Doubtful about security of oracle's Wrap code!

Dears
I am a little bit doubtful about the security of Oracle's own wrapped code, like the package "sys.utl_smtp".
Can someone easily unwrap it without the source code?
How is it possible? What's your opinion about this? Can anybody please clarify this for me?
Regards
Abdul Halim
Edited by: Abdul Halim on May 31, 2013 8:14 PM

Halim, you are operating under the mistaken belief that your code deserves hiding from the customer and competitors to begin with. Why? All you are doing in the code is performing DML. It is not like your application is the only one in the world that performs its function.
If someone really wanted to, they could figure out what your code is basically doing just by looking at the table and file data before and after running the code. By careful manipulation of the data and studying the results they can figure out what is being done and then develop their own specifics of how it is done. One can also look at Oracle's internals as the code is being processed, both using Oracle-provided views and direct peeking at Oracle's shared memory. Then there are tools like SQL trace which will capture the SQL, waits, and binds for the process.
But all of this is kind of moot in that most shops do not have the talent to write their own unwrapper nor has the shop purchased an unwrapper, so if you wrap the code it is going to be secured from most users and competitors. I would just recommend that potential customers not purchase your product because the customer is going to need access to the code either for debugging (bugs will exist in the code) or tuning. Likely both.
IMHO -- Mark D Powell --

Similar Messages

  • Doubt About Security Levels

    Hi Experts,
    I want to know more About Security Levels.
    1..What are the Security Levels
    2..Why Do we need
    3..Where we can give the Security Levels
    Please Clarify me
    Regards
    Khanna

    Hi Rajesh,
    You can define a security level for incoming messages handled by certain HTTP-based sender adapters.
    Possible HTTP security levels are (in ascending order):
    -- HTTP without SSL
    -- HTTP with SSL (= HTTPS), but without client authentication
    -- HTTP with SSL (= HTTPS) and with client authentication
    This will clear most of your doubts
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
    Regards,
    Prateek

  • Basic Doubt about security

    Dear All,
    I am trying to implement following functionality. Can you suggest how i should go about implementing this in actual code.
    I have a J2EE application consisting of a Swing client and server components deployed on a J2EE-compliant server. Now whenever a client tries to log in to the system, the username and password info is transmitted to the server for authentication. Here I need to introduce a functionality by which the password, and maybe the user name, is encrypted before it is sent to the app server, and then the app server at its end will decrypt it before authenticating the user.
    Now theoretically I am planning to do the following: using public/private key encryption. The client will encrypt the required string using the public key and send it to the server. The server will now decrypt using the private key which is available at its end. The client and the app server are on physically different machines. Does this make sense? And is it correct?
    Now my questions:
    Is my mechanism correct?
    How to generate public/private keys? Is it using keytool, and what are the steps?
    How should the transfer of these keys take place?
    If keys are generated using the API rather than keytool, how to transmit these keys to the server?
    If keys are generated using keytool, how to distribute these keys and use them in the program while doing encryption/decryption?
    Kindly reply soon. This is urgent. Thank you in advance
    Sachin

    I would suggest making an SSL connection to the server which verifies the password (and if it is not too computationally intensive, then for data as well). Java 1.4 has SSL functionality built-in (you just need to do some key management on the server end -- if you get a certificate from a provider that is preloaded).

  • Security in oracle

    Hello,
    I'm planning to write my bachelor thesis and I'm writing about security in the Oracle database. I heard that security is an audit subject and it's interesting to talk about security. I want to know what I can do in the practical part of my thesis. I want some ideas of what to do in the practical part, what's interesting to do in practice, regarding this subject.
    Thanks!

    Hi Roger,
    Give more details; security is a huge concept. Also I suggest checking the links below
    Security
    http://www.oracle.com/technetwork/topics/security/whatsnew/index.html
    Security Solutions From Oracle
    http://www.oracle.com/us/technologies/security/security-solutions-151411.html?origref=http://www.google.com.tr/
    Regards
    Helios

  • Doubt about Oracle Acess Manager Identity System

    Hi, I have a doubt about the Identity System: when I configure the Identity System to use Data Anywhere, where is the user created when I create one in the administrative console? As far as I know, Data Anywhere is managed by OVD.
    Thanks.

    > And I could connect to the database.
    With which tool?
    > I wanted to mimic the connection to another system by just copying the c:\oracle folder. The connection was established and works fine.
    What type of client installation is this? Can you cross check in inventory/logs?

  • Doubt About GPO - Security Zones

    I have Windows Server 2008 R2 and GPOXX with settings about Security Zones, and it runs normally.
    I need to create another GPOYY with settings about Security Zones different from GPOXX.
    My doubt is: when I create GPOYY, won't my settings conflict with my GPOXX? I can't have problems with GPOXX in my production environment.
    Thanks a bunch!

    Hi,
    >>My doubt is: When I create GPOYY and my settings won't occur conflict in my GPOXX?
    As long as the settings we configure don't conflict with each other, there won't be conflict between GPOs. If the setting in GPOYY and GPOXX conflict with each other, say we enable a setting in the former GPO and disable the same setting in the latter GPO, then there will be conflict and the GPO processed last will be the winning GPO for applying the setting.
    Regarding group policy precedence, the following article can be referred to for more information.
    Group Policy processing and precedence
    http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
    Best regards,
    Frank Shen

  • Doubts about use of REPORTS_SERVERMAP with Forms11g HA

    Hi,
    I'm configuring a Linux 64-bit Forms/Reports 11g HA environment. The point is that I have two nodes, each one with its Forms and Reports servers, let's say FormsA and ReportsA for the first node and FormsB and ReportsB for the second node.
    I want FormsA to be able to call reports from ReportsB and FormsB to be able to call reports from ReportsA.
    I've been reading about REPORT_SERVERMAP
    http://docs.oracle.com/cd/E12839_01/bi.1111/b32121/pbr_conf003.htm#autoId5
    But i have some doubts about its use:
    1. I will not use a shared cluster file system or any way of cache solution, i will only have my rdf files on each node, and i'm wondering if just by configuring this parameter i will be able to get the effect mentioned above ??
    2. The link provided says "Using RUN_REPORT_OBJECT. If the call specifies a Reports Server cluster name instead of a Reports Server name, the REPORTS_SERVERMAP environment variable must be set in the Oracle Forms Services default.env file"
    In fact i'm using RUN_REPORT_OBJECT but
    what is the Reports Server cluster name ?? and where do i find that name ??
    3. Is this configuration well defined:
    REPORTS_SERVERMAP=clusterReports:ReportsA;clusterReports:ReportsB
    4. At forms applications when using RUN_REPORT_OBJECT, can i assume that the report server name will be the cluster name specified at the REPORTS_SERVERMAP ??
    5. Which files should i modify rwservlet.properties or default.env ??
    Hope you can help me :)
    Regards
    Carlos

    Hi,
    1. I will not use a shared cluster file system or any way of cache solution, i will only have my rdf files on each node, and i'm wondering if just by configuring this parameter i will be able to get the effect mentioned above ??
    --> In such case what could go wrong is
    Suppose Run_report_object executed jobs successfully to ReportsA
    But web.show_document command for getjobid failed ( as ReportsA went down by this time)
    --> You will not get the output shown ( though job was successful)
    If shared cache was enabled, then Even if ReportsA is down, other cluster member ( say ReportsB)
    will respond back to web.show_document.
    Point 2,
    --> Under HA it is highly recommended to use web.show_document (a servlet call) to execute reports. This is to help use all HA features at the HTTP, Webcache or load balancer level.
    However if there is migrated code or Run_report_object is must, then the recommendations as you see in the pointed document is must.
    REPORTS_SERVERMAP setting needs to be configured in rwservlet.properties file and also in default.env Forms configuration file to map the Reports Server cluster name to the Reports Server running on the mid-tier where the Load Balancer forwarded the report request.
    For example FormsA, ReportsA, cluster name say rep_cluster
    default.env file
    REPORTS_SERVERMAP=rep_cluster:ReportsA
    Where "rep_cluster" is the Reports Server cluster name and "ReportsA" is the name of the Reports Server running on the same machine as FormsA
    rwservlet.properties file
    <reports_servermap>rep_cluster:ReportsA</reports_servermap>
    At default.env this is not a valid entry
    REPORTS_SERVERMAP=clusterReports:ReportsA;clusterReports:ReportsB
    what is the Reports Server cluster name ?? and where do i find that name ??
    --> This is created via EM on the report server side.
    Would recommend to refer following documents at the myoracle support repository
         How to Setup Reports HA (High Availability - Clusters) in Reports 11g [ID 853436.1]
         REP-52251 and REP-56033 Errors When Calling Reports From Forms With RUN_REPORT_OBJECT Against a Reports Cluster in 11g. [ID 1074804.1]
    Thanks

  • Question about Communication with Oracle 7

    Hi,
    Generally we use Oracle Snapshots for communication, but since Oracle 9.2.0.5 does not work with Oracle 7.1.5.2.4, we are thinking about using Oracle Interconnect for this link.
    Now I have the following two Questions about Communication with Oracle 7:
    1. Is an Adapter for Oracle 7.1.5.2.4 available?
    2. From your experience, does it make sense to install Oracle Interconnect for implementation of only one read only Link with 3 Tables if an OAS for BI is available?
    Thanks,
    Hannes

    1. The Oracle database adapter is for Oracle 8i and up. I checked the code needed in the database and doubt that will work in Oracle 7.
    1. The other option, Advanced Queuing, also needs 8i and up.
    2. For me it doesn't make sense that you want to connect to Oracle 7. Oracle 7 is unsupported and should not have to be developed against. Also the license costs for Oracle Interconnect, ~17K without any discount, is a bit steep for read-only links to three tables. Having the OAS means you won't have to pay another additional ~17K for the apps server.

  • Are Oracle Install Files Code Signed?

    Hi All
    I appreciate that Oracle products can provide a CA service that allows exploitation of X.509 certificate and PKI related services (e.g., code signing), but does Oracle have its own corporate Code Signing CA to sign its own products and applications to ensure and prove that it is valid Oracle software.
    I have been searching for an Oracle CA cert high and low on the Net and can find no evidence. Oracle's secure signing cert seems to be issued from Verisign?
    Does Oracle get its code signing certs from Verisign?
    Keep the faith dudes ;oD
    Kev

    1.2 Gigs of RAM is way more than is required, so you shouldn't really be running out of RAM. What is the available RAM (Task Manager), before the install starts? Is anything else running?
    If you need to get this done in a hurry, then you should contact either Oracle or Compaq support about this. Either could help faster than waiting for someone who had the same problem to respond to your post.
    Like I said, I'm a UNIX guy so I can't really help further.

  • How to install Oracle Label Security in Oracle Database 10g EE

    Hello All
    I just want to know how to install Oracle Label Security in Oracle 10g Database EE.
    I read in Oracle Enterprise Manager Grid Control Installation and Basic Configuration that Label Security must be installed before installing Enterprise Manager Grid Control.
    I have Oracle Database 10g Release 1 (10.1.0.1) on my Windows XP System, and I patch it to 10.1.0.3.
    M.
    Sorry about my English.

    An option is to connect to Oracle Policy Manager or use Oracle Internet Directory (OID) to administer Oracle Label Security.
    Find more ways in the Documentation here:
    http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm

  • Doubt about  a null value assigned to a String variable

    Hi,
    I have a doubt about a behavior when assigning a null value to a string variable and then seeing the output, the code is the next one:
    public class NullConcat {
        public static void main(String[] args) {
            String total = null;
            System.out.println(total);   // prints "null"
            total = total + "one";       // null is converted to the string "null"
            System.out.println(total);   // prints "nullone"
        }
    }
    The doubt comes when I see the output; the output I get is this:
    null
    nullone
    A variable with null value means it does not contain a reference to an object in memory, so the question is why the null is printed when I concatenate the total variable, which has a null value, with the string "one".
    Is the null value converted to string ??
    Please clarify
    Regards and thanks!
    Carlos

    > null is a keyword to inform compiler that the reference contain nothing
    No. 'null' is not a keyword, it is a literal. Beyond that the compiler doesn't care. It has a runtime value as well.
    > total contains null value means it does not have memory,
    No, it means it refers to nothing, as opposed to referring to an object.
    > for representation purpose it contain "null"
    No. println(String) has special behaviour if the argument is null. This is documented and has already been described above. Your handwaving about 'for representation purpose' is meaningless. The compiler and the JVM don't know the purpose of the code.
    > e.g. this keyword shows a hash value instead of memory address
    No it doesn't: it depends entirely on the actual class of the object referred to by 'this', and specifically what its toString() method does.
    > similarly "total" maps null as a literal.
    Completely meaningless. "total" doesn't 'map' anything, it is just a literal. The behaviour you describe is a property of the string concatenation operator, not of string literals.
    > I hope you can understand this.
    Nobody could understand it. It is complete nonsense. The correct answer has already been given. Please read the thread before you contribute.

  • 7 Things every Adobe AIR Developer should know about Security

    7 Things every Adobe AIR Developer should know about Security
    1. Your AIR files are really just zip files.
    Don't believe me? Change the .air extension to zip and unzip
    it with your favorite compression program.
    What does this mean for you the developer? What this means is
    that if you thought AIR was a compiled protected format, alas it is
    not.
    2. All your content is easily accessible in the AIR file.
    Since we know that the AIR file is really just a zip file,
    unzip it and see what's inside. If you have added any content
    references when you published the AIR file, voila, there it all is.
    What does this mean for you the developer? Well, your content
    is sitting there ripe for the picking, and so is everything else
    including your Application descriptor file, images etc.
    3. Code signing your Air app does nothing as far as security
    for you.
    All code signing your app does is verify to the end user that
    someone published the app. It does nothing as far as encryption and
    does nothing to protect your content.
    What does this mean for you the developer? Well, you should
    still do it, because getting publisher "unknown" is worse. It also
    means that joe hacker would not be able to decompile your entire app
    and republish it with the same certificate, unless they
    somehow got a hold of that too.
    4. All your AIR SWF content is easily decompilable.
    Nothing new here, it's always been this way. Type flash
    decompiler into google and you'll find a variety of decompilers for
    under $100 that will take your AIR content swf and expose all your
    source code and content in no time.
    What does this mean for you the developer? All your content,
    code, urls and intellectual property is publicly available to
    anyone with a decompiler, unless you do some extra work and encrypt
    your swf content files, which is not currently a feature of AIR,
    but can be done if you do your homework.
    5. Your SQLite databases are easy to get at.
    SQLite databases can be accessed from AIR or any other
    program on your computer that knows how to work with it. Unless you
    put your database in the local encrypted datastore, or encrypt your
    entire database it's pretty easy to get at, especially if you
    create it with a .db extension.
    What does this mean for you the developer? Well, SQLite is
    very useful, but just keep in mind that your data can be viewed and
    altered if you're not careful.
    6. The local encrypted datastore is useful, but....
    The local encrypted datastore is useful, but developers need
    a secure way of getting information into it. Storing usernames,
    passwords and urls in clear text is a bad idea, since as we
    discussed, your code is easy to decompile and read. By putting info
    into the local encrypted datastore, the data is encrypted and very
    difficult to get at. The problem is, how do you get it into there,
    without having to store any info that can be read in the air file and
    without the necessity of communicating with a web server? Even if
    you called a web service and pushed the returned values into the
    datastore, this is not ideal, since you may have encoded the urls
    to your web service into your code, or they intercept the results
    from the web service call.
    What does this mean for you the developer? Use the local
    datastore, and hope that we get some new ways of protecting content
    and data from Adobe in the next release of AIR.
    7. There are some things missing from the current version of
    AIR (1.1) that could really help ease the concerns of people trying
    to develop serious applications with AIR.
    Developers want more alternatives for the protection of local
    content and data. Some of us might want to protect our content and
    intellectual property, remember not all of us are building toys
    with AIR. Other than the local encrypted datastore there are not
    currently any built in options I'm aware of for encrypting other
    content in the AIR file, unless you roll your own.
    What does this mean for you the developer? Well, I've been
    told that Adobe takes security very seriously, so I'm optimistic
    that we'll see some improvements in this area soon. If security is
    a concern for you as much as it is for me, let them know.

    Putting "secret data" as clear text directly in your code
    is a broken concept in every environment and programming language.
    Every compiled code is reversible, especially strings are really
    easy to extract.
    There is no simple, straightforward way to include secret
    data directly with your app. This is a complicated subject, and if
    you really need to do this, you'll need to read up on it a bit.
    But in most cases this can be avoided or worked around
    without compromising security. One of the best ways is to provide
    the user with a simple "secret key" alongside the app (best way is
    the good old login/password). The user installs the app, and
    provides his "secret key", that goes directly into
    EncryptedLocalStore, and then you use this "secret key" to access
    the "secret data" that's stored on your server. Then you can
    transfer the "secret data" directly into EncryptedLocalStore.
    As for the whole thread:
    Points 1-5 -> Those points do not concern AIR apps only.
    If you are developing an application in any language, you should
    follow those rules, meaning:
    - Code installed on the user's computer is easily accessible
    - Data stored locally is easily accessible, even if it is
    encrypted using any symmetric-key encryption, because the
    encrypting algorithm and encryption key is in your source code (you
    could probably write a book on using public-key encryption so let's
    just leave it for now ;)
    Point 6 -> Is a valid one. All your app security should
    rely on the EncryptedLocalStore. But it is your job to get the
    data securely into the ELS, because there is no point to encrypt
    data that can be intercepted.
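
A pre-release check for points 1, 2, 5 and 6 of the list above, as an added example that is not part of the original posts: it opens an .air package as the zip archive it is and reports unencrypted SQLite files, SWF content, clear-text credential assignments and hard-coded URLs. The regular expressions, the finding labels and the sample package built in `build_sample_air()` are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import zlib

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib, LZMA

# Illustrative patterns (assumption): tune them for your own code base.
SECRET_RE = re.compile(
    rb'(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*["\']?[^\s"\'<>]{4,}')
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+")


def _swf_body(data):
    """Return the scannable bytes of a SWF (8-byte header, then the body)."""
    if data[:3] == b"CWS":              # body is zlib-compressed
        try:
            return zlib.decompress(data[8:])
        except zlib.error:
            return b""
    return data[8:] if data[:3] == b"FWS" else b""


def audit_air_package(source):
    """Scan an .air file (path or file object); return sorted (entry, finding) pairs.

    Secret values are never copied into the findings, only the key name.
    """
    findings = set()
    with zipfile.ZipFile(source) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            name, data = info.filename, pkg.read(info)
            if data.startswith(SQLITE_MAGIC):
                findings.add((name, "unencrypted-sqlite-database"))
                continue
            if data[:3] in SWF_MAGICS:
                findings.add((name, "swf-decompilable"))
                data = _swf_body(data)  # string constants survive compilation
            for match in SECRET_RE.finditer(data):
                key = match.group(1).decode().lower()
                findings.add((name, "cleartext-secret:" + key))
            if URL_RE.search(data):
                findings.add((name, "embedded-url"))
    return sorted(findings)


def build_sample_air():
    """Build a small constructed package in memory (not a real application)."""
    swf = (b"CWS\x0a" + (0).to_bytes(4, "little")
           + zlib.compress(b"\x00https://api.example.invalid/service\x00"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/AIR/application.xml",
                   "<application><id>com.example.demo</id></application>")
        z.writestr("main.swf", swf)
        z.writestr("data/users.db", SQLITE_MAGIC + b"\x00" * 84)
        z.writestr("config/service.properties",
                   "password=ExamplePass123\n"
                   "endpoint=https://api.example.invalid/login\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, finding in audit_air_package(io.BytesIO(build_sample_air())):
        print(f"{entry}: {finding}")
```

Run against a real build by passing the path of the .air file to `audit_air_package`; every finding is something an end user can read from the installed package as well.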

  • What about security in adf faces application ?

    It seems that the documentation has changed a little bit about security for ADF Faces applications.
    The SRDemo J2EE sample application only implemented the security at the web container and maybe for the session beans (don't remember) by using security-role and security-constraint in the web.xml configuration file.
    It seems that the documentation now recommends implementing ADF security, and I didn't find the reference to the standard J2EE security implementation anymore.
    We found also that the security constraints checked by the web container were sometimes ignored and the container didn't ask us to log in before displaying a page.
    Is ADF security a clear Oracle recommendation for ADF Faces applications?
    What about J2EE security for this type of application (why is it not recommended to use it)?

    Hi,
    there is no single recommendation about security because security ideally is applied on several levels to implement security in depth. Container managed security with J2EE is a good option to secure page access and - if using EJB - to propagate the user identity for method level access control.
    Using ADF Security, which is security added to the binding layer based on JAAS, a second layer of the security onion becomes available that allows you to define which user is allowed to perform which operation on an iterator or attribute binding. This goes beyond what container managed security can do for you.
    The third layer is business layer security and eventually database security.
    For Oracle Open World we will have a development track and one of the presentations I am giving with Ric Smith from our team is about end-to-end application security for ADF Faces, ADF, ADF BC or TopLink/EJB and the Oracle database.
    The plan is to also write this up in a paper, but this would come late because of other priorities I have on my plate. So attending OOW probably is the best option for you to get the big picture.
    Frank

  • SOAP Header Security in Oracle Service Bus

    Currently we are in the process of implementing SOAP Header Security through Oracle Service Bus. We have a requirement that BPEL needs to call an external web service. That web service will be registered in OSB. While making the call, the OSB needs to add the SOAP security header (user name & pwd) in the proxy service before forwarding the request to the business service. Can you please help me find some information about that?

    Hi Manoj,
    The request payload which is going to the target is
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    </soap:Header>
    <soapenv:Body>
    <man:GetDefaultRechargeValuesRequest xmlns:man="http://www.NII.com/ManagePrepaidRecharge/workflow/ManagePrepaidRecharge">string</man:GetDefaultRechargeValuesRequest>
    </soapenv:Body>
    </soapenv:Envelope>
    whereas the target expects the soap header populated. the payload expected by the target is
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <gsa:Authentication xmlns:gsa="http://www.nextel.com.br/Wbs/Gsa">
    <gsa:Account>test</gsa:Account>
    <gsa:Password>test</gsa:Password>
    <gsa:Guid>f65748e63b01</gsa:Guid>
    </gsa:Authentication>
    </soap:Header>
    <soapenv:Body>
    <man:GetDefaultRechargeValuesRequest xmlns:man="http://www.NII.com/ManagePrepaidRecharge/workflow/ManagePrepaidRecharge">string</man:GetDefaultRechargeValuesRequest>
    </soapenv:Body>
    </soapenv:Envelope>
    The problem now is, when I call a business service (WSDL of the target) from a proxy service and set the above expression to the $header using a replace action in the proxy service itself, the above expression, instead of going as a request to the business service, is populated in the response.
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <gsa:Authentication xmlns:gsa="http://www.nextel.com.br/Wbs/Gsa">
    <gsa:Account>test</gsa:Account>
    <gsa:Password>test</gsa:Password>
    <gsa:Guid>f65748e63b01</gsa:Guid>
    </gsa:Authentication>
    </soap:Header>
    <soapenv:Body>
    <ns0:GetDefaultRechargeValuesResponse xmlns:ns0="http://www.NII.com/ManagePrepaidRecharge/workflow/ManagePrepaidRecharge">
    <ns0:StandardHeaderBlock>
    <ns2:ServiceState xmlns:ns2="http://xmlns.oracle.com/apps/StandardHeaderBlock">
    <ns2:errorCode>SOA_ERR_TARGET_SYSTEM_FAILURE</ns2:errorCode>
    <ns2:errorDesc>
    OSB Service Callout action received an error response
    </ns2:errorDesc>
    </ns2:ServiceState>
    </ns0:StandardHeaderBlock>
    </ns0:GetDefaultRechargeValuesResponse>
    </soapenv:Body>
    </soapenv:Envelope>
    Since the authentication details are not reaching the target, it is giving a target system failure. Can you suggest a remedy for this, please?

  • Doubt about Bulk Collect with LIMIT

    Hi
    I have a doubt about Bulk Collect: when is the commit done?
    I got an example from PSOUG
    http://psoug.org/reference/array_processing.html
    CREATE TABLE servers2 AS
    SELECT *
    FROM servers
    WHERE 1=2;

    DECLARE
      CURSOR s_cur IS
        SELECT *
        FROM servers;
      TYPE fetch_array IS TABLE OF s_cur%ROWTYPE;
      s_array fetch_array;
    BEGIN
      OPEN s_cur;
      LOOP
        FETCH s_cur BULK COLLECT INTO s_array LIMIT 1000;
        FORALL i IN 1..s_array.COUNT
          INSERT INTO servers2 VALUES s_array(i);
        EXIT WHEN s_cur%NOTFOUND;
      END LOOP;
      CLOSE s_cur;
      COMMIT;
    END;
    If my table Servers has 3 000 000 records, when is the commit done? When all records are inserted?
    could crash redo log ?
    using 9.2.08

    muttleychess wrote:
    > If my table Servers have 3 000 000 records , when is done commit ?
    Commit point has nothing to do with how many rows you process. It is purely business driven. Your code implements some business transaction, right? So if you commit before the whole transaction (from business standpoint) is complete, other sessions will already see changes that are (from business standpoint) incomplete. Also, what if the rest of the transaction (from business standpoint) fails?
    SY.
