Monday May 03, 2010

Privacy Protection in Oracle IRM 11g

Another innovation in Oracle IRM 11g is an in-built privacy policy challenge. By design, one of the many things that Oracle IRM does, of course, is collect audit information about how and where sealed documents are being used - user names, machine identifiers and so on. Many customers consider that this has privacy implications that the user should be invited to accept as a condition of service use - for the protection of both of the user and the service from avoidable controversy.

So, in 11g IRM, when a new user connects to a server for the first time, they can expect to see the following privacy policy dialog.

11g-privacy.png

The dialog provides a configurable URL that the customer can use to publish the privacy policy for their IRM service. The policy might clarify what data is being collected and stored, what use that data might be put to, and so on as required by the service owner's legal advisers.

In previous releases, you could construct an equivalent capability, and some customers did, but this innovation makes it much easier to do - you simply write a privacy policy and publish it as a web page for which the dialog automatically provides a link. This is another example of how Oracle IRM anticipates not just the security requirements of a customer, but also the broader requirements of service provisioning.

Oracle IRM video demonstration of separating duties of document security

One thing an Information Rights Management technology should do well is separate out three main areas of responsibility.

  • The business process of defining and controlling the classifications to which content is secured and the definition of the roles employees, customers, partners and contractors have when accessing secured content.
  • Allow IT to manage the server and perform the role of authorizing the creation of new classifications to meet business needs but yet once the classification has been created and handed off to the business, IT no longer plays a role on the ongoing management.
  • Empower the business to take ownership of classifications to which their own content is secured. For example an employee who is leading an acquisition project should be responsible for defining who has access to confidential project documents. This person should be able to manage the rights users have in the classification and also be the point of contact for those wishing to gain rights.

 

Oracle IRM has since it's creation in the late 1990's had this core model at the heart of its design. Due in part to the important seperation of rights from the documents themselves, Oracle IRM places the right functionality within the right parts of the business. For example some IRM technologies allow the end user to make decisions about what users can print, edit or save a secured document. This in practice results in a wide variety of content secured with a plethora of options that don't conform to any policy. With Oracle IRM users choose from a list of classifications to which they have been given the ability to secure information against. Their role in the classification was given to them by the business owner of the classification, yet the definition of the role resides within the realm of corporate security who own the overall business classification policies. It is this type of design and philosophy in Oracle IRM that makes it an enterprise solution that works beyond a few users and a few secured documents to hundreds of thousands of users and millions of documents.

This following video shows how Oracle IRM 11g, the market leading document security solution, lets the security organization manage and create classifications whilst the business owns and manages them. If you want to experience using Oracle IRM secured content and the effects of different roles users have, why not sign up for our free demonstration.

Tuesday Apr 20, 2010

Access Control and Accessibility in Oracle IRM 11g

A recurring theme you'll find throughout this blog is that IRM needs to balance security with usability and manageability. One of the innovations in Oracle IRM 11g typifies this, as we have introduced a new right that may be included in any role - Accessibility.

When creating or modifying a role, you simply select Accessibility along with Open, Print, Edit or whatever rights you want to include in the role.

11g-accessibility.png

You might, for example, have parallel roles of Reader and Reader with Accessibility and Contributor and Contributor with Accessibility.

The effect of the Accessibility right is to relax some of the protection of content in use such that selected users can use accessibility tools. For example, a user with the Accessibility right would be able to use the screen magnification tool, which IRM would ordinarily prevent because it involves screen capture.

This new right makes it easy for you to apply security to documents yet, subject to suitable approval processes, cater for the fact that a subset of users might be disproportionately inconvenienced by some of the normal usage constraints. Rather than make those users put up with the restrictions, or perhaps exempt them from using sealed documents altogether, this new right allows you to accommodate them in a controlled manner, and to balance security with corporate accessibility goals.

Content Encryption Options in Oracle IRM 11g


Another of the innovations in Oracle IRM 11g is a wider choice of encryption algorithms for protecting content. The choice is now as illustrated below.

11g-crypto-choices.png

As you see, three of the choices are marked as FIPS options, where FIPS refers to the Federal Information Processing Standard Publication 140-2, a U.S. government security standard for accreditation of cryptographic modules.

Monday Apr 19, 2010

Protecting offline IRM rights and the error "Unable to Connect to Offline database"

One of the most common problems I get asked about Oracle IRM is in relation to the error message "Unable to Connect to Offline database". This error message is a result of how Oracle IRM is protecting the cached rights on the local machine and if that cache has become invalid in anyway, this error is thrown.

 

Offline rights and security


First we need to understand how Oracle IRM handles offline use. The way it is implemented is one of the main reasons why Oracle IRM is the leading document security solution and demonstrates our methodology to ensure that solutions address both security and usability and puts the balance of these two in your control.

 

Each classification has a set of predefined roles that the manager of the classification can assign to users. Each role has an offline period which determines the amount of time a user can access content without having to communicate with the IRM server. By default for the context model, which is the classification system that ships out of the box with Oracle IRM, the offline period for each role is 3 days. This is easily changed however and can be as low as under an hour to as long as years. It is also possible to switch off the ability to access content offline which can be useful when content is very sensitive and requires a tight leash.

RoleOfflineDisplay.gif

So when a user is online, transparently in the background, the Oracle IRM Desktop communicates with the server and updates the users rights and offline periods. This transparent synchronization period is determined by the server and communicated to all IRM Desktops and allows for users rights to be kept up to date without their intervention. This allows us to support some very important scenarios which are key to a successful IRM solution.


  • A user doesn't have to make any decision when going offline, they simply unplug their laptop and they already have their offline periods synchronized to the maximum values. Any solution that requires a user to make a decision at the point of going offline isn't going to work because people forget to do this and will therefore be unable to legitimately access their content offline.
  • If your rights change to REMOVE your access to content, this also happens in the background. This is very useful when someone has an offline duration of a week and they happen to make a connection to the internet 3 days into that offline period, the Oracle IRM Desktop detects this online state and automatically updates all rights for the user. This means the business risk is reduced when setting long offline periods, because of the daily transparent sync, you can reflect changes as soon as the user is online. Of course, if they choose not to come online at all during that week offline period, you cannot effect change, but you take that risk in giving the 7 day offline period in the first place.
  • If you are added to a NEW classification during the day, this will automatically be synchronized without the user even having to open a piece of content secured against that classification. This is very important, consider the scenario where a senior executive downloads all their email but doesn't open any of it. Disconnects the laptop and then gets on a plane. During the flight they attempt to open a document attached to a downloaded email which has been secured against an IRM classification the user was not even aware they had access to. Because their new role in this classification was automatically synchronized their experience is a good one and the document opens.

More information on how the Oracle IRM classification model works can be found in this article by Martin Abrahams.

 

 

So what about problems accessing the offline rights database?


So onto the core issue... when these rights are cached to your machine they are stored in an encrypted database. The encryption of this offline database is keyed to the instance of the installation of the IRM Desktop and the Windows user account.

 

Why? Well what you do not want to happen is for someone to get their rights for content and then copy these files across hundreds of other machines, therefore getting access to sensitive content across many environments. The IRM server has a setting which controls how many times you can cache these rights on unique machines. This is because people typically access IRM content on more than one computer. Their work desktop, a laptop and often a home computer. So Oracle IRM allows for the usability of caching rights on more than one computer whilst retaining strong security over this cache.

So what happens if these files are corrupted in someway? That's when you will see the error, Unable to Connect to Offline database. The most common instance of seeing this is when you are using virtual machines and copy them from one computer to the next. The virtual machine software, VMWare Workstation for example, makes changes to the unique information of that virtual machine and as such invalidates the offline database.

 

How do you solve the problem?


Resolution is however simple. You just delete all of the offline database files on the machine and they will be recreated with working encryption when the Oracle IRM Desktop next starts. However this does mean that the IRM server will think you have your rights cached to more than one computer and you will need to rerequest your rights, even though you are only going to be accessing them on one. Because it still thinks the old cache is valid. So be aware, it is good practice to increase the server limit from the default of 1 to say 3 or 4. This is done using the Enterprise Manager instance of IRM.

 

DeviceLimit.gif

So to delete these offline files I have a simple .bat file you can use;

Download DeleteOfflineDBs.bat

Note that this uses pskillto stop the irmBackground.exe from running. This is part of the IRM Desktop and holds open a lock to the offline database. Either kill this from task manager or use pskillas part of the script.

Wednesday Jan 13, 2010

Offline Access Management for IRM Encrypted Documents

goneoffline.jpg

Perhaps the most frequent of frequently-asked-questions about IRM was put to me recently by one of my Irish colleagues:

If you have to get IRM decryption keys and access rights from an IRM server, how does that impact offline access to documents and offline creation of new documents? How do I ensure that business users can keep working when they are on customer premises, or sitting on a plane, or simply disconnected from the net for whatever reason?

All IRM solutions have, on the face of it, a similar answer: keys and rights may be cached for offline use for a defined period. Your cached rights enable you to keep working, but not indefinitely.

Offline access issues resolved? Well the devil is in the detail - and we believe that Oracle IRM offers the best available balance of security, usability, and manageability.

How so? First, let's consider how most solutions handle offline periods.

How Most Solutions Manage Offline Periods

With most solutions, every document is evaluated separately. So, when you first open Document-A, you contact the server and obtain the keys and rights for Document-A, and typically you are permitted to cache them for the offline period defined for Document-A. The clock starts ticking immediately for Document-A.

You then want to open Document-B, and you need to contact the server again because opening Document-A has no bearing on whether you can open Document-B - even if the two documents are supposedly subject to the same policy. Having been authorised to open Document-B, the clock starts ticking for Document-B. And likewise for Document-C and so on for each document you access. So, you have contacted the server several times, and now have cached rights and keys for several documents, and independent timers running for each.

The repeated communication with the server highlights a key shortcoming of most solutions. Users need to be online to gain access to each document on first use - and again when revisiting documents after the expiry of their offline periods. This constant per-document evaluation generates a lot of network traffic, and takes place even if exactly the same policy is defined for each document. Each document needs to be evaluated individually.

The fact that each document has its own timer makes it difficult for users to be confident that they will be able to work offline, and causes frustration when some documents turn out to be inaccessible even though the user knows that they are authorised.

Of course, user frustration leads to users bypassing a solution if they can - for example, by choosing not to protect documents due to the inconvenience this entails, or copying information out of documents so that they have an unprotected copy to work with.

But it doesn't end there. The natural user response to the inconvenience of the offline rights expiry is to specify a long offline period for documents that they protect. Long offline periods means less frequent inconvenience.

This pragmatic user behaviour reduces security for two reasons:

 


  • Users may continue to use cached rights for a considerable period after rights are revoked on the server
  • Routine policy changes take a considerable time to propagate out to all affected users because they may only refer back to the server once their cached rights have expired, which might be weeks after a policy change is configured

 

Most customers want to know that policy changes will be effective in a short space of time, but the user pressure for a long offline period conflicts with this requirement. Indeed, the fact that many solutions invite users to specify offline periods to suit themselves is a security and management shortcoming for many customers.

Another consequence of unpredictable, per-document timers is that users may have to make manual preparation to go offline. Rather than simply go offline, you might be expected to do a manual synchronisation step first, or required to explicitly notify the server that you are about to go offline and want to be able to work on certain documents. In practice, users won't remember to do this, and those who do remember will not appreciate the added chore.

Other attempts to address this issue involve nominating particular folders in which you will keep the documents that you want to be able to use offline, and have the IRM client software pro-actively manage rights caching for those documents. Sadly, again, users tend not to cope well with mechanisms that require them to keep things in particular locations, and there is a scalability issue if large numbers of users keep large numbers of documents in such folders.

Further, with most solutions you can only apply one offline period to each document, and some solutions require you designate documents as usable offline or only online. There is often no mechanism to differentiate between users according to role. So, if you want to offer a lengthy offline period to your most trusted users, you may have no choice but to give the same period to less trusted users.

As a related issue, with some solutions, a user will find they also need to be online when they want to apply protection to a new document. Setting up the policy and keys for the new document requires communication with the server. This leads to more frustration and, inevitably, leads to documents remaining unprotected.

So, How Does Oracle IRM Differ?

Firstly, Oracle IRM allows a single timer to run for all of the documents in a given classification. This immediately improves the predictability of the user experience. When you open Document-A, you start a timer for all documents in the same classification.

This massively reduces network traffic, and means that you do not need to be online every time you try to access a new document. Worst case, you need to be online when you encounter a new classification of document - there are far fewer of those, and we address even that potential frustration as described below.

Next, the offline period is defined as part of a user's role in each classification - different users get different offline periods for the same documents. So, your most trusted users can be given a role with a lengthy period, while less trusted users can be given a role with a short period.

Crucially, our policy model makes the entire policy set small enough for the IRM Desktop to support regular rights synchronisation for ALL of a user's rights IN ADVANCE of the user actually trying to open any documents, and to synchronise any policy changes pro-actively rather than when the offline period expires for various pieces of content.

In practice, this typically means that policy changes are propagated within 24 hours rather than several days or weeks. And this synchronisation is for ALL documents - not just the ones that the user has remembered to keep in a particular folder, or has nominated in some other way. Synchronisation a transparent process, making the solution significantly more user friendly. Users don't need to do any preparation to use content offline - they just pull the cable and go.

Automated synchronisation also means that whatever your offline period might be for a particular classification, it is regularly "refreshed" so that you don't have to worry about your rights expiring at an inconvenient time. So there is no conflict between users wanting a long offline period and security officers wanting a short offline period.

Finally, our solution does not routinely invite users to choose the offline periods to suit themselves. Offline periods are defined as part of a policy framework. This reduces variability, and removes a potential conflict between users and security officers.

Summary

For many solutions, particularly when used at scale, offline access creates significant frustrations and challenges for both business users and security officers. Oracle IRM's unique approach makes it significantly easier to balance usability, security, and manageability even for large scale deployments.

By the way, anyone using the IRM evaluation service is subject to a 3 day offline period, with daily synchronisation during office hours. The majority of those users will be blissfully unaware of this - which is precisely the point.

I hope this article has helped you understand Oracle's position on one of the most frequently asked questions. If you have any questions, feel free to drop us a line.

Tuesday Dec 08, 2009

Enabling Oracle IRM web services

Oracle IRM WSDL
Many people have been asking recently how to enable web services in the 10gR3 IRM server. By default they are not enabled and you need to do the following.
  • Stop the IRM Server service. The service name is Oracle Information Rights Management Server and can be found in the services list.
  • Open the server.properties file in a text editor such as Notepad. This file is located under the installation directory. The default location is as follows:

    %Program Files%\Oracle\Information Rights Management\ls\properties\server.properties

  • Locate the configuration setting called sealedmedia.server.plugins.

    sealedmedia.server.plugins=...

    Append to the end of the setting the location of the IRM Server Web Services plugin. This file will have been installed with the IRM Server.

    sealedmedia.server.plugins=[existing settings],c:\\Program Files\\Oracle\\Information Rights Management\\ls\\bin\\smsoapp.dll

    Note the use of the comma (,) to delimit plugin DLLs and the use of double backslashes.
  • Save the server.properties file.
  • Re-start the Oracle IRM Server
To confirm the Web Services are enabled open a browser and navigate to http://localhost:80/sm/wsdl/oracleirm.wsdl The browser should download/display the WSDL document for the IRM Server. Note, change the port if you have configured the server to listen on something other than port 80.

Saturday Nov 14, 2009

Encrypted Document Ownership: Whose File is it Anyway?

A frequently asked question is: "What happens when the person who encrypted a number of files leaves the organization?". The concern behind the question is that an organization might find itself locked out of its own information assets, with critical business processes being held up while administrators figure out how to regain control so that policy can be amended as required.

A related question is: "What happens when an author changes role?". Most IRM solutions reserve special privileges for the original authors of documents, such that they may retain access after moving away from a particular project or role, creating security and compliance issues. They may also continue to be called upon to modify policy for those documents long after they have moved out of the relevant position.

With most solutions, the reponse is not to worry because a superuser can always identify all of the documents owned by the outgoing user and transfer their ownership to someone else. Unfortunately, this means that IT override of access rights is a matter of routine, as staff turnover is an ongoing process. It also means that the new owner suddenly becomes responsible for, potentially, a large number of documents protected in a variety of ways by someone who can no longer be referred to for clarification.

With Oracle IRM, the answer is much cleaner. In standard deployments, the solution places no particular significance on who authored a document - documents belong to their classifications rather than to the individuals or applications that created them. If an author leaves the organization or the project, their documents continue to be protected according to classification policy. The author himself may well lose access rights because his account has been deleted, or because his rights have been updated to reflect a change of responsibilities within the organization. a_man_throwing_papers.jpg
The focus shifts, therefore, to the classification or context managers. What happens when they move on? In most cases, the role of classification manager is shared by a small number of business users, so the depature of one has no impact. If not, the departing user simply transfers their responsibility to an appropriate successor. This is a simple task that does not involve IT intervention and does not involve revisiting each of the individual documents.

And what of the admin burden for the incoming classification manager - suddenly responsible for managing rights to, potentially, thousands of documents? Well, one of the key benefits of the classification model is that the new manager can think in terms of policy for one classification rather than for thousands of distinct documents.

So, Oracle IRM does not suffer the administrative overhead that staff turnover creates for rival solutions. The overall policy set is small, it is managed by a small subset of users, and the responsibility is easily transferrable without IT intervention. There is no need for IT to be granted rights to override policies defined by the business.

Wednesday Nov 11, 2009

New Oracle IRM Desktop released and supports Windows 7

Released today is the latest version of the client software in the Oracle IRM technology suite, the IRM Desktop. As part of the move of the technology into Oracles Fusion Middleware platform the new release now supports the following 27 languages!

 

Arabic German Portuguese
Chinese - Simplified Greek Portuguese - Brazilian
Chinese - Traditional Hebrew Romanian
Czech Hungarian Russian
Danish Italian Slovak
Dutch Japanese Spanish
English Korean Swedish
Finnish Norwegian Thai
French Polish Turkish

To ensure compatibility with the latest platforms we have also added support for;

  • Windows 7 operating system
  • Adobe Reader 9.2
  • Lotus Notes 8.5

Other headline features in this new release are;

Right-click Unseal option

If you have the right to save a sealed document as an unsealed copy (that is, to unseal a document), you can now do so by right-clicking the file name or icon and selecting the Unseal command (for example, in Windows Explorer or on the Windows desktop). This feature is available only for individual files: it is not available for multiple files, that is, at folder level.

 

 

Choices about what happens to the unprotected originals of sealed files

In previous releases, the original version of a sealed file was always retained in
its unsealed state. In this release, the former behavior remains the default, but
you can also choose to move the original file to the Recycle Bin or to "not retain"
it. These options are available on the Desktop Sealing tab of the Oracle IRM
Desktop Options dialog. If you choose the "Do not retain" option, the original file
will be removed after a sealed version has been created. This is a normal file
system deletion, not a complete destruction of the file, so if you are concerned
that this does not provide adequate security, you may want to consider further
action.
10gR3pR5.2_DesktopSealingOptions.gif

 

You can download this version from the Oracle Technology Network (OTN). More information can also be found in the release notes.

 

Tuesday Oct 27, 2009

Oracle IRM and Symantec DLP version 10 integration announced

Symantec

This morning Symantec announced the latest incarnation of their data loss prevention (DLP) technology, version 10. DLP technologies allow organizations to do discovery and monitoring of enterprise perimeters to detect the flow of sensitive information. When DLP detects something that is deemed confidential it can take some action upon it, typically this is in the form of blocking the information from continuing to be transmitted. However combining DLP with IRM means you don't have to restrict the end user by blocking their attempts to collaborate. Instead encrypt and protect the document or email so that it can be shared. IRM ensures only authorized users have access and provides advanced security controls such as revocation to the information, even after it has left the control of your enterprise networks.

We've been working with Symantec over the past month to build an integration between Oracle IRM and DLP creating the most powerful security solution of any IRM and DLP combination. Oracle IRM is the leading rights management solution for enterprise-scale document and email security. Combining these features with Symantec's leading DLP solution means customers can now have rich monitoring and detection capabilities. Instead of blocking attempts to share valuable data, this solution allows it to happen securely. We first demonstrated this capability at Oracle Open World and if you were not able to attend, we've uploaded some video demonstrations to our YouTube channel.

If you want to learn more about using Oracle IRM and DLP together contact us.

 


 


Wednesday Jun 17, 2009

Setting up an Oracle IRM server in a highly available environment

This article is way, way over due. I've had a few requests to describe how the Oracle IRM server can be setup in a high availability environment as described in my blog article here. It is possible to have a setup where more than one IRM server is in production and if one fails requests to the service are served from another IRM server, like the diagram below.

HighAvailability.gif

 

Note that running the Oracle IRM server in fail over mode in this manner is supported but load balancing is not. The IRM server has not been designed nor tested in a load balanced mode simply because the performance of the system is so good you don't need to load balance systems together. Fail over to protect against network and operating system failure is however key for any highly available service.

I must also state the very obvious. Rehearse this setup on test systems BEFORE doing anything with a live production system and when you do install and configure the live server you MUST backup your IRM database.

This article requires you have the following;

  • A fully working Oracle IRM server
  • Access to the Oracle IRM database server and schema
  • A second server with network access to the database server and a valid database ODBC client installed
  • A network device to monitor and direct the traffic between the two servers

 

If these are in place you can now install the same version of the IRM server on the second server.

 

Setting up a second or more Oracle IRM servers for failover


The Oracle IRM server installation process involves the following main activities.

  • Deploy binaries to local file system, by default in;
    • C:\Program Files\Oracle\Information Rights Management
  • Write some registry keys
  • Write out a configuration file called server.properties in the properties folder
  • Build a schema in the database the installer has been pointed at
  • Create a superuser account

In a highly available fail over environment you configure the server to talk to a single database instance which represents a cluster of nodes. I have however seen customers setup two IRM servers, each with their own database and have a mechanism like log shipping ensure that the standby server database is up to date for when a fail over happens. However my own experiences with log shipping and other methods find that the effort, time and risks involved are such that you might as well configure both database servers in a clustered mode. So in this article i'm going to prepare my IRM server against a common clustered instance of the database.

 

Before we get into the installation, it is worth understanding the server startup procedure.

  • Read in the server.properties in the properties folder.
  • Connect to the database using the connection string sealedmedia.server.persistence.database.odbc.connectionstring.encrypted from the file. Note this is obviously encrypted because it contains the username and password to the database.
  • Load the plugins as specified in the setting sealedmedia.server.plugins in the properties file.
  • Read the configuration for the server in from the table [prefix]config where [prefix] is the string from the setting sealedmedia.server.persistence.namespace in the file.
  • Open and start logging to both the audit and log files as specified by the file stored settings;
    • sealedmedia.server.logging.destination
    • sealedmedia.server.logging.destination

  • Open and start logging to the web log file determined by the database stored config setting sealedmedia.server.web.logging.path
  • Start listening on the ports and IP addresses as specified in the sealedmedia.server.internal.port and sealedmedia.server.internal.bind as well as the .external. equivalents

 

 

Forcing configuration settings to the local IRM server installation


The above highlights some configuration information comes from the local properties file and some is gained after the server connects to the database. This presents a problem because there are some settings that reside in the database that might be specific to the local installation, such as logging directories. No worries, because there is a mechanism to have the server get settings from the local properties file and ignore the database. Open the server.properties and look for the line;



sealedmedia.server.persistence.localsettings=




This lists all the other properties which should be read from the local file and not from the database, by default these are;




sealedmedia.server.logging.destination

sealedmedia.server.audit.destination

sealedmedia.server.plugins

sealedmedia.server.component.config.encryption.activated

sealedmedia.server.nt.servicename

sealedmedia.server.external.port

sealedmedia.server.external.bind

sealedmedia.server.internal.port

sealedmedia.server.internal.bind

sealedmedia.server.plugins.port

sealedmedia.server.plugins.bind




There is a slight oddity here in that one more log setting resides in the database which should ideally be a localised one. If you install both IRM servers in exactly the same location, it doesn't matter, but if they change you'll need to add this setting to the sealedmedia.server.persistence.localsettings line;




sealedmedia.server.persistence.localsettings=sealedmedia.server.logging.destination,
sealedmedia.server.audit.destination,sealedmedia.server.plugins,sealedmedia.server.
component.config.encryption.activated,sealedmedia.server.nt.servicename,sealedmedia.
server.external.port,sealedmedia.server.external.bind,sealedmedia.server.internal.port,
sealedmedia.server.internal.bind,sealedmedia.server.plugins.port,sealedmedia.server.
plugins.bind,sealedmedia.server.web.logging.path




Then create a new line like the one below in the properties file. Note that in the properties file you need to escape all the backslashes so that the line below would have C:\\Program Files\\Oracle\\Infor... and so on.




sealedmedia.web.logging.path=C:\Program Files\Oracle\Information Rights Management\IRMServer\bin\..\log




Another aspect we need to consider is that of caching. It is advisable that all the caches on all the servers are disabled. The modern servers typically used to deploy IRM mean that switching off the caches doesn't really impact performance and only increases slightly the emphasis on the importance of reliable and fast database connection. Switching off the caching means that as you fail from one server to the next you are assured that serviced requests hit data in the database and that stale information is not delivered from the cache or written lazily to the database. Because we want to disable this on both servers we don't need to localize the settings, we can make the change to the values in the database. It doesn't matter when you do it, pre or post install, but here's how to disable all the caching.

Disabling the Oracle IRM server cache


Changes to the settings that reside in the database is done using the smconfig.exe tool that resides in the IRMServer\bin directory. There are three environment variables that are worth setting so you can just run smconfig without passing in the connection details each time. So start a command prompt on your existing IRM server installation and run the following, obviously changing in your own URL, ACCOUNT and PASSWORD;




T:\Oracle\IRMServer\bin>set ORACLE_IRM_SERVER_URL=seal://localhost:2001
T:\Oracle\IRMServer\bin>set ORACLE_IRM_SERVER_ACCOUNT=superuser
T:\Oracle\IRMServer\bin>set ORACLE_IRM_SERVER_PASSWORD=p455word
T:\Oracle\IRMServer\bin>smconfig -server ping




Important to note here is that this tool uses a port you may not be familiar with, 2001. This is the API port and is what the configuration tools for IRM use. By default this is enabled but you may have switched it off. You can re-enable this by connecting to the server using the Management Console as the superuser and under settings there is an API traffic applet where you can set the port and what addresses the server will listen on. If this is all working then the above ping command should return;




Oracle IRM Server configuration tool.
Copyright (c) 1996, 2008, Oracle. All rights reserved.

 

Connecting to [IRM Server]

seal://localhost:2001 is alive.

Installing the Oracle IRM server

Finally time to install the second server, start the installer hit next and ensure you select custom for the setup type.
Oracle IRM custom setup


Then choose your installation directory. Remember that if this is different from your first server you'll need to ensure your web logging root is configured for this local instance.
Choosing Oracle IRM server components


Setup the ODBC connection to the clustered database using the same account credentials to connect.
Setting up Oracle IRM ODBC connection


This is now the key area of the installation. The second field MUST be changed to be different from the first server otherwise you are going to drop and recreate all the tables for the production system!
failoversetup05.gif


The server name might want to reflect the failover server and it doesn't matter what the superusers details are because we will delete this data after install.
failoversetup06.gif


Network settings are important, make sure these reflect the public hostname you have for the service and that it is listening on the correct local address. This address will be what the fail over network device will redirect traffic to.
failoversetup07.gif
failoversetup08.gif
failoversetup09.gif


It is typical to have the service start as the local system account.
failoversetup10.gif


Logging again is configured locally, you might want to consider having the server write to a shared drive where both servers store logs in a common area. Note if you do this, you may need to change the previous service account details so that the server runs under a user that has permissions to write to the shared folder.
failoversetup11.gif
failoversetup12.gif


Finally you are ready to go. Before hitting install make sure you've done a backup of the database.
failoversetup13.gif

 

Nearly there! Now lets configure the environment so that the server points to the right data and not the fresh schema it has just created.

  • First of all stop the Oracle IRM server service
  • Open the server.properties and change the setting sealedmedia.server.persistence.namespace to reflect the correct namespace which by default is irm
  • If you need to, edit the sealedmedia.server.persistence.localsettings and add sealedmedia.server.web.logging.path details as explained previously in this article.
Now you can start the second IRM server to test it can connect. Use the Management Console on the local machine to connect to the local instance and just browse a few users to check. You can leave the IRM server running and connected as long as no traffic is directed to it. There is no support for a system which has two IRM servers talking to the database at the same time and could potentially result in corrupted data. The network device needs to be configured to monitor the primary server and when this isn't available, direct the requests onto the secondary. Testing from outside the local network you can determine which server is responding to the requests by using the following URL in any web browser.

http://irm.domain.com:80/ping

This will return;

[IRM Server,SECONDARY_SERVER,5.4 release 5 build 10,19 Jun 2009 19:24:11 UTC]

Where SECONDARY_SERVER is the netbios hostname of the Windows server that the IRM server is running on. This can be a useful URL for any monitoring tool to determine what service is currently active.

 

As a post clean up activity you may now wish to delete the tables that were created, there are also a few stored procedures, functions and packages depending on the database type you are using. You can drop the ones with any prefix which matches your secondary installation.


Excellent, now lets change the caching settings;

smconfig -setconfig sealedmedia.server.component.account.cache -value no
smconfig -setconfig sealedmedia.server.component.security.cache -value no
smconfig -setconfig sealedmedia.server.component.publisher.cache -value no
smconfig -setconfig sealedmedia.server.component.group.cache -value no

You can check all the settings in the config by running;

smconfig -show config

Sunday Jun 14, 2009

Customizing the Oracle IRM status pages

Ok, so very busy end of the year (Oracle Q4 just ended) and i'm really sorry for a lack of activity on the blog. There is some very interesting news on the way however and things are going to liven up significantly... watch this space...

In the meantime a question came through on the grapevine regarding the status pages in Oracle IRM. These are HTML web pages that are displayed to an end user when they don't have access to sealed content or they are for some other reason unloading a sealed document. Our mantra that security is nothing without an adequate user experience and a manageable administrative model is reinforced by these very flexible status pages. So often a security product will deny you access to a file, directory or other resource and all you get is an "Access denied" error with an OK button. Oracle IRM however sends the client to a web page of your choice to display a more informative error message, like the example below.

No license to content status page

Out of the box Oracle IRM gives you a set of standard pages which look like the above. These can be customized at three levels. Actually before I go into the customizations its worth knowing of a simple test page that allows you to look at all the possible status codes and pass in some data to see how they render. You can look at our evaluation server test page here.

 

Basic changes to status pages


Logging into the Oracle IRM Management website and clicking on "Settings" presents you with the dialog below. The first step here is that you can change the organization name that is displayed on the status pages. Not exactly the most uber of customizations, but you have to start somewhere right? You can also change the logo used on the pages to your own, simply replace the org_logo.gif in the folder \smweb\custom. More detail on this can be found in the Oracle IRM core customization guide. Oracle IRM Management website settings

Modifying the distributed web pages


Further reading of the document above details more files you can customize.

  • support_contact.htm This file, by default, contains a single line of HTML which is a HREF that contains two macros that are place holders for the system email address as per the settings dialog above. This line is then displayed on certain status pages. You can modify this line as you wish, just be careful to ensure whatever HTML you drop in plays safe with the rest of the page. You can see an example of where this would get used here.
  • footer.htm and header.asp allow you to again modify the HTML that is displayed top and bottom of the status page.
  • default.css means you can really go crazy with these status pages. There is a good set of style declarations already in this file so you've got a nice place to start from.
  • Finally there are a set of folders for English, German, Spanish, French and Italian versions of the website homepage. Sometimes the Oracle IRM Desktop will instead of sending you to a status page will redirect you to the basic homepage of the website and depending on the language version of the IRM Desktop you'll see the relavent file from these folders. It is often a good idea to reinforce your corporate security policies on these home pages and maybe link to other resources that an end user would find useful. Remember making the end user experience as smooth as possible is crucial to your security strategy.

Creating your own status pages from scratch


The Oracle IRM Management website has a bunch of logic which you could go changing the ASP pages if you wanted, but you'd be out of Oracle support. Sometimes customers want to do something very different and instead of using these provided files they want to write their own from scratch. This is entirely possible and to venture down this path requires knowledge of the following concepts.
  • default URL. Every file that is sealed has embeded in it something called the default URL. This is the address which the Oracle IRM Desktop will redirect the end user to when they are unable to open a sealed document. The URL typically looks like this;

    http://irmweb.domain.com/status/default.asp?%%allparams%%&%%usefordefault%%



    There are two very important macro's that sit on the URL. These macros are replaced by data during runtime when the client decides to send the user to the website.

    • %%usefordefault%% means that the IRM Desktop will always send the user to the website. There are also some offline HTML pages that are displayed in place of the online website when the user is not connected to the internet. If you were to remove this macro, even when the user is online they would be shown the offline pages, something you'd not want and in all honestly I think even removing this line may have no effect! Much more interesting is the other macro...
    • %%allparams%% is replaced by a whole set of data which pertains to the user and activity at time of redirection. This data is placed directly onto the query string and is therefore available to the web page that the URL refers to. Here is a broken down example of what the URL would look like;

       


      http://irmweb.domain.com/status/default.asp?
      cntxt=nolic
      &status=nolic
      &clntver=5.5.8
      &user=john.smith@domain.com
      &lang=EN
      &cat=Default
      &cs=default
      &item=2009_05_16%2001:10:36%20Finance%20report.sxls
      &mime=application/vnd.sealed.xls
      &srvurl=seal://irm.domain.com:80
      &pub=Top%20Secret%20Financial%20Data
      &vrsn=Default
      &brand=0
      &prod=Office%20Unsealer&src="2
      &sealedby=fred.bloggs@domain.com
      &cntschema=5.0.0.0.release&"

      Lots and lots of very useful information. status contains the information of what actually happened such as "No License available" or "Not Logged In". The list of these is on the test page. The user field contains who the logged in user was that is being redirected, sealedby tells you who sealed the document that the user is accessing.

    Now imagine taking this information from the querystring into your ASP/PHP/JSP page and then pass some of the data to the Oracle IRM server via the API and you can do some very funky things. A good example that I helped a customer write was for handling users that accessed multiple computers. The logic went something like...
    1. User attempts to open a sealed document on a machine and has hit their device limit. The device limit stops a user opening the same document to a certain number of machines. They are redirected to the default URL and the status that is passed is licinuse which means all available rights are in use.
    2. A dynamic web page then takes this information, including the user, and queries the IRM server to see how many devices they have access to and what groups the user is a member of.
    3. If the user is a member of an executive group, then the code automatically increases the users device limit.
    4. An email is then generated in the dynamic web page and is sent to the owner of the IRM classification the content was sealed to informing them of the activity.
    5. The status page then informs the end user that they've had their ability to open content on multiple machines increased and tells them to retry opening the content.

  • Each classification can have a different URL! This means two main things, if you want have the skills or the time to build a fancy dynamically driven status page application, you can set a different URL for each classification and point it to a static HTML page. Secondly from a dynamic perspective you now have even more flexibility. You can point different classifications to different applications, and have some simply point to static files. Some classifications could be forced to deliver these pages over SSL for instance whilst others not.
So all in all, this part of the Oracle IRM solution is VERY flexible. In our 10+ years of experience in deploying IRM solutions with customers we've found that making the end users experience very important. You have to guide them through WHY they cannot access content because often the reason changes. It might be that the user is new to the company and someone forgot to add them to a classificaiton. These pages enable the end user to understand and then contact the right people to get further help. Security, usability and manageability, all must be balanced to ensure a secure and effective solution.

 

Thursday Feb 19, 2009

Using Oracle IRM to secure your sensitive emails

Email is a very useful technology. It allows for people to easily and quickly communicate with vast numbers of people over great distances within minutes. However there is a downside to the ease of use, sensitive information can be broadcast with little effort and sometimes by mistake. How often have you been writing an email, filling in the "To" list and have allowed the email client to search through your history of previous emails and suggest the right recipient? Only to find that just after you've sent the email, you realize it went to the wrong person? I have heard all sorts of horror stories of sensitive documents, sometimes containing mergers and acquisition information being sent to the wrong people at the wrong company. Worse there have been reports of documents being sent to entire distribution/mailing lists of people by mistake.

 

Sealed email

 

So no surprise that we on the Oracle IRM team have a solution for protecting email communication. Oracle IRM supports a lot of formats, from Office (2000-2007, wider support than Microsoft's own IRM technology), PDF (Acrobat Reader 6.0+), HTML, JPEG, GIF, XML and others which allows people to protect documents that are attached to emails but we also support the ability to secure the content (body) of the email.

This is an area that comes with many different methods of creating, sending, receiving and reading the information. Some also regard their email client to be the most important tool in the workplace, so when integrating with this environment, especially from a security perspective, you need to be very careful and ensure you do not disrupt end users day to day activities.

 

Oracle IRM ensures the best user experience when protecting sensitive emails


When the Oracle IRM team decided to include email as part of the solution, we thought long and hard about how to address the issue of multiple email clients and servers. The decision was to be as agnostic as possible to the underlying platform so that we could ensure users could consume sealed information via as many clients and servers as possible. Nothing worse than a vendor trying to tie you into their way of doing things.

 

This led to the creation of the .seml format and the method of taking the body of an email, sealing it and then attaching that file to an ordinary email message. This means that the resulting email package can be sent via any of the usual email mechanisms. What did do on the client side was write some simple plug ins for the most common email clients to automate the above process. The email clients we current support are;

  • Microsoft Outlook 2000-2007
  • Lotus Notes 6.5-7.0
  • Novell GroupWise 6.5-7.0

Sending a secure email with Oracle IRM

When using one of the email clients above it is very simple to send a secured email. Simply start a new email as you would normally and the Oracle IRM Desktop will insert a small button in the email window. This allows you to mark the email as one which you wish to be sealed. Upon sending of the email the IRM software will ask you what classification (context) the email falls under and will list all the contexts to which you have the rights to secure information. This is exactly the same dialog and selection a user makes when sealing any document with Oracle IRM, consistency with the end user is important to reduce any confusion in the process. After choosing the classification the email is then sealed and sent onto the recipients.

Context selection dialog
It is still possible to send a sealed email if you don't have one of the supported clients. But it requires the end user to create the sealed email attachment manually like any other ordinary sealed file and attach that to the email. Future support of new email clients is however possible as we have an API exposed specifically for integrating with email. This API has already been used in Oracle to develop an integration with the open source Thunderbird email client.

 

 

Receiving a secure email with Oracle IRM


The beauty of the Oracle IRM solution is that receiving and opening a sealed email doesn't require any specific email client. Because the file is an attachment to the email, you just double click on the attachment and, assuming you have rights to the content, open the message.

 

There are some advantages with using a client that we've integrated with. For instance to reply to a sealed email is much easier with Outlook, Notes or Groupwise because we again insert a button behind which some logic automates the replying. But it is still possible to do this from any email client it just requires some manual effort on the end user.

 

Your email is secure and persistently under your control with Oracle IRM


Email extends the Oracle IRM format base to an area that is crucial for effective secure communication. It not only offers powerful protection using industry encryption algorithms to secure the information in transit, but it enables you to have total control over the email even after delivery. So even when your sensitive information goes out to thousands in the organization and is forwarded onto more, you still have the ability to audit and revoke access to every single copy of that communication, no matter where it resides.

 

About

Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business friendly encryption with role based usage rights and auditing.

11g quick guide

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today