We are upgrading from OAS (OWAS) 3 to OAS 4, but I have some problems with
its conception. OAS administrators, do you agree with my considerations?
Are there any tips and tricks on OAS 4 on the Internet? Is this the right
newsgroup for OAS at all (at least it is Oracle and it is a server ;-)? Here
are some of the points which struck me:
- As far as I understand, in OAS 4 the "node manager" is much more crucial
to be protected from unauthorized access than the "admin listener", because
the latter is only used to run the log analyzer and demos, whereas with the
former you can configure almost everything and thus do much more mischief.
Access to those listeners should be protected by good *digest* (encrypted)
passwords and restricted on an IP basis, both of which are *not* the default
configuration. What's even worse, as far as I see, with the admin interface
you can only configure security for the admin listener, not for the more
important node manager. So I suppose, to be secure, you have to configure
security for the admin listener and then copy the relevant parts manually
from "svadmin.cfg" to "svnode.cfg". Is this right, or did I overlook
something?
- In OAS 4, there is no interconnection between http listeners and
applications. This has many disadvantages: a) You have to configure security
(users, passwords, groups, realms etc.) separately for listeners and
applications, with the possibility of making many mistakes. b) The
applications are not coupled to a specific port any more. This means I
cannot block e.g. Log Analyzer (Admin Utility) access at the firewall level.
- This also means, depending on which port I access an application, its
static parts (maybe html footers or images) are searched at different
listeners. And so on. In my eyes this is a huge conceptual drawback in the
OAS's architecture, which has become even worse compared with version 3.
- I cannot get custom user error behaviour. At the HTTP listener level,
there seems to be no chance to have custom error behaviour (especially
important in the case of "URL not found"). At the application level, there
is an "Error Page", but the doco does not say when it is called, whether it
is HTML or not, whether it is a physical path or a URL etc. At the
cartridge level, there is a "HTML Error Page" and you have to enter its
physical path. But it does not seem to work in OAS 4 any more.
Christoph Zwerschke
E-Mail: christoph.zwerschke_at_sun1.zuv.uni-heidelberg.de
WWW: http://www.zuv.uni-heidelberg.de/~zwerschke/
Received on Thu Mar 04 1999 - 05:24:11 CST