Transcript Presentation Guidelines
Enterprise User Security – One Companies Experience
Kyle Brokaw – LDS Church Russ Lowenthal – Oracle Corp.
Session #102
Speaker Qualifications
• Kyle Brokaw (OCP) – Core Technology Manager at the LDS Church.
• Russ Lowenthal (CISSP, CISM, CISA, OCM) Oracle’s Protected Enterprise group.
• Kyle Brokaw implemented Enterprise User Security in February of 2007.
• Russ Lowenthal works with Oracle customers and often presents on Oracle’s security related products.
Before Implementation
• Decide what you need.
Licensing
• Must have Oracle 8
i
and higher Enterprise Edition Database.
• Oracle no longer considers Enterprise User Security a separately licensable database option (in Oracle 8
i
and Oracle 9
i
Release 1 EUS was part of the
Advanced Security Option
. Starting with Oracle 9
i
Release 2 EUS moves under the umbrella of the Enterprise Edition database and the only thing that requires a license is the Oracle Directory Service (this includes both Oracle Internet Directory and Oracle Virtual Directory).
• As always, contact your customer service rep. to verify all of this information.
What is Enterprise User Security?
• EUS Allows Centralized User Management • May be used with any application or tool that uses an Oracle Database login • Integrates with other vendors products (Active Directory, OpenLDAP, etc.) • Extensible – API’s to replicate data out of and into Oracle’s Internet Directory • Single Sign-on is also possible with EUS
How does EUS work?
Oracle Internet Directory Databases and Applications authenticate their users through Oracle’s Directory Services.
How does EUS work?
• Oracle 8
i
introduced the capability to store user information in a centralized directory. • At logon the database checks DBA_USERS • If the user name
DOES NOT
exist in the local data store, the database checks to see if EUS is enabled • If the user name
DOES
exist within the directory, the database verifies that a valid
mapping
exists between the user name and a database schema. If one does, the database retrives a
password verifier
from the directory and compares it with the password submitted by the user.
How does EUS work?
Multiple OID users can be mapped to one database schema.
How does EUS work?
• EUS Roles must be mapped to database roles.
Example role 1 Example role 2 Example role 3 OID Roles
How Does EUS Work?
• In OID, databases can be placed within realms. (ie. dc=mycompany,dc=com) • Each Realm can contain multiple domains. This is useful for: – Having a production, test, and dev realms with the same roles and users but with different privileges.
– Manage different sets of users for different domains within the same company (ie. manufacturing is separated from HR) • Roles are unique within a domain • Database user to OID user mapping is also unique within a domain as well.
Enterprise User Events
• With the ability to subscribe to events within the directory, applications can automatically provision users. Oracle Internet Directory – Provisioning and Integration Server Event notification callback Subscribe to events Applications
Tools you need.
Database Version 9i 10g 11g Enterprise Security Manager
Server or client
Oracle Directory Manager
$ORACLE_HOME Very Useful Client $ORACLE_HOME only Very Useful Part of Database Control Very Useful
DBCA
Required Required
Oracle Wallet Manager
Required Required
Before Implementation
• Decide on your roles • To simplify administration in our usecase we created three global roles.
– DBA – Application Support – Developer • Each database also had a create_session role in OID.
• By default all users are mapped to all databases and given the role of their job (DBA, Application Support, or Developer) • When someone needs access to a database they are simply granted the create session role. This simplifies and automates 90% of user setup when a new database is created.
LDS Church Implementation
• Setup and install issues – Separating the database from the application server (undocumented ports).
– Moved to an appliance model. This allowed us to convince architecture to put a database in the application zone.
– Wallets • 9i requires type-3 SSL (requires SSL certs. on both sides). Make sure you have access to a certificate authority or have your boss buy off on creating your own.
• 10g uses type-1 SSL (no SSL certificates required).
• 11g wallet creation is broken in DBCA. See
metalink note 458095.1
Password Policies
• 10.1.4.1 and on allow password policies to be set at any level within the directory. • Prior to 10.1.4.1 only realms can have password policies (this presents a problem).
• Password policies apply to databases as well as users. For older OID installations you may wish to register databases in a different realm than users to avoid this issue • Policies within OID are not enforced on users when they logon to the database. The database logs on to OID using its password and then only verifies the password for the user.
After OID is installed
• Create a new configuration set. This can save you from invalid changes.
Adding Users and DBs to OID
• Default interface to oiddas is http://localhost:7777/oiddas • User roles within OIDDAS are not the same as EUS roles.
• DBCA will register the database within OID. This adds all of the OID entries required for EUS.
Using OIDDAS to Add Users
Adding Databases to OID
• DBCA Registration • Using ESM to Assign a Domain (10g ,11g) • Create Groups Within a Domain
Using Enterprise Security Manager to Map OID users to DB Users
Examples of Events Availible for Applications to Subscribe.
• User Add • User Delete • User Changed
Steps to subscribing to events
• For PL/SQL – Create a package that contains the following Functions: FUNCTION user_exists ( user_name IN VARCHAR2, user_guid IN VARCHAR2, user_dn IN VARCHAR2) return NUMBER; FUNCTION group_exists ( group_name IN VARCHAR2, group_guid IN VARCHAR2, group_dn IN VARCHAR2) RETURN NUMBER; FUNCTION event_ntfy ( event_type IN VARCHAR2, event_id IN VARCHAR2, event_src IN VARCHAR2, event_time IN VARCHAR2, object_name IN VARCHAR2, object_guid IN VARCHAR2, object_dn IN VARCHAR2, profile_id IN VARCHAR2, attr_list IN LDAP_ATTR_LIST ) RETURN NUMBER;
Steps to subscribing to events
• Use oidprovtool to setup a application subscription oidprovtool operation=create ldap_host=localhost ldap_port=389 ldap_user_dn="cn=orcladmin“ ldap_user_password=iougtest0 application_dn="cn=portal,cn=Products,cn=OracleContext,dc=localdomain,dc=com“ organization_dn="dc=localdomain,dc=com" interface_name=userprov.oid_event interface_type=PLSQL interface_connect_info=localhost:1521:oid03:userprov:iougtest0 schedule=60 event_subscription="USER:dc=localdomain,dc=com:DELETE" event_subscription="GROUP:dc=localdomain,dc=com:DELETE“ event_subscription="USER:dc=localdomain,dc=com:MODIFY(orclDefaultProfileGroup, userpassword)" event_subscription="GROUP:dc=localdomain,dc=com:MODIFY(uniqueMember)" • Start the odisrv process to begin the subscription oidctl connect=oid03 server=odisrv instance=1 configset=0 start
Integration with Other LDAP Compliant Directories
Integration Server Setup
• Step by Step setup guide for Active Directory guide can be found in metalink note
403287.1
• Uses the same server (odisrv) as event subscription • Automated configuration is available by using scripts that reside in $ORACLE_HOME/ldap/odi/admin
Oracle Virtual Directory
• What is OVD?
• How does it compare to OID?
• When should you use it?
Items Learned in this Session
• Today we covered: – How Enterprise User can benefit you.
– How to setup Enterprise User – Things to look out for when setting up your environment – How you can integrate Enterprise User Security into you environment
Questions?
LAB
Thank You
• Thank you for attending our session “Enterprise User Security – One Companies Experience” Session #102 – Please fill out your evaluation forms – If you have further questions you can contact: • Kyle Brokaw at [email protected]
“Without education we are in a horrible and deadly danger of taking educated people seriously.” G. K. Chesterton