Oracle HTTP Server
Stopping Oracle HTTP Server
To stop Oracle HTTP Server, use the stopproc command:
■ UNIX: ORACLE_HOME/opmn/bin> opmnctl [verbose] stopproc ias-component=HTTP_Server
■ Windows: ORACLE_HOME\opmn\bin> opmnctl [verbose] stopproc ias-component=HTTP_Server
Restarting Oracle HTTP Server
Restarting Oracle HTTP Server performs a graceful restart, which is invisible to clients. In a graceful restart, on UNIX, a USR1 signal is sent.
2 Oracle HTTP Server Concepts
This chapter introduces you to the Oracle HTTP Server directory structure, and configuration files, configuration file syntax, modules, and directives. Topics discussed are:
■ Understanding Oracle HTTP Server Directory Structure
■ Accessing Configuration Files
■ Configuration Files Syntax
■ Understanding Modules
■ Classes of Directives
■ Scope of Directives
■ About .htaccess Files
Documentation from the Apache Software Foundation is referenced when applicable.
Understanding Oracle HTTP Server Directory Structure
Oracle HTTP Server is installed in the ORACLE_HOME/Apache directory on UNIX or ORACLE_HOME\Apache directory on Windows for configuring modules. For example, the modplsql folder contains the subdirectories necessary to configure and run PL/SQL applications. The Apache directory is located at the top level under the ORACLE_HOME. It contains subdirectories for configuring modules mod_plsql.
Understanding Modules
Oracle HTTP Server is a modular server. Modules extend the basic functionality of the Web server, and support integration between Oracle HTTP Server and other Oracle Database components. Oracle HTTP Server includes Apache modules as well as Oracle HTTP Server modules. You can add modules using the LoadModule directive. Following is an example of LoadModule usage.
LoadModule status_module modules/mod_status.
Scope of Directives
Directives placed in the main configuration files apply to the entire server. If you wish to change the configuration for only a part of the server, you can scope your directives by placing them in specific sections. The following section discusses the following types of directives:
■ Container Directives
■ Block Directives
Container Directives
Container directives specify the scope within which directives take effect.
It should be used when specifying regular expressions, instead of using the tilde form of with wildcards in the directory specification. The following two examples have the same result, matching directories starting with web and ending with a number from 1 to 9: The and directives support access control by filename.
Functions in an identical manner to and you should use it for specifying regular expressions instead of the tilde form of with wildcards in the location specification. For example: matches the URLs that contained the /extra/data or /special/data substring. defines a block according to the HTTP method of the incoming request.
Oracle HTTP Server can serve many different Web sites simultaneously. Directives can also be scoped by placing them inside sections, so that they will only apply to requests for a particular Web site. Virtual host refers to the practice of maintaining more than one server on one machine, as differentiated by their apparent hostname.
3 Specifying Server and File Locations
This chapter explains how to set Oracle HTTP Server and server administrator options, and specifies file locations. Topics discussed are:
■ Setting Server and Administrator Functions
■ Specifying File Locations
Documentation from the Apache Software Foundation is referenced when applicable.
Note: Readers using this guide in PDF or hard copy formats will be unable to access third-party documentation, which Oracle provides in HTML format only.
Setting Server and Administrator Functions
The following directives set basic Oracle HTTP Server and administrator functions. They are located in the “Main Server Configuration” portion of the httpd.conf file. See Also: "httpd.
ServerAdmin
Creates an email address that is included with every default error message that clients encounter. It is useful to create a separate email address for this.
See Also: “ServerAdmin directive” in the Apache Server documentation.
ServerSignature
Enables the server to recognize which server, among the various proxies, created the returned response, such as an error message.
Specifying File Locations
The following directives control the location of various server files. They are located in the “Global Environment” of the httpd.conf file.
See Also: "httpd.conf File Structure" on page A-2
■ CoreDumpDirectory
■ DocumentRoot
■ ErrorLog
■ LockFile
■ PidFile
■ ScoreBoardFile
■ ServerRoot
CoreDumpDirectory
Specifies the directory in which the server dumps core. The default is the ServerRoot directory.
ErrorLog
Sets the name of the file to which the server notes any errors it encounters. If the name of the file does not begin with a slash (/), then it is assumed to be relative to the ServerRoot. If the name of the file begins with a pipe (|), then it is assumed to be a command to spawn to handle the error log.
See Also: “ErrorLog directive” in the Apache Server documentation.
ServerRoot
Specifies the directory that contains the conf and logs subdirectories. If the server is started with the -f option, then you will have to specify ServerRoot.
See Also: “ServerRoot directive” in the Apache Server documentation.
4 Managing Server Processes
This chapter provides an overview of the Oracle HTTP Server processes, and provides information on how to regulate and monitor these processes. Topics discussed are:
■ Oracle HTTP Server Processing Model
■ Handling Server Processes
■ Limiting the Number of Processes and Connections
■ Getting Information about Processes
Documentation from the Apache Software Foundation is referenced when applicable.
Oracle HTTP Server Processing Model
Once Oracle HTTP Server is started, the system is ready to listen for and respond to http(s) requests. The request processing model is different on UNIX and Windows. After installation, the main httpd parent process, as well as the child processes, run as the user who installed Oracle Database. The User and Group directives are used to set the privileges for the child processes.
Additional Security Considerations
For additional security on UNIX, you can change the user to “nobody”. Be sure that the child processes can accomplish their tasks as the user “nobody”. Change all static content, such as the ORACLE_HOME/Apache/Apache/htdocs directory on UNIX or ORACLE_HOME\Apache\Apache\htdocs on Windows, so that all the files are readable, but ideally not writable by the user “nobody”.
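One way to check the file-permission advice above before changing the User directive, as an added example that is not part of the Oracle guide: the script walks a document root and reports entries that a given account could modify or could not read. It evaluates the classic owner/group/other mode bits only (ACLs are ignored, which is an assumption), and the function names are illustrative.

```python
import os
import stat
import sys


def access_for(st, uid, gids):
    """Return (read, write, execute) granted to `uid` with groups `gids`.

    Uses the UNIX rule that exactly one permission class applies:
    owner if the uid matches, else group if a gid matches, else other.
    """
    if st.st_uid == uid:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    mode = st.st_mode
    return bool(mode & r), bool(mode & w), bool(mode & x)


def audit_docroot(root, uid, gids):
    """Return a sorted list of (relative_path, problem) for the tree under root.

    problem is "writable"   - the account could change or replace content
               "unreadable" - the account could not serve the file, or could
                              not list/traverse the directory
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        paths = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in paths:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink has no useful mode bits of its own
            rel = os.path.relpath(path, root)
            r, w, x = access_for(st, uid, gids)
            if w:
                findings.append((rel, "writable"))
            if stat.S_ISDIR(st.st_mode):
                if not (r and x):
                    findings.append((rel, "unreadable"))
            elif not r:
                findings.append((rel, "unreadable"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_docroot.py <document root> <account name>
    # e.g. the htdocs directory and "nobody" from the text above.
    import pwd

    docroot, account = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(account)
    groups = set(os.getgrouplist(account, pw.pw_gid))
    problems = audit_docroot(docroot, pw.pw_uid, groups)
    for rel, problem in problems:
        print(f"{problem:10s} {rel}")
    sys.exit(1 if problems else 0)
```

An empty report means the account can read everything under the document root and change none of it, which is the state the paragraph above asks for.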
Handling Server Processes
Use the following directives to manage the server processes:
■ ServerType
■ Group
■ User
ServerType
Provides the following two options, both being applicable on UNIX only:
inetd: Starts up a new child process every time a request comes in. The program exits once the request is dealt with. This setting eliminates the option of having several child processes in waiting, making it slower and expensive, but more secure.
Limiting the Number of Processes and Connections
The following directives control and limit the number of child processes or simultaneous requests. They are located in the “Global Environment” of the httpd.conf file. See Also: "httpd.
MaxRequestsPerChild
Controls the number of requests a child process handles before it dies. This value should be specified again if the machine is rebooted. If you select the value to be 0, which is the default, then the process will never die. This is applicable to UNIX only.
See Also: “MaxRequestsPerChild directive” in the Apache Server documentation.
MaxSpareServers
Sets the maximum number of idle child server processes.
Getting Information about Processes
There are several ways to monitor Oracle HTTP Server processes.
1. Use the performance monitor on Windows, or the ps utility on UNIX.
See Also: Oracle Application Server 10g Performance Guide and your operating system documentation for more information.
2. Use mod_status for server status. By default, it is available from localhost only.
5 Managing the Network Connection
This chapter provides information about specifying IP addresses and ports, and managing server interaction, and network connection persistence. Topics discussed are:
■ Specifying Listener Ports and Addresses
■ Managing Interaction Between Server and Network
■ Managing Connection Persistence
■ Configuring Reverse Proxies and Load Balancers
Documentation from the Apache Software Foundation is referenced when applicable.
Specifying Listener Ports and Addresses
When Oracle HTTP Server is started, by default, it listens for requests on port 7777 (non-SSL). If port 7777 is occupied, Oracle HTTP Server listens on the next available port number in the range 7777-7877. Thus, if port 7777 is busy, it would listen on port 7778, and so on. A file named setupinfo.txt is automatically generated in ORACLE_HOME/Apache/Apache on UNIX or ORACLE_HOME\Apache\Apache on Windows.
BindAddress
Restricts the server to listen to a single IP address. If the argument to this directive is *, then it listens to all IP addresses. This directive has been deprecated. Listen offers similar functionality.
See Also: “BindAddress directive” in the Apache Server documentation.
Port
Specifies the port of the listener, if no Listen or BindAddress are present.
Managing Interaction Between Server and Network
The following directives are used to specify how the server interacts with the network. They are located in the “Global Environment” of the httpd.conf file.
■ ListenBackLog
■ SendBufferSize
■ TimeOut
See Also: "httpd.conf File Structure" on page A-2
ListenBackLog
Specifies the maximum length of the queue of pending connections.
Managing Connection Persistence
The following directives determine how the server handles persistent connections. They are located in the “Global Environment” of the httpd.conf file.
■ KeepAlive
■ KeepAliveTimeout
■ MaxKeepAliveRequests
See Also:
■ Oracle Application Server 10g Performance Guide
■ "httpd.conf File Structure" on page A-2
KeepAlive
Enables a single connection to accept multiple requests from the same client. The default is set to “On”.
Configuring Reverse Proxies and Load Balancers
By default, Oracle Database installs using the local hostname as set up by ServerName directive in Oracle HTTP Server. Most Web sites tend to have a specific hostname or domain name for their Web server. However, this is not possible out of the box because with the ServerName directive, Oracle HTTP Server is instantiated with the local host.
See Also: "Running Oracle HTTP Server as Root" on page 4-2 for instructions on running Oracle HTTP Server with ports lower than 1024.
6 Configuring and Using Server Logs
This chapter discusses Oracle Diagnostic Logging, log formats, and describes various log files and their locations. Topics discussed are:
■ Using Oracle Diagnostic Logging
■ Specifying Log Formats
■ Specifying Log Level
■ Specifying Log Files
Documentation from the Apache Software Foundation is referenced when applicable.
Using Oracle Diagnostic Logging
Oracle offers a new method for reporting diagnostic messages. This new method, Oracle Diagnostic Logging (ODL), presents a common format for diagnostic messages and log files, and a mechanism for correlating all diagnostic messages from various components across Oracle Database. Using ODL, each component logs messages to its own private local repository.
OraLogSeverity [module_name [:msg_level]
Enables you to set message severity. The message severity specified with this directive is interpreted as the lowest message severity that is desired, and all messages of that severity level and higher will be logged. OraLogSeverity may be specified multiple times. It can be specified globally (no module_name) and once for each module for which a module-specific logging severity is desired.
Table 6–1 lists some examples of OraLogSeverity.
OraLogDir
Specifies the path to the directory which contains all log files. This directory must exist. Default:
■ UNIX: ORACLE_HOME/Apache/Apache/logs/oracle
■ Windows: ORACLE_HOME\Apache\Apache\logs\oracle
Specifying Log Formats
LogFormat specifies the information included in the log file, and the manner in which it is written. The default format is the Common Log Format (CLF).
Specifying Log Level
Table 6–3 lists all the different logging levels, their descriptions, and example messages:
Table 6–3 Logging Level
Logging Level | Description | Example Message
Emergency | Emergencies- system is unusable. | “Child cannot open lock file. Exiting.”
Alert | Action must be taken immediately. | “getpwuid: couldn’t determine user name from uid”
Critical | Critical conditions. | “socket: Failed to get a socket, exiting child”
Error | Error conditions.
Specifying Log Files
The log files are discussed in the subsequent sections:
■ Access Log
■ CustomLog
■ Error Log
■ PID File
■ Piped Log
■ Rewrite Log
■ Script Log
■ SSL Log
■ Transfer Log
It is important to periodically rotate the log files by moving or deleting existing logs on a moderately busy server. For this, the server must be restarted after the log files are moved or deleted so that new log files are opened.
Error Log
The server sends diagnostic information and records error messages to a log file located, by default, in:
■ UNIX: ORACLE_HOME/Apache/Apache/logs/error_log
■ Windows: ORACLE_HOME\Apache\Apache\logs\error_log
The file name can be set using the ErrorLog directive.
See Also: “ErrorLog directive” in the Apache Server documentation.
Rewrite Log
Rewrite Log is necessary for debugging when mod_rewrite is used. This log file produces a detailed analysis of how the rewriting engine transforms requests. The level of detail is controlled by the RewriteLogLevel directive.
See Also: “Rewrite Log” in the Apache Server documentation.
Script Log
Script Log enables you to record the input to and output from the CGI scripts. This should only be used in testing, and not for live servers.
7 Oracle HTTP Server Modules
This chapter describes the modules (mods) included in the Oracle HTTP Server. The modules extend the basic functionality of the Web server, and support integration between Oracle HTTP Server and other Oracle Database components. Documentation from the Apache Software Foundation is referenced when applicable.
Note: Readers using this guide in PDF or hard copy formats will be unable to access third-party documentation, which Oracle provides in HTML format only.
List of Modules
Table 7–1 lists all the Oracle HTTP Server modules discussed in this chapter.
mod_access
Controls access to the server based on characteristics of a request, such as hostname or IP address.
See Also: Module mod_access in the Apache Server documentation.
mod_actions
Enables execution of CGI scripts based on file type or request method.
See Also: Module mod_actions in the Apache Server documentation.
mod_alias
Enables manipulation of URLs in processing requests. It provides mapping between URLs and filesystem paths, and URL redirection capabilities.
mod_auth_anon
Enables anonymous user access to protected areas (similar to anonymous FTP, where the email addresses can be logged).
See Also: Module mod_auth_anon in the Apache Server documentation.
mod_auth_db
Uses Berkeley DB files to provide user authentication. This module is disabled in the Oracle HTTP Server and is not supported by Oracle.
mod_auth_dbm
Uses DBM files to provide user authentication. This module is not supported by Oracle.
mod_certheaders
Enables reverse proxies that terminate SSL connections in front of Oracle HTTP Server to transfer information regarding SSL connection, such as SSL client certificate information, to Oracle HTTP Server, and applications running behind Oracle HTTP Server. This information is transferred from the reverse proxy to Oracle HTTP Server using HTTP headers.
Table 7–2 lists all the supported CGI environment variables with their corresponding HTTP header names.
Table 7–2 CGI Environment Variables with Corresponding Header Names
CGI Variable | Header Name | CGI Variable | Header Name
SSL_CLIENT_I_DN_O | SSL-Client-I-DN-O | SSL_SERVER_I_DN_O | SSL-Server-I-DN-O
SSL_CLIENT_I_DN_OU | SSL-Client-I-DN-OU | SSL_SERVER_I_DN_OU | SSL-Server-I-DN-OU
SSL_CLIENT_I_DN_CN | SSL-Client-I-DN-CN | SSL_SERVER_I_DN_CN | SSL-Server-I-DN-CN
SSL_CLIENT_I_DN_T | SSL-Client-I-DN-T | SSL_SERVER_I_DN_T | SSL-Server-I-DN-T
SSL_CLIENT_I_DN_I | SSL-Client-I-DN-I | SSL_SERVER_I_DN_I | SS
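Because the certificate details travel as ordinary request headers, they are only as trustworthy as the hop that set them. The following is an added example, not Oracle's code and not a description of mod_certheaders internals: it accepts the Table 7–2 headers only when the connection comes from a listed reverse proxy and maps them to the CGI variable names. The function names and the addresses used in the demo are constructed for illustration.

```python
import ipaddress

# Header names taken from the rows of Table 7-2 that are visible on this
# page (the full table is longer). HTTP header names are case-insensitive.
CERT_HEADERS = (
    "SSL-Client-I-DN-O", "SSL-Client-I-DN-OU", "SSL-Client-I-DN-CN",
    "SSL-Client-I-DN-T", "SSL-Client-I-DN-I",
    "SSL-Server-I-DN-O", "SSL-Server-I-DN-OU", "SSL-Server-I-DN-CN",
    "SSL-Server-I-DN-T",
)


def cgi_name(header):
    """Map a header name to its CGI variable as paired in Table 7-2,
    e.g. SSL-Client-I-DN-O -> SSL_CLIENT_I_DN_O."""
    return header.upper().replace("-", "_")


_KNOWN = {h.lower(): cgi_name(h) for h in CERT_HEADERS}


def build_cert_env(peer_ip, headers, trusted_proxies):
    """Decide which certificate headers may become CGI variables.

    peer_ip          address of the TCP peer that sent the request
    headers          list of (name, value) pairs in arrival order
    trusted_proxies  iterable of addresses or CIDR networks of the reverse
                     proxies that terminate SSL (site-specific assumption)

    Returns (env, rejected):
      env       {CGI variable: value} for headers that are accepted
      rejected  sorted CGI variable names whose headers were dropped, either
                because the peer is not a trusted proxy or because the header
                appeared more than once and its origin is ambiguous
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(net) for net in trusted_proxies)

    seen = {}
    for name, value in headers:
        var = _KNOWN.get(name.lower())
        if var is not None:
            seen.setdefault(var, []).append(value)

    if not trusted:
        # Anything a direct client says about "its" certificate is ignored.
        return {}, sorted(seen)

    env = {var: vals[0] for var, vals in seen.items() if len(vals) == 1}
    rejected = sorted(var for var, vals in seen.items() if len(vals) > 1)
    return env, rejected


if __name__ == "__main__":
    proxies = ["10.0.0.0/24"]                      # constructed value
    request = [("Host", "www.example.com"),        # constructed request
               ("SSL-Client-I-DN-O", "Example Corp"),
               ("ssl-client-i-dn-cn", "Example CA")]
    print(build_cert_env("10.0.0.5", request, proxies))
    print(build_cert_env("203.0.113.9", request, proxies))
```

The same rule belongs on the proxy itself: it should remove any inbound copies of these headers before adding its own, so that a duplicate never reaches the server.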
This tells mod_certheaders to treat every request handled by this virtual host as HTTPS, or the directive can be placed within a , , or directive container such as:
SimulateHttps on
This limits it to URLs starting with /foo/.
mod_cgi
Enables the server to run CGI scripts.
See Also: Module mod_cgi in the Apache Server documentation.
mod_dir
Enables the server to perform slash (/) redirects. Directories must contain a trailing slash. If a request for a URL without a trailing slash is received, mod_dir redirects the request to the same URL followed by a trailing slash. For example: http://myserver/documents/mydirectory is redirected to http://myserver/documents/mydirectory/
See Also: Module mod_dir in the Apache Server documentation.
mod_expires
Enables the server to generate Expires HTTP headers, which provide information to the client about document validity. Documents are served from the source if, based on the expiration criteria, the cached copy has expired.
See Also: Module mod_expires in the Apache Server documentation.
mod_fastcgi
Supports the FastCGI protocol, which enables you to maintain a pool of running servers for CGI applications, thereby eliminating start-up and initialization overhead.
mod_info
Summarizes the entire server configuration, including all installed modules and directive settings.
See Also: Module mod_info in the Apache Server documentation.
mod_isapi
Enables serving of Internet Server extensions (such as .dll modules). It is available on the Windows platform only, and is not supported by Oracle.
mod_log_agent
Enables logging of client user agents. It is deprecated; you should use mod_log_config instead of mod_log_agent.
mod_mime
Enables the server to determine the type of a file from its filename, and associate files with handlers for processing.
See Also: Module mod_mime in the Apache Server documentation.
mod_mime_magic
Enables the server to determine the MIME type of a file by examining a few bytes of its content. It is used in cases when mod_mime cannot determine a file type. Make sure that mod_mime appears before mod_mime_magic in the configuration file, so that mod_mime processes the files first.
mod_onsint
This module provides integration support with Oracle Notification Service (ONS) and OPMN (Oracle Process Manager and Notification Server).
Benefits of mod_onsint
mod_onsint provides the following functionality:
■ Provides a subscription mechanism for ONS notifications within Oracle HTTP Server. This is particularly important on UNIX where Oracle HTTP Server employs a multi-process architecture.
Implementation Differences for mod_onsint
Due to the difference in architecture of Oracle HTTP Server on UNIX and Windows, the implementation of mod_onsint varies slightly on these platforms. On UNIX, mod_onsint spawns a process at module initialization time. This process is responsible for watching the parent process as well as sending and receiving ONS messages. Callback functions from other modules interested in ONS notifications are made in this process.
mod_perl This directive must be in the global section of the httpd.conf file. It cannot be embedded into any virtual host of location container. After installation, an OpmnHostPort directive is located in dms.conf. It points OPMN to the Oracle HTTP Server “diagnostic port”, which is a special localhost only virtual host. You cannot combine directives using the one-argument syntax with directives using the two-argument syntax.
mod_perl
Database Usage Notes
This section provides information for mod_perl users working with databases. It explains how to test a local database connection and set character forms.
Using Perl to Access the Database
The following section contains information about using Perl to access the database. Perl scripts access databases using the DBI/DBD driver for Oracle. The DBI/DBD driver is part of Oracle Database. It calls Oracle Callable Interface (OCI) to access the databases.
You can access the DBI scripts from the following locations:
http://:/cgi-bin/
http://:/perl/
If the script specifies “use Apache::DBI” instead of “use DBI”, then it will only be able to run from http://:/perl/.
Testing Database Connection
The following is a sample Perl script for testing the database connection of a local seed database.
This release of DBD::Oracle supports SQL NCHAR datatypes and provides driver extension functions to specify the character form for data binding. The following script shows an example to access SQL NCHAR data:
Example 7–3 Sample Script to Access SQLNCHAR Data
# declare to use the constants for character forms
use DBD::Oracle qw(:ora_forms);
# connect to the database and get the database handle
$dbh = DBI->connect( ...
set_form This function sets the character form for parameter(s). Valid forms are either ORA_IMPLICIT (default) or ORA_NCHAR. The constants are available as :ora_forms in DBD::Oracle.
mod_plsql
Creating a DAD
Perform the following steps to create a DAD:
1. Edit the DAD configuration file ORACLE_HOME/Apache/modplsql/conf/dads.conf.
2. Add a DAD where the DAD has the following format:
a. The Oracle HTTP Server <Location> directive which defines a virtual path used to access the PL/SQL Web Application. This directive begins enclosing a group of directives that apply to the named Location.
3. Save the edits.
4. Obfuscate the DAD password by running the “dadTool.pl” script located in ORACLE_HOME/Apache/modplsql/conf. See Also: "PlsqlDatabasePassword" on page 7-36 for instructions on performing the obfuscation.
5. Restart the Oracle HTTP Server for the configuration to take effect.
You can create additional DADs by defining other uniquely named Locations in dads.conf.
dads.conf This file contains the configuration parameters for the PL/SQL database access descriptor (DAD). A DAD is a set of values that specifies how mod_plsql connects to a database server to fulfill an HTTP request.
cache.conf This file contains the configuration settings for the file system caching functionality implemented in mod_plsql. This configuration file is relevant only if PL/SQL applications use the OWA_CACHE package to cache dynamically generated content in the file system.
Table 7–3 mod_plsql Configuration Files and Parameters (Cont.) Configuration File Parameters dads.
Table 7–3 mod_plsql Configuration Files and Parameters (Cont.)
Configuration File    Parameters
cache.conf            PlsqlCacheCleanupTime
                      PlsqlCacheDirectory
                      PlsqlCacheEnable
                      PlsqlCacheMaxAge
                      PlsqlCacheMaxSize
                      PlsqlCacheTotalSize
plsql.conf This file contains the LoadModule directive to load mod_plsql into the Oracle HTTP Server, global settings for mod_plsql, and include directives for dads.conf and cache.conf. Note: Refer to plsql.
PlsqlLogEnable Enables debug level logging for mod_plsql. Debug level logging is meant to be used for debugging purposes only. When logging is enabled, log files are generated at:
■ UNIX: ORACLE_HOME/Apache/modplsql/logs
■ Windows: ORACLE_HOME\Apache\modplsql\logs
as configured by PlsqlLogDirectory. This parameter should be set to “Off” unless recommended by Oracle support to debug problems with mod_plsql.
PlsqlIdleSessionCleanupInterval Specifies the time (in minutes) in which the idle database sessions should be closed and cleaned by mod_plsql. This directive is used in conjunction with connection pooling of database connections and sessions in mod_plsql. When a session is not used for the specified amount of time, it is closed, and freed. This is done so that unused sessions can be cleaned, and the memory is freed on the database side.
The following parameters are discussed in detail in the subsequent sections:
■ PlsqlAfterProcedure
■ PlsqlAlwaysDescribeProcedure
■ PlsqlAuthenticationMode
■ PlsqlBeforeProcedure
■ PlsqlBindBucketLengths
■ PlsqlBindBucketWidths
■ PlsqlCGIEnvironmentList
■ PlsqlCompatibilityMode
■ PlsqlDatabaseConnectString
■ PlsqlDatabasePassword
■ PlsqlDatabaseUserName
■ PlsqlDefaultPage
■ PlsqlDocumentPath
■ PlsqlDocumentProcedure
■ PlsqlDocumentTablename
■ PlsqlErrorStyle
■ Pls
PlsqlAfterProcedure Specifies the procedure to be invoked after calling the requested procedure. This enables you to put a hook point after the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call be made after running every procedure.
Category    Value
Syntax      PlsqlAfterProcedure string
Default     None
Example     PlsqlAfterProcedure portal.mypkg.
PlsqlAuthenticationMode Specifies the authentication mode to use for allowing access through this DAD.
Category    Value
Syntax      PlsqlAuthenticationMode Basic/SingleSignOn/GlobalOwa/CustomOwa/PerPackageOwa
Default     Basic
Example     PlsqlAuthenticationMode Basic
Notes:
■ Most customer applications use Basic Authentication. Custom Authentication modes (GlobalOwa, CustomOwa, PerPackageOwa) are used by very few PL/SQL applications.
PlsqlBeforeProcedure Specifies the procedure to be invoked before calling the requested procedure. This enables you to put a hook point before the requested procedure is called. This is useful in doing SQL*Traces/SQL Profiles while debugging a problem with the requested procedure. This is also useful when you want to ensure that a specific call be made before running every procedure.
Category    Value
Syntax      PlsqlBeforeProcedure string
Default     None
Example     PlsqlBeforeProcedure portal.mypkg.
Category    Value
Syntax      PlsqlBindBucketLengths number multiline
Default     4,20,100,400
Example     PlsqlBindBucketLengths 4
            PlsqlBindBucketLengths 25
            PlsqlBindBucketLengths 125
Notes:
■ This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure. The default should be sufficient for most PL/SQL applications.
Category    Value
Syntax      PlsqlBindBucketWidths number multiline
Default     32,128,1450,2048,4000
Example     PlsqlBindBucketWidths 40
            PlsqlBindBucketWidths 400
            PlsqlBindBucketWidths 2000
Notes:
■ This parameter is relevant only if you are using procedures with array parameters, and passing varying number of parameters to the procedure. The default should be sufficient for most PL/SQL applications.
Category    Value
Syntax      PlsqlCGIEnvironmentList string multiline
Default     None
Example
■ To add a new environment variable from the Oracle HTTP Server environment:
  PlsqlCGIEnvironmentList DOCUMENT_ROOT
■ To remove an environment variable:
  PlsqlCGIEnvironmentList MYENVAR2=
■ To override from the Oracle HTTP Server environment:
  PlsqlCGIEnvironmentList REQUEST_PROTOCOL=HTTPS
■ To add your own environment variable:
  PlsqlCGIEnvironmentList MY_VARNAME=MY_VALUE
Notes:
■ Environment varia
PlsqlDatabaseConnectString Specifies the connection to an Oracle database.
Category    Value
Syntax      PlsqlDatabaseConnectString string ServiceNameFormat/SIDFormat/TNSFormat/NetServiceNameFormat, where string can be one of the following based on the second argument:
■ ServiceNameFormat: HOST:PORT:SERVICE_NAME format where HOST is the hostname running the database, PORT is the port number the TNS listener is listening on, SERVICE_NAME is the database service name.
Notes:
■ If the database is running in the same Oracle home, or the environment variable “TWO_TASK” is set (called “LOCAL” on Windows NT), this parameter need not be specified. If the database is running in a separate Oracle home, then this parameter is mandatory. If you have problems connecting to the database:
■ Check the username and password information in the DAD.
PlsqlDatabasePassword Specifies the password to use to log in to the database.
Category    Value
Syntax      PlsqlDatabasePassword string
Default     None
Example     PlsqlDatabasePassword tiger
After making manual configuration changes to DAD passwords, it is recommended that the DAD passwords are obfuscated by running the “dadTool.pl” script located in ORACLE_HOME/Apache/modplsql/conf. Following are the steps to obfuscate DAD passwords:
1.
3. Set the appropriate shared library path environment variable for your platform.
■ On UNIX platforms, include the ORACLE_HOME/lib directory in your shared library path. Table 7–4 shows the appropriate environment variable for each platform.
PlsqlDatabaseUserName Specifies the username to use to log on to the database.
Category    Value
Syntax      PlsqlDatabaseUsername string
Default     None
Example     PlsqlDatabaseUsername scott
Notes:
■ This is a mandatory parameter, except for a DAD that sets PlsqlAuthenticationMode to Basic and uses dynamic authentication. For DADs using SingleSignOn authentication, this parameter is the name of the schema owner.
PlsqlDocumentPath Specifies a virtual path in the URL that initiates document download from the document table. For example, if this parameter is set to docs, then the following URLs will start the document downloading process for URLs of the format:
/pls/dad/docs
/pls/plsqlapp/docs
Category    Value
Syntax      PlsqlDocumentPath string
Default     docs
Example     PlsqlDocumentPath docs
Notes:
■ Omit this parameter for applications that do not perform document uploads or downloads.
Notes:
■ Omit this parameter for applications that do not perform document uploads or downloads. See Also: Oracle HTTP Server mod_plsql User’s Guide
■ In older versions of the product, this parameter was called document_proc.
PlsqlDocumentTablename Specifies the table in the database to which all documents are uploaded.
Category    Value
Syntax      PlsqlDocumentTablename string
Default     None
Example     PlsqlDocumentTablename myschema.
■ DebugStyle: This mode provides more details than ModplsqlStyle. mod_plsql provides more details about the URL, parameters and also produces server configuration information. This mode is for debugging purposes only. Do not use this in a production system, since displaying internal server variables could be a security risk.
Category    Value
Example     PlsqlExclusionList sys.*
            PlsqlExclusionList dbms_*
            PlsqlExclusionList utl_*
            PlsqlExclusionList owa_*
            PlsqlExclusionList owa.*
            PlsqlExclusionList htp.*
            PlsqlExclusionList htf.*
            PlsqlExclusionList myschema.private.*
The preceding configuration excludes access to URLs containing sys.*, dbms_*, utl_*, owa_*, owa.*, htp.*, htf.*, myschema.private.
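A review of dads.conf for the two settings discussed above, PlsqlErrorStyle DebugStyle and PlsqlExclusionList, written as an added example that is not part of the Oracle guide or of mod_plsql. The function names, the finding codes and the sample file content are assumptions made for illustration; the script treats any Location block holding Plsql* directives as a DAD and reports which patterns from the guide's example are not explicitly listed.

```python
import re

# Patterns copied from the PlsqlExclusionList example in this guide
# (the application-specific myschema.private.* entry is left out).
BASELINE_EXCLUSIONS = ("sys.*", "dbms_*", "utl_*", "owa_*", "owa.*", "htp.*", "htf.*")

# Constructed sample dads.conf content; paths and values are illustrative only.
SAMPLE_DADS_CONF = """\
# first DAD: debug error pages and a short exclusion list
<Location /pls/app1>
    SetHandler pls_handler
    PlsqlDatabaseUsername scott
    PlsqlErrorStyle DebugStyle
    PlsqlExclusionList sys.*
    PlsqlExclusionList dbms_*
</Location>

<Location /pls/app2>
    SetHandler pls_handler
    PlsqlDatabaseUsername scott
    PlsqlErrorStyle ModplsqlStyle
    PlsqlExclusionList sys.*
    PlsqlExclusionList dbms_*
    PlsqlExclusionList utl_*
    PlsqlExclusionList owa_*
    PlsqlExclusionList owa.*
    PlsqlExclusionList htp.*
    PlsqlExclusionList htf.*
    PlsqlExclusionList myschema.private.*
</Location>
"""

_OPEN = re.compile(r"^<Location\s+(\S+?)\s*>$", re.IGNORECASE)
_CLOSE = re.compile(r"^</Location\s*>$", re.IGNORECASE)


def parse_locations(text):
    """Return {location path: [(directive, value), ...]} in file order."""
    locations = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        opened = _OPEN.match(line)
        if opened:
            if current is not None:
                raise ValueError(f"line {lineno}: <Location> opened inside {current}")
            current = opened.group(1).strip('"')
            locations[current] = []
            continue
        if _CLOSE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: </Location> without an opening tag")
            current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            locations[current].append((parts[0], value))
    if current is not None:
        raise ValueError(f"unterminated <Location {current}> block")
    return locations


def audit_dads(text):
    """Return a list of (location, finding code, detail) tuples."""
    findings = []
    for path, directives in parse_locations(text).items():
        # Apache directive names are case-insensitive, so compare in lower case.
        plsql = [(n.lower(), v) for n, v in directives if n.lower().startswith("plsql")]
        if not plsql:
            continue  # a Location without Plsql* directives is not treated as a DAD
        styles = [v for n, v in plsql if n == "plsqlerrorstyle"]
        if styles and styles[-1].lower() == "debugstyle":
            findings.append((path, "debug-error-style",
                             "PlsqlErrorStyle DebugStyle exposes internal server variables"))
        listed = set()
        for name, value in plsql:
            if name == "plsqlexclusionlist":
                listed.update(value.lower().split())
        if listed:
            missing = [p for p in BASELINE_EXCLUSIONS if p not in listed]
            if missing:
                findings.append((path, "exclusion-gap", ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for location, code, detail in audit_dads(SAMPLE_DADS_CONF):
        print(f"{location}: {code}: {detail}")
```
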
Category    Value
Syntax      PlsqlFetchBufferSize number
Default     200
Example     PlsqlFetchBufferSize 256
Notes:
■ This parameter is changed only for performance reasons. The minimum value for this parameter is 28, but it is seldom reduced. Change this parameter only under the following circumstances:
■ The average response page is large and you want to reduce the number of round-trips mod_plsql makes to the database to fetch the response.
PlsqlMaxRequestsPerSession Specifies the maximum number of requests a pooled database connection should service before it is closed and re-opened.
Category    Value
Syntax      PlsqlMaxRequestsPerSession number
Default     1000
Example     PlsqlMaxRequestsPerSession 1000
Notes:
■ This parameter helps relieve memory and resource problems that may occur due to prolonged session reuse by a PL/SQL application. This parameter should not need to be changed; the default is sufficient in most cases.
Notes:
■ Most applications have PlsqlTransferMode set to CHAR which means that the character set in PlsqlNLSLanguage needs to match the character set of the database. In one special case, where the database and mod_plsql are both using fixed-size character sets, and the character set width matches, the character set can be different. The response character set is always the mod_plsql character set.
■ If PlsqlTransferMode is set to RAW, then this parameter can be ignored.
Notes:
■ For applications that do not use path aliasing, this parameter may be omitted. See Also: Oracle HTTP Server mod_plsql User’s Guide for more details about path aliasing functionality.
■ In older versions of the product, this parameter was called pathaliasproc.
Specifies the cookie name when PlsqlAuthenticationMode is set to SingleSignOn.
PlsqlSessionStateManagement Specifies how package and session state should be cleaned up at the end of each mod_plsql request.
■ Setting this parameter to StatelessWithResetPackageState causes mod_plsql to call dbms_session.reset_package_state at the end of each mod_plsql request. Setting this parameter to StatelessWithPreservePackageState causes mod_plsql to call htp.init at the end of each mod_plsql request. This cleans up the state of session variables in the OWA Web ToolKit.
■ An older value of stateful=STATELESS_PRESERVE corresponds to PlsqlSessionStateManagement StatelessWithPreservePackageState. mod_plsql does not support stateful mode of operation. To equip PL/SQL applications with stateful behavior, save state in cookies and/or in the database. Specifies the transfer mode for data from the database back to mod_plsql. Most applications use the default value of CHAR.
Notes:
■ For applications that do not do document uploads or downloads, this parameter may be omitted. See Also: Oracle HTTP Server mod_plsql User’s Guide for more details about upload and download processes and the structure of the restrictions on the document table format.
■ In older versions of the product, this parameter was called upload_as_log_raw.
cache.conf
The cache.conf file contains the cache settings for mod_plsql.
PlsqlCacheCleanupTime Specifies the time to start the cleanup of the cache storage. This setting defines the exact day and time in which cleanup should occur. The frequency can be set as daily, weekly, and monthly.
■ To define daily frequency, the keyword “Everyday” is used. The cleanup starts every day at the time defined. For example, Everyday 2:00. This causes the cleanup to happen every day at 2 AM (local time).
In older versions, this parameter was called “cache_dir” and resided in the “[PLSQL Cache]” section of ORACLE_HOME/Apache/modplsql/cfg/cache.cfg.
PlsqlCacheEnable Enables mod_plsql caching.
Category    Value
Syntax      PlsqlCacheEnable On/Off
Default     Off
Example     PlsqlCacheEnable On
Notes:
■ If you are sure that your application does not make use of the OWA_CACHE packages in the PL/SQL Web Toolkit, then you can choose to disable caching.
PlsqlCacheMaxSize Specifies the maximum possible size of a cache file. This setting is to prevent the case in which one file can fill up the entire cache. In general, it is recommended that this be set to about 1-3 percent of the total cache size.
mod_proxy This module provides proxy capability for FTP, CONNECT (for SSL), HTTP/0.9, HTTP/1.0, and HTTP/1.1. See Also:
■ Module mod_proxy in the Apache Server documentation.
■ "Using mod_proxy Directives" on page 8-30
mod_rewrite Oracle HTTP Server provides mod_rewrite as a tool for URL manipulation. A rewriting engine based on a regular-expression parser is used by mod_rewrite to rewrite requested URLs.
mod_rewrite loops through the ruleset rule by rule (RewriteRule directive) and when a particular rule matches, it loops through corresponding conditions (RewriteCond directives). First the URL is matched against the Pattern of each rule. When it fails, mod_rewrite looks for corresponding rule conditions. If none are present, it just substitutes the URL with a new value which is constructed from the string Substitution and goes on with its rule-looping.
mod_rewrite Directives
This section discusses the following mod_rewrite directives:
■ RewriteEngine
■ RewriteOptions
■ RewriteLog
■ RewriteLogLevel
■ RewriteBase
RewriteEngine Enables or disables the runtime rewriting engine. If it is set to “Off”, this module does no runtime processing at all. Use this directive to disable the module instead of commenting out all the RewriteRule directives. Rewrite configurations are not inherited by default.
RewriteBase Explicitly sets the base URL for per-directory rewrites. Rewrite rules can be used in per-directory configuration (.htaccess) files. When a substitution occurs for a new URL, the base URL should be added into the server processing. To be able to do this, the module needs to know what the corresponding URL-prefix or URL-base is. By default, this prefix is the corresponding file path itself. However, at most Web sites, URLs are not directly related to physical filename paths.
Rewrite Rules Hints
Table 7–5 provides hints for using rewrite rules.
Table 7–5 Rewrite Rules Hints
Value     Definition
.         Any single character
[char]    Any character listed within a square bracket
b*        Any character b any number of times
.*        Any character any number of times
For example, if you want to redirect requests from /demo1, /demo2, and /demo3 to /alldemos, write the rewrite rule as one of the following: RewriteRule /demo.
If there was a request for /demo1/not_just_index.html, all the preceding rewrite rules would have redirected the request to /alldemos/index.html, which may not be what you want. It is quite possible that you may want to redirect to the corresponding files in /alldemos, as listed in Table 7–6.
Table 7–6 Request Redirection
Request for          Redirected to
/demo1/happy.html    /alldemos/happy.html
/demo1/go.jpg        /alldemos/go.jpg
/demos1/lucky.jpg    /alldemos/lucky.
For disabling all requests using the HTTP TRACE method, set the following mod_rewrite directives:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
mod_setenvif This module enables you to set environment variables based on characteristics of a request. See Also: Module mod_setenvif in the Apache Server documentation.
mod_so This module loads executable code and modules into the server at start-up time. See Also: Module mod_so in the Apache Server documentation.
mod_unique_id This module creates a unique ID for each request. See Also: Module mod_unique_id in the Apache Server documentation. This module is available on UNIX systems only.
mod_userdir This module maps requests to user-specific directories. See Also: Module mod_userdir in the Apache Server documentation.
mod_usertrack This module tracks user activity by creating a log. See Also: Module mod_usertrack in the Apache Server documentation.
8 Managing Security This chapter provides an overview of Oracle HTTP Server security features and configuration information for setting up a secure Web site using them.
About Oracle HTTP Server Security
Security can be organized into the three categories of authentication, authorization, and confidentiality. Oracle HTTP Server provides support for all three of these categories. It is based on the Apache Web server, and its security infrastructure is primarily provided by the Apache modules, mod_auth and mod_access, and the Oracle modules, mod_ossl.
Classes of Users and Their Privileges
Oracle HTTP Server authorizes and authenticates users before allowing them to access or modify resources on the server. Following are two classes of users that access the server using Oracle HTTP Server, and their privileges.
■ Users that access the server without providing any authentication. They have access to unprotected resources only.
■ Users that have been authenticated and potentially authorized by modules within Oracle HTTP Server.
Authentication and Authorization Enforcement
Oracle HTTP Server provides user authentication and authorization at two stages:
■ Host-based Access Control (stage one): This is based on the details of the incoming HTTP request and its headers, such as IP addresses or host names.
■ User Authentication and Authorization (stage two): This is based on different criteria depending on the HTTP server configuration.
If you want to match objects at the file system level, then you must use <Directory> or <Files>. If you want to match objects at the URL level, then you must use <Location>. Note: Allowing or restricting access based on a host name for Internet access is not considered a very good method of providing security, because host names are easy to spoof. While the same is true of IP addresses, sabotage is more difficult.
Using mod_access and mod_setenvif for Host-based Access Control
Using host-based access control schemes, you can control access to restricted areas based on where HTTP requests originate. Oracle HTTP Server uses mod_access and mod_setenvif to perform host-based access control.
Controlling Access by Domain Name
Domain name-based access control can be used with IP address-based access control to solve the problem of IP addresses changing without warning. When you combine these methods, if an IP address changes, then the secure areas of your site are still protected because the domain names you want to keep out will still be denied access.
Controlling Access with Environment Variables
You can use arbitrary environment variables for access control, instead of using IP addresses or domain names. Use BrowserMatch and SetEnvIf directives for this type of access control. Note: Typically, BrowserMatch and SetEnvIf are not used to implement security policies. Instead they are used to provide different handling of requests based on browser types and versions.
User Authentication and Authorization
Basic authentication prompts for a user name and password before serving an HTTP request. When a browser requests a page from a protected area, Oracle HTTP Server responds with an unauthorized message (status code 401) containing a WWW-Authenticate: header and the name of the realm configured by the configuration directive, AuthName. When the browser receives this response, it prompts for a user name and password.
Table 8–1 Directives Descriptions (Cont.)
Directive Name    Description
AuthUserFile      Specifies the path to a file that contains user names and passwords.
AuthGroupFile     Specifies the path to a file that contains group names and their members.
Using mod_ossl to Authenticate Users
Secure Sockets Layer (SSL) is an encrypted communication protocol that is designed to securely send messages across the Internet.
5. Stop Oracle HTTP Server using the following command:
■ Windows: ORACLE_HOME\opmn\bin> opmnctl [verbose] stopproc ias-component=HTTP_Server
6. Start Oracle HTTP Server using the following command:
7.
Security Services Implemented Within Oracle HTTP Server
Oracle HTTP Server provides security services that enable you to protect your server from unwanted users and malicious attacks. These security services ensure that data exchanged between the client and the server is secure. mod_ossl enables secure connections between Oracle HTTP Server and a browser client by using an Oracle-provided encryption mechanism over SSL.
The following mod_ssl directives are not supported by mod_ossl.
■ SSLRandomSeed
■ SSLCertificateFile
■ SSLCertificateKeyFile
■ SSLCertificateChainFile
■ SSLCACertificateFile
■ SSLCACertificatePath
■ SSLVerifyDepth
Caution: The server will not start if these directives are used.
Using mod_ossl Directives
To configure SSL for your Oracle HTTP Server, enter the mod_ossl directives you want to use in the httpd.conf file.
■ SSLSessionCacheTimeout
■ SSLVerifyClient
■ SSLWallet
■ SSLWalletPassword
SSLAccelerator Specifies if SSL accelerator is used. Currently only the nFast card is supported.
SSLCARevocationPath Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.
Table 8–3 SSLCipher Suite Tags
Function          Tag      Meaning
Key exchange      kRSA     RSA key exchange
Key exchange      kDHr     Diffie-Hellman key exchange with RSA key
Authentication    aNULL    No authentication
Authentication    aRSA     RSA authentication
Authentication    aDH      Diffie-Hellman authentication
Encryption        eNULL    No encryption
Encryption        DES      DES encoding
Encryption        3DES     Triple DES encoding
Encryption        RC4      RC4 encoding
Data Integrity    MD5      MD5 ha
Table 8–4 Cipher Suites Supported in Oracle Advanced Security 9i
Cipher Suite                         Authentication    Encryption      Data Integrity
SSL_RSA_WITH_3DES_EDE_CBC_SHA        RSA               3DES EDE CBC    SHA
SSL_RSA_WITH_RC4_128_SHA             RSA               RC4 128         SHA
SSL_RSA_WITH_RC4_128_MD5             RSA               RC4 128         MD5
SSL_RSA_WITH_DES_CBC_SHA             RSA               DES CBC         SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA    DH anon           3DES EDE CBC    SHA
SSL_DH_anon_WITH_RC4_128_MD5         DH anon           RC4 128         MD5
SSL_RSA_WITH_3DES_EDE_
SSLEngine Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost> section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts.
Example 8–8 Using SSL Engine Directive
SSLEngine on ...
SSLLogLevel Specifies the verbosity degree of the SSL engine log file.
Category Value
Valid Values The levels are (in ascending order, where each level is included in the levels preceding it):
■ none: No dedicated SSL logging is done. Messages of type ’error’ are duplicated to the standard HTTP server log file specified by the ErrorLog directive.
■ error: Only messages of the type ’error’ (conditions that stop processing) are logged.
SSLMutex Type of semaphore (lock) for SSL engine’s mutual exclusion of operations that have to be synchronized between Oracle HTTP Server processes.
Category Value
Valid Values
■ none: Uses no mutex at all. Not recommended, because the mutex synchronizes the write access to the SSL session cache. If you do not configure a mutex, the session cache can become garbled.
■ file:path/to/mutex: Uses a file for locking.
Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus (’+’) or minus (’-’) symbol, then the options are merged.
Category Value
Valid Values (for SSLOptions continued)
■ StrictRequire: Denies access when, according to SSLRequireSSL or SSLRequire directives, access should be forbidden. Without StrictRequire, it is possible for a ’Satisfy any’ directive setting to override the SSLRequire or SSLRequireSSL directive, allowing access if the client passes the host restriction or supplies a valid user name and password.
SSLPassPhraseDialog Type of pass phrase dialog for wallet access. mod_ossl asks the administrator for a pass phrase in order to access the wallet.
Category Value
Valid Values
■ builtin: When the server is started, mod_ossl prompts for a password for each wallet. This cannot be used when Oracle HTTP Server is managed by OPMN. No user interaction is allowed when Oracle HTTP Server is started by OPMN.
Denies access unless an arbitrarily complex boolean expression is true.
Table 8–5 lists the standard variables for SSLRequire varname.
Table 8–6 SSL Variables for SSLRequire Varname (Cont.
SSLSessionCache Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing.
Category Value
Valid Values
■ none: Disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance.
SSLVerifyClient Specifies whether or not a client must present a certificate when connecting.
SSLWalletPassword Specifies the Wallet password needed to access the wallet specified within the same context. You can choose either a cleartext wallet password or an obfuscated password. The obfuscated password is created with the command line tool iasobf. If you must use a regular wallet, Oracle recommends that you use the obfuscated password instead of a cleartext password.
Using mod_proxy Directives
The following directives are for mod_proxy support only:
■ SSLProxyCache
■ SSLProxyCipherSuite
■ SSLProxyProtocol
■ SSLProxyWallet
■ SSLProxyWalletPassword
Specifies whether the proxy cache will be used. The proxy will use the same session as the SSL server uses.
SSLProxyWallet Specifies the location of the wallet containing the certificates to use when opening proxy connections.
Category    Value
Syntax      SSLProxyWallet wrl
Default     None
Context     server configuration, virtual host
SSLProxyWalletPassword Specifies the proxy wallet password.
Category    Value
Syntax      SSLProxyWalletPassword password
Default     None
Context     server configuration, virtual host
Note: SSLProxyWalletPassword has been deprecated.
Using mod_ossl Directives to Configure Client Authentication
This section provides instructions on how you can use the directives mentioned earlier to set up configurations that enable you to use client certificates for authenticating clients. Following are some scenarios:
■ Authenticating clients based on certificates when all clients are known. The server wallet has imported the CA certificate which signed all the client certificates.
Using the iasobf Utility
The iasobf utility enables you to generate an obfuscated wallet password from a cleartext password. If you are using an Oracle Wallet that has been created with Auto Login enabled (an SSO wallet), then you do not need to use this utility.
9 Frequently Asked Questions This chapter provides answers to frequently asked questions about Oracle HTTP Server. See Also: “Frequently Asked Questions” in the Apache Server documentation. Documentation from the Apache Software Foundation is referenced when applicable. Note: Readers using this guide in PDF or hard copy formats will be unable to access third-party documentation, which Oracle provides in HTML format only.

Creating Application-specific Error Pages
Oracle HTTP Server has a default content handler for dealing with errors. You can use the ErrorDocument directive to override the defaults.
See Also: “ErrorDocument directive” in the Apache Server documentation.

Offering HTTPS to ISP (Virtual Host) Customers
For HTTP, Oracle HTTP Server supports two types of virtual hosts: name-based and IP-based. HTTPS supports only IP-based virtual hosts.

Using Different Language and Character Set Versions of Document
You can use multiviews, a general name given to the Apache server’s ability to provide language and character-specific document variants in response to a request.
See Also: “Multiviews” in the Apache Server documentation.

Sending Proxy Sensitive Requests to Oracle HTTP Server Behind a Firewall
You should use the Proxy directives, and not the Cache directives, to send proxy sensitive requests across firewalls.

Supporting PHP
mod_php is not supported. However, you have the following two options:
■ Install mod_php by yourself and use it. If there is a support question on any aspect of Oracle HTTP Server, you might be asked to reproduce the problem without mod_php.
■ Use PHP in a CGI mode, in which case support of the rest of the Oracle HTTP Server stack would not be an issue.

Protecting Web Site From Hackers
There are many attacks, and new attacks are invented every day. Following are some general guidelines for securing your site. You can never be completely secure, but you can avoid being an easy target.
■ Use a commercial firewall between your ISP and your Web server. Recognize, however, that not all hackers are outside your organization.
■ Use switched ethernet to limit the amount of traffic a compromised server can sniff.

A Oracle HTTP Server Configuration Files

This appendix lists commonly used Oracle HTTP Server configuration files. Files discussed are:
■ httpd.conf
■ opmn.xml

Documentation from the Apache Software Foundation is referenced when applicable.

Note: Readers using this guide in PDF or hard copy formats will be unable to access third-party documentation, which Oracle provides in HTML format only.

httpd.conf
This is a server configuration file which typically contains directives that affect how the server runs, such as the user and group IDs it should use, and the location of other files. Because the server configuration file is the main file that the server starts with, Oracle HTTP Server does not include any directive that says where to locate it. The location is passed on the command line when the server starts. It is located at:
■ UNIX: ORACLE_HOME/Apache/Apache/conf/httpd.

Main Server Configuration
This is section two of the httpd.conf file. It contains the directives of the default server.
See Also: "Setting Server and Administrator Functions" on page 3-2.

Virtual Hosts
This is section three of the httpd.conf file. It contains parameters specific to virtual hosts, which override some of the main server configuration defaults. Figure A–1 illustrates the file structure of the httpd.conf file.

Figure A–1 httpd.

As shown in Figure A–1, httpd.conf contains directives to include configuration files such as:
■ mime.types
■ dms.conf
■ oracle_apache.conf
■ ssl.conf

mime.types
mime.types controls the Multi Internet media types that are sent to the client for the given file extensions. Sending the correct media type to the client is important so that the client knows how to handle the content of the file.

oracle_apache.conf
oracle_apache.conf is included in the main configuration file to store configuration files of supported modules. It contains directives to include the following configuration files:
■ aqxml.conf
■ ojsp.conf
■ plsql.conf
■ xml.conf

aqxml.conf
aqxml.conf enables and configures Advanced Queuing. It is located at:
■ UNIX: ORACLE_HOME/Apache/Apache/conf
■ Windows: ORACLE_HOME\Apache\Apache\conf

ojsp.conf
ojsp.conf configures Java Server Pages.

xml.conf
xml.conf associates the .xsql extension with the XSQL servlet. It is located at:
■ UNIX: ORACLE_HOME/xdk/admin
■ Windows: ORACLE_HOME\xdk\admin

Example A–1 oracle_apache.conf file
# Advanced Queuing - AQ XML
include "/private1/oracle/Apache/Apache/conf/aqxml.conf"
#
#Directives needed for OraDAV module
include "/private1/oracle/Apache/oradav/conf/moddav.conf"
include "/private1/oracle/Apache/jsp/conf/ojsp.conf"
include "/private1/oracle/Apache/modplsql/conf/plsql.
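
Because httpd.conf pulls in ssl.conf and oracle_apache.conf, which in turn include further files, a check for the deprecated SSLProxyWalletPassword directive has to follow the whole include chain rather than read one file. The following is an added example, not Oracle's code: the names audit, demo and SAMPLE, the server_root parameter used to resolve relative include paths, and every value in the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Directive the guide marks as deprecated. Apache directive names are
# case-insensitive, so names are compared in lower case.
DEPRECATED = {"sslproxywalletpassword"}
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s+(.*?)\s*$")


def audit(path, server_root=None, _seen=None):
    """Walk a configuration file and every file it includes.

    Returns (file, line, kind, detail) tuples; kind is 'deprecated',
    'wallet' or 'missing-include'. The password argument itself is
    never copied into a finding.
    """
    _seen = set() if _seen is None else _seen
    real = os.path.realpath(path)
    if real in _seen:  # an include loop must not recurse forever
        return []
    _seen.add(real)
    server_root = server_root or os.path.dirname(real)
    findings = []
    with open(real, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.lstrip().startswith("#"):
                continue  # commented-out directives are inactive
            m = DIRECTIVE_RE.match(line)
            if not m:
                continue  # blank line or <Container> tag
            name, arg = m.group(1).lower(), m.group(2).strip('"')
            if name in DEPRECATED:
                findings.append((real, lineno, "deprecated", m.group(1)))
            elif name == "sslproxywallet":
                findings.append((real, lineno, "wallet", arg))
            elif name == "include":
                target = arg if os.path.isabs(arg) else os.path.join(server_root, arg)
                if os.path.isfile(target):
                    findings += audit(target, server_root, _seen)
                else:
                    findings.append((real, lineno, "missing-include", target))
    return findings


# Constructed sample tree (not taken from a real installation).
SAMPLE = {
    "httpd.conf": 'ServerName www.example.com\n'
                  'include "conf/ssl.conf"\n'
                  'Include conf/oracle_apache.conf\n',
    "ssl.conf": '<VirtualHost _default_:443>\n'
                '  SSLProxyWallet file:/constructed/wallet/dir\n'
                '  # SSLProxyWalletPassword disabled-example\n'
                '  sslproxywalletpassword CONSTRUCTED-VALUE\n'
                '</VirtualHost>\n'
                'include "conf/httpd.conf"\n',
    "oracle_apache.conf": 'include "conf/absent.conf"\n',
}


def demo():
    """Audit SAMPLE from a temp directory; returns (file, line, kind) rows."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "conf"))
        for name, text in SAMPLE.items():
            with open(os.path.join(root, "conf", name), "w") as fh:
                fh.write(text)
        top = os.path.join(root, "conf", "httpd.conf")
        return [(os.path.basename(f), n, kind)
                for f, n, kind, _ in audit(top, server_root=root)]


if __name__ == "__main__":
    print(demo())
```

Absolute quoted include paths, as in Example A–1, are opened as written; a 'missing-include' finding marks a branch of the configuration that could not be inspected.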

opmn.xml
opmn.xml describes the processes that Oracle Process Manager and Notification Server (OPMN) manages within an Oracle Database installation. The opmn.xml file is the main configuration file for OPMN. It contains information for the ONS, the PM, and Oracle Database component-specific configuration. The opmn.xml file shows you which Oracle Database components OPMN is managing on your system.

B Third Party Licenses

This appendix includes the Third Party License for all the third party products included with Oracle Database.

Apache HTTP Server
Under the terms of the Apache license, Oracle is required to provide the following notices. However, the Oracle program license that accompanied this product determines your right to use the Oracle program, including the Apache software, and the terms contained in the following notices do not change those rights.

Apache SOAP
Under the terms of the Apache license, Oracle is required to provide the following notices. However, the Oracle program license that accompanied this product determines your right to use the Oracle program, including the Apache software, and the terms contained in the following notices do not change those rights.
 * permission, please contact apache@apache.org.
 *
 * 5. Products derived from this software may not be called "Apache",
 *    nor may "Apache" appear in their name, without prior written
 *    permission of the Apache Software Foundation.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.

DBI Module
Oracle is required to provide the text of the third-party license, but the third-party program will be subject to the Oracle license, and Oracle will NOT provide warranties and technical support for the third-party technology. This program contains third-party code from DBI. Under the terms of the DBI license, Oracle is required to provide the following notices.
“Reasonable copying fee” is whatever you can justify on the basis of media cost, duplication charges, time of people involved, and so on. (You will not be required to justify it to the Copyright Holder, but only to the computing community at large as a market that must bear the fee.)
“Freely Available” means that no fee is charged for the item itself, though there may be fees involved in handling the item.
4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following:
a. distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.
b. accompany the distribution with the machine-readable source of the Package with your modifications.
c.
8. Aggregation of this Package with a commercial distribution is always permitted provided that the use of this Package is embedded; that is, when no overt attempt is made to make this Package's interfaces visible to the end user of the commercial distribution. Such use shall not be construed as a distribution of this Package.
9. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission.
10.

Perl
Oracle is required to provide the text of the third-party license, but the third-party program will be subject to the Oracle license, and Oracle will NOT provide warranties and technical support for the third-party technology. This program contains third-party code from Perl. Under the terms of the Perl license, Oracle is required to provide the following notices.
For those of you that choose to use the GNU General Public License, my interpretation of the GNU General Public License is that no Perl script falls under the terms of the GPL unless you explicitly put said script under the terms of the GPL yourself.
 * Alternately, this acknowledgment may appear in the software itself,
 * if and wherever such third-party acknowledgments normally appear.
 *
 * 4. The names "Apache" and "Apache Software Foundation" must
 *    not be used to endorse or promote products derived from this
 *    software without prior written permission. For written
 *    permission, please contact apache@apache.org.
 *
 * 5.
Definitions
“Package” refers to the collection of files distributed by the Copyright Holder, and derivatives of that collection of files created through textual modification.
“Standard Version” refers to such a Package if it has not been modified, or has been modified in accordance with the wishes of the Copyright Holder as specified below.
“Copyright Holder” is whoever is named in the copyright or copyrights for the package.
“You” is you, if you're thinking about copying or distributing this Package.
d. make other distribution arrangements with the Copyright Holder.
4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following:
a. distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.
b. accompany the distribution with the machine-readable source of the Package with your modifications.
c.
8. Aggregation of this Package with a commercial distribution is always permitted provided that the use of this Package is embedded; that is, when no overt attempt is made to make this Package's interfaces visible to the end user of the commercial distribution. Such use shall not be construed as a distribution of this Package.
9. The name of the Copyright Holder may not be used to endorse or promote products derived from this software without specific prior written permission.
10.

mod_dav
mod_dav has been licensed to Oracle free of charge by Greg Stein under a license similar to the Apache Software Foundation license. The following copyright notice applies to mod_dav and Oracle’s use of mod_dav:
Copyright © 1998-2001 Greg Stein. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1.
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

FastCGI
Oracle is required to provide the text of the third-party license, but the third-party program will be subject to the Oracle license, and Oracle will NOT provide warranties and technical support for the third-party technology. This program contains third-party code from FastCGI. Under the terms of the FastCGI license, Oracle is required to provide the following notices.
Open Market shall retain all right, title and interest in and to the Software and Documentation, including without limitation all patent, copyright, trade secret and other proprietary rights. OPEN MARKET MAKES NO EXPRESS OR IMPLIED WARRANTY WITH RESPECT TO THE SOFTWARE OR THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Jaxen
Oracle is required to provide the text of the third-party license, but the third-party program will be subject to the Oracle license, and Oracle will NOT provide warranties and technical support for the third-party technology. This program contains third-party code from Jaxen. Under the terms of the Jaxen license, Oracle is required to provide the following notices.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

Expat
Oracle is required to provide the text of the third-party license, but the third-party program will be subject to the Oracle license, and Oracle will NOT provide warranties and technical support for the third-party technology. This program contains third-party code from Expat. Under the terms of the Expat license, Oracle is required to provide the following notices.

SAXPath
Oracle is required to provide the text of the third-party license, but the third-party program will be subject to the Oracle license, and Oracle will NOT provide warranties and technical support for the third-party technology. This program contains third-party code from SAXPath. Under the terms of the SAXPath license, Oracle is required to provide the following notices.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

Glossary

Apache
Apache is a public domain HTTP server derived from the National Center for Supercomputing Applications (NCSA).

authentication
The process of verifying the identity of a user, device, or other entity in a host system, often as a prerequisite to granting access to resources in a system. A recipient of an authenticated message can be certain of the message’s origin (its sender). Authentication is presumed to preclude the possibility that another party has impersonated the sender.

A certificate contains the entity’s name, identifying information, and public key. It is also likely to contain a serial number, expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, it contains information about the certificate authority that issued it.

certificate authority
A trusted third party that certifies that other entities—users, databases, administrators, clients, servers—are who they say they are.

database access descriptor
A database access descriptor (DAD) is a set of values that specify how an application connects to an Oracle database to fulfill an HTTP request. The information in the DAD includes the username (which also specifies the schema and the privileges), password, connect-string, error log file, standard error message, and national language support (Globalization Support) parameters such as Globalization Support language.

DIT
See directory information tree.

DN
See distinguished name.

encryption
The process of disguising a message thereby rendering it unreadable to any but the intended recipient. Encryption is performed by translating data into secret code. There are two main types of encryption: public-key encryption (or asymmetric-key encryption) and symmetric-key encryption.

entry
In the context of a directory service, entries are the building blocks of a directory.

Lightweight Directory Access Protocol
A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. The framework of design conventions supporting industry-standard directory products, such as the Oracle Internet Directory.

MD5
A hashing algorithm intended for use on 32-bit machines to create digital signatures. MD5 is a one-way hash function, meaning that it converts a message into a fixed string of digits that form a message digest.

PL/SQL
PL/SQL is Oracle’s proprietary extension to the SQL language. PL/SQL adds procedural and other constructs to SQL that make it suitable for writing applications.

plaintext
Also called cleartext. Unencrypted data in ASCII format.

port
A port is a number that TCP uses to route transmitted data to and from a particular program.

private key
In public-key cryptography, this key is the secret key. It is primarily used for decryption but is also used for encryption with digital signatures.

public/private key pair
A set of two numbers used for encryption and decryption, where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are held by their respective owners. Though mathematically related, it is generally viewed as computationally infeasible to derive the private key from the public key.

Secure Shell
Secure Shell (SSH) is a well-known protocol and has widely available implementations that provide a secure connection tunneling solution. SSH provides a daemon on both the client and server sides of a connection. Clients connect to the local daemon rather than connecting directly to the server. The local SSH daemon then establishes a secure connection to the daemon on the server side.

X.509
Public keys can be formed in various data formats. The X.509 v3 format is one such popular format.