On Oracle Reports and Forms calls, for security reasons, Reports user should not see the Oracle Reports URL with Userid and Password parameters.
We use “manual” Reports calls out of Forms. So we just create the URL string and open this url with web.show_document().
Because Oracle Reports uses the GET method (instead of the POST method) to pass parameters, all parameters are visible to the user within the URL (….&userid=xxx/xxxx@xxxx)
Wo when using Oracle Reports and Forms direct URL calls, I suggest to use to two steps to secure it up:
A) From Oracle Forms 11g, call Oracle Reports with the new web.xxxjavascriptxxx function. With this new Forms 11g function, it’s possible to open an web document (e.g. Reports) within another browser window without URL field. So the user can’t see the url information.
B) Set up SSL (HTTPS) for Oracle Reports
Ok, now the user can’t see the full url anymore. But on network level, the hardcoded user/password information still could be read with a network sniffer tool.
The solution here: Set up SSL with HTTPS for Oracle Reports.
On the first network handshake between client and server, it detects that HTTPS is requested (no full URL has been transfered yet, only HTTP/HTTPS headers).
SSL Encryption will be set up, after that the full url will be also encrypted
Secure Oralce Reports URL (GET)
6.5.5.1 SSL for Oracle Reports
http://docs.oracle.com/cd/E17904_01/core.1111/e10105/sslconfig.htm#CBDFIHCE
7.14 Enabling HTTPS for Oracle Reports
http://docs.oracle.com/cd/E24269_01/doc.11120/e24479/pbr_conf014.htm
Oracle Support: Reports Parameter HTTPS 1322783.1
Oracle Reports Parameter Form Is Calling Http Server, Not Https. What is Needed to Allow Reports Parameter Form to Use SSL Protocol With OHS (HTTPS)?
Applies to Oracle Reports Developer – Version: 11.1.1.1.0 and later
Goal for Oracle Reports and Forms calls: Oracle Reports 11g when using SSL (HTTPS) protocol to run reports with Oracle Reports Parameter Form (paramform=yes),it is seen that the the Reports Parameter Form is not using SSL to submit the requested parameters.
set WLProxySSL ON on ssl.conf
[+] Go to WLS Console –> Servers –> WLS_REPORTS –> Configuration –> General
[+] Click on “Advanced” link at the bottom of the page
[+] Click on “Lock & Edit” button to allow changes to this page
[+] Check the check box for “WebLogic Plug-In Enabled”
[+] Click on “Save” button to save changes
[+] Click on “Activate Changes”button to activate changes for WLS_REPORTS managed server
[+] Re-start WLS_REPORTS managed server
OTN discussion forum: Reports Server – enable https mode
https://forums.oracle.com/forums/thread.jspa?messageID=6494709�
I’m using Oracle 11G. I want to access Oracle reports using https mode?
There is nothing special to do in Reports. The modifications are related to the HTTP Server (OHS)
Reports over https
https://forums.oracle.com/forums/thread.jspa?messageID=398158񡍎
I have been looking at using reports and calling them via URL and output to PDF format, can I use HTTPS?
YES, (old entry 2006!)
More information on Oracle Reports and Forms SSL (HTTPS) calls will be follwing next days (after I’ve set it up myself).
Keywords here:
- Oracle Reports and Forms
- Secure Oracle Reports
- 11g
- WebLogic
- HTTPS
- SSL
- HTTP server
- URL
- GET method
- parameters form
- paramform
- ssl.conf
- virtualhost