Forms Services Security Overview 11-3
11.1.2.3 Database Password Expiration when Using Single Sign-On
In some previous releases of Oracle Forms Services, the RAD information in Oracle Internet Directory was not updated if the database password had expired and the user then renewed it when connecting to a Forms application. In this release, Oracle Forms Services automatically updates the RAD information in Oracle Internet Directory whenever a database password is updated through Forms. No extra configuration is necessary to enable this feature in Oracle Forms Services.
11.1.3 Authentication and Access Enforcement
For detailed information about the authentication flow of Oracle Single Sign-On Server support in Oracle Forms Services, for example when a user requests an Oracle Forms Services URL for the first time or arrives from a partner application, see Section 9.1.1, Authentication Flow.
11.1.4 Leveraging Oracle Identity Management Infrastructure
Oracle Forms Services integrates tightly with Oracle Internet Directory with minimal configuration. When you configure Oracle Single Sign-On Server for your Forms applications, Oracle Forms Services handles much of the configuration and interaction with Oracle Internet Directory.
Because the Repository API is absent in 11g, Oracle Forms and Identity Management integration involves registering the Forms application identity at deployment time, when a relationship is established between Forms and the Oracle Internet Directory (OID) host. This process is known as associating with the Oracle Internet Directory. Related information, such as the Forms Distinguished Name (formsDN) and the password, is stored in the Credential Storage Framework (CSF). At run time, a JNDI connection is made to Oracle Internet Directory after the required information is extracted from CSF. Oracle Forms and Identity Management integration involves the following:
■ Integration at bootstrap: The Forms application entity and Distinguished Name, with a password, is created in Oracle Internet Directory.
■ Integration at run time: Previously, the connection to Oracle Internet Directory used the Repository API. In 11g, a JNDI call is used to connect directly to Oracle Internet Directory.
For more information about associating and disassociating Oracle Internet Directory, see Section 9.7, Configuring Oracle Internet Directory.
11.2 Configuring Oracle Forms Services Security
Configuring security for Oracle Forms Services is done through Oracle Fusion Middleware Control. Online help is available for each screen. For more information, see Chapter 4, Configuring and Managing Forms Services and Chapter 9, Using Forms Services with Oracle Single Sign-On.
11.2.1 Configuring Oracle Identity Management Options for Oracle Forms
Oracle Forms Services can be configured to create resources dynamically in Oracle Internet Directory, or to have a user with no Oracle Internet Directory resource use a common resource.
For more information, see Chapter 9, Using Forms Services with Oracle Single Sign-On.
11-4 Forms Services Deployment Guide
11.2.2 Configuring Oracle Forms Options for Oracle Fusion Middleware Security Framework
For more detailed information about configuring and securing Oracle Forms, see the following chapters:
■ Chapter 3, Basics of Deploying Oracle Forms Applications
■ Chapter 4, Configuring and Managing Forms Services
■ Chapter 9, Using Forms Services with Oracle Single Sign-On
■ Chapter 12, Tracing and Diagnostics
11.2.3 Securing RADs
To increase the security of RADs and prevent them from being viewable by the OID administrator, perform the following steps:
1. Copy the contents enclosed by ---aci-change.ldif--- into the file aci-change.ldif:
---aci-change.ldif---
dn: cn=Extended Properties,s_OracleContextDN
changetype: modify
delete: orclaci
orclaci: access to attr=(orclUserIDAttribute,orclPasswordAttribute) by guidattr=(orclOwnerGUID) (read,search,compare,write) by dnattr=(orclresourceviewers) (read,search,compare,write) by groupattr=(orclresourceviewers) (read,search,write) by * (none)
-
add: orclaci
orclaci: access to attr=(orclUserIDAttribute,orclPasswordAttribute) DenyGroupOverride by guidattr=(orclOwnerGUID) (read,search,compare,write) by dnattr=(orclresourceviewers) (read,search,compare,write) by groupattr=(orclresourceviewers) (read,search,write) by * (none)
---aci-change.ldif---
Note: In aci-change.ldif, each line beginning with orclaci: access to attr= is a single line ending with by * (none) and must not contain any line breaks in the middle.
2. In the LDIF file, replace s_OracleContextDN with the distinguished name (DN) of the realm-specific Oracle Context. For example, if the realm DN in the deployment is dc=acme,dc=com, then the realm-specific Oracle Context is cn=OracleContext,dc=acme,dc=com.
3. Execute the following command on the OID tier:
ldapmodify -p port -h host -D cn=orcladmin -q -v -f aci-change.ldif
4. Because the password is not passed as a command-line parameter, the command prompts for the cn=orcladmin password when it runs.
To undo these changes, issue the same command, subject to the same notes as above, but with the following contents in the .ldif file:
---aci-revert.ldif---
dn: cn=Extended Properties,s_OracleContextDN
changetype: modify
delete: orclaci
orclaci: access to attr=(orclUserIDAttribute,orclPasswordAttribute) DenyGroupOverride by guidattr=(orclOwnerGUID) (read,search,compare,write) by dnattr=(orclresourceviewers) (read,search,compare,write) by groupattr=(orclresourceviewers) (read,search,write) by * (none)
-
add: orclaci
orclaci: access to attr=(orclUserIDAttribute,orclPasswordAttribute) by guidattr=(orclOwnerGUID) (read,search,compare,write) by dnattr=(orclresourceviewers) (read,search,compare,write) by groupattr=(orclresourceviewers) (read,search,write) by * (none)
---aci-revert.ldif---
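As an added example (not from the Oracle guide), the following Python builds aci-change.ldif and aci-revert.ldif for a realm DN and checks a file, generated or hand-edited, for the mistakes the steps above warn about: an unreplaced s_OracleContextDN, a folded orclaci value, or the wrong ACI under add:. The function names and the dc=acme,dc=com sample are the example's own assumptions.

```python
"""Added example (not Oracle's code): build and sanity-check the aci-change.ldif
and aci-revert.ldif files of Section 11.2.3 for a given realm DN."""
import re

# ACI values from the guide; OID requires each orclaci value on ONE physical line.
ATTRS = "attr=(orclUserIDAttribute,orclPasswordAttribute)"
SUBJECTS = ("by guidattr=(orclOwnerGUID) (read,search,compare,write) "
            "by dnattr=(orclresourceviewers) (read,search,compare,write) "
            "by groupattr=(orclresourceviewers) (read,search,write) by * (none)")
ACI_OPEN = f"access to {ATTRS} {SUBJECTS}"                        # original ACI
ACI_HARDENED = f"access to {ATTRS} DenyGroupOverride {SUBJECTS}"  # ACI from step 1


def oracle_context_dn(realm_dn: str) -> str:
    """Realm-specific Oracle Context, e.g. dc=acme,dc=com -> cn=OracleContext,dc=acme,dc=com."""
    realm_dn = realm_dn.strip()
    if not re.fullmatch(r"\w+=[^,=]+(,\w+=[^,=]+)*", realm_dn):
        raise ValueError(f"not a DN: {realm_dn!r}")
    return f"cn=OracleContext,{realm_dn}"


def build_aci_ldif(realm_dn: str, revert: bool = False) -> str:
    """LDIF replacing the open ACI with the DenyGroupOverride one (or back, if revert)."""
    old, new = (ACI_HARDENED, ACI_OPEN) if revert else (ACI_OPEN, ACI_HARDENED)
    return "\n".join([
        f"dn: cn=Extended Properties,{oracle_context_dn(realm_dn)}",
        "changetype: modify", "delete: orclaci", f"orclaci: {old}",
        "-", "add: orclaci", f"orclaci: {new}",
    ]) + "\n"


def check_aci_ldif(text: str, expect_hardened: bool = True) -> list[str]:
    """Problems to fix before 'ldapmodify ... -f' is run on this file (empty list = OK)."""
    lines, problems = text.splitlines(), []
    if any(l.startswith(" ") for l in lines):
        problems.append("orclaci value is folded; it must be a single physical line")
    if any("s_OracleContextDN" in l for l in lines):
        problems.append("s_OracleContextDN placeholder not replaced with the realm Oracle Context")
    try:  # the orclaci value after 'add: orclaci' is what ends up in the directory
        added = next(l for l in lines[lines.index("add: orclaci"):] if l.startswith("orclaci: "))
    except (ValueError, StopIteration):
        problems.append("no 'add: orclaci' section followed by an orclaci value")
        return problems
    if ("DenyGroupOverride" in added) != expect_hardened:
        problems.append("added ACI does not have the expected DenyGroupOverride state")
    if not added.endswith("by * (none)"):
        problems.append("added ACI must end with 'by * (none)' so no other subject gets access")
    return problems
```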
12 Tracing and Diagnostics
This chapter contains the following sections:
■ Section 12.1, About Forms Trace