A secure architecture
Overview
APEX consists of a database and an HTTP web server. The HTTP server comes in several flavors:
- An Oracle XML DB HTTP server
- An Oracle HTTP Server (OHS) from the database companion CD
- An Oracle HTTP Server (OHS) from the Oracle Application Server 10g
For more details on each type, check this section.
A secure architecture for your APEX application can be built in many ways, and the right one depends on how sensitive your data is. If your data is not that important, you could put your APEX installation directly on the Internet, but this is not a good idea. It is always wise to expose as little as possible to the Internet. The minimum architecture I would suggest is this:
Minimum

APEX is tucked away on the Intranet. The Apache HTTP server in the DMZ can be an OHS, but you have to pay a license fee to Oracle if you use it. You are not allowed to install an OHS on any server other than one that contains the Oracle Database or the Oracle Application Server, unless you pay for an extra license. A free alternative is to use a standard Apache 1.3/2.0 HTTP server directly from Apache. Do note that administering a standard Apache differs from an OHS, so if you want a familiar interface you need an OHS.
For added security, many choose to encrypt the communication between the browser and the HTTP web server. If encryption is not used, an eavesdropper can intercept all information sent between the browser and the server, even passwords. The most popular way to encrypt is via Secure Sockets Layer (SSL). The encryption is transparent to APEX, so no configuration is needed in APEX. For information about setting up SSL, check this section.
With SSL to the DMZ
For added security it is also possible to use SSL encryption between the Apache HTTP server in the DMZ and the HTTP server installed with APEX.
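The two layouts above, sketched as a standard Apache 2.0 virtual host for the DMZ server. This is an added example, not configuration from the original page. The hostnames, port, certificate paths and the /pls/apex/ and /i/ URL prefixes are assumptions that depend on your installation.

```apache
# Constructed example: DMZ reverse proxy in front of an intranet APEX HTTP server.
# Requires mod_proxy, mod_proxy_http and mod_ssl to be loaded.
# All hostnames, ports and file paths below are placeholders.

Listen 443

<VirtualHost *:443>
    ServerName apex.example.com

    # Browser <-> DMZ: SSL, so passwords and session data are not sent in clear text.
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/apex.example.com.crt
    SSLCertificateKeyFile /etc/apache/ssl/apex.example.com.key

    # Reverse proxy only. Never leave forward proxying enabled on a DMZ host.
    ProxyRequests Off

    # DMZ <-> intranet: SSL to the HTTP server installed with APEX
    # (the "With SSL to the DMZ" layout). Without SSLProxyVerify the
    # backend certificate is not checked, so pin it to an internal CA.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache/ssl/internal-ca.crt

    # Expose as little as possible: forward only the APEX paths.
    # /pls/apex/ is assumed to be the APEX DAD, /i/ the APEX image directory.
    ProxyPass        /pls/apex/ https://apex-internal.example.local:4443/pls/apex/
    ProxyPassReverse /pls/apex/ https://apex-internal.example.local:4443/pls/apex/
    ProxyPass        /i/        https://apex-internal.example.local:4443/i/
    ProxyPassReverse /i/        https://apex-internal.example.local:4443/i/

    # Everything else on the intranet server stays unreachable from the Internet.
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    <LocationMatch "^/(pls/apex|i)/">
        Order allow,deny
        Allow from all
    </LocationMatch>
</VirtualHost>
```

For the minimum layout without SSL to the intranet, drop the three SSLProxy lines and point the ProxyPass targets at the backend's plain http:// address.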
Author: PeterLorenzen - 22 Apr 2007