Active Directory and Windows Security Integration with Oracle Database
Alex Keh
Principal Product Manager, Windows and .NET
Oracle
Agenda
• Database Registration and Name Resolution
• Single Sign-On
– Windows Native Authentication
– Kerberos
• Security for Web Applications on Windows
• Enterprise User Security and Virtual Directory
Database Registration and Name Resolution
Overview
• Store and resolve Net names through Active Directory
– Eliminate tnsnames.ora on clients
– Centralize configuration, reduce administration
– Authenticated connection to Active Directory (11g)
• Enhanced tools support for storing Net naming
– AD Users and Computers
– Oracle DB Configuration Assistant, Net Configuration Assistant and Net Manager
Database Registration and Name Resolution
Active Directory support

Client OS    Server OS   AD    OID   Comments
Windows      Windows     Yes   Yes
Windows      Any         Yes   Yes   Tools for registering Net Service in AD must be run on Windows
Linux/Unix   Any         No    Yes   AD Integration solutions can be used
Database Registration and Name Resolution
Configuration/Administration (diagram: a Windows Admin configures Active Directory, which acts as the repository of DB names and connect descriptors for the client systems)
1 – Ensure Admin can modify Schema in AD
2 – Register Schema with NetCA
3 – Create Naming Context using NetCA
4 – Register DB in AD using DBCA or Net Manager
5 – Configure Directory Naming and AD Usage with NetCA
Database Registration and Name Resolution
Run-time (diagram: desktop client, AD/KDC holding the repository of DB names and connect descriptors, Oracle DB on any platform)
1 – User signs on to Desktop
2 – User issues Connect Request
3 – Retrieves Connect Descriptor from AD
4 – Connect to DB using Connect Descriptor (Any Platform)
Database Registration and Name Resolution
Demo Environment
• Client: Windows XP SP2; machine name xpclient.adnet.dev; user oracle; database server orcl
• Domain Controller: Windows Server 2003 EE SP1; machine name w2k3s.adnet.dev; domain adnet.dev
• Tools installed on Windows XP (available on Windows 2003 media):
– Support Tools (under Support directory on CD) – ADSI Edit is part of it
– Admin Tools (under i386 directory on CD) – AD Users & Computers, etc.
DEMONSTRATION: Database Registration and Name Resolution
Database Registration and Name Resolution
Summary
1. Ensure that Administrator can modify Schema in Active Directory
2. Register Schema using NetCA (one time for the entire AD forest)
3. Create Naming Context using NetCA (once per domain or the entire forest depending on where you create it)
4. Register Database in AD using DBCA or Net Manager
5. Configure Directory Naming and Directory Usage (AD) using NetCA on client systems that want to use AD
6. Set NAMES.LDAP_AUTHENTICATE_BIND=Yes in SQLNET.ORA on all 11g client systems
To support pre-11g clients:
1. Enable anonymous bind in AD
2. Change ACLs for Oracle Naming Context and Database/Net Services objects to allow anonymous access
Please refer to the white paper Configuring Microsoft Active Directory for Net Naming for detailed information.
Single Sign-On
Authentication options

Windows Native Authentication (Client OS: Windows; Server OS: Windows)
• Included and configured in all editions
• MS KDC is used implicitly
• Uses External Users mechanism
• Direct support of Windows group membership for role authorization
• Enterprise User Security not supported

Kerberos (Client OS: Any; Server OS: Any)
• EE and ASO option needed
• MS KDC is supported
• Uses External Users mechanism (by default)
• Enterprise User Security supported
• EUS and AD integration solutions needed to support authorization through Windows group membership
Windows Native Authentication
• Enabled by default and can work across systems
• Very easy to configure and use
• Windows user logon credentials used for database authentication
• Authentication protocol (Kerberos or NTLM) negotiated based on OS and Domain Controller
• Oracle Administration Assistant can be used to manage user authentication and role authorization
• Independent of Database Registration and Name Resolution feature
Windows Native Authentication
Use of Windows Groups
• ORA_DBA: all members get SYSDBA privileges
• ORA_OPER: all members get SYSOPER privileges
• For any other Windows user, an external user needs to be created in Oracle DB:
– create user "Sales\frank" identified externally;
• Windows groups can be used to assign roles (if os_roles is true):
– create role sales identified externally;
– Corresponding Windows group for a database with SID orcl: ORA_orcl_sales_d if this should be a default role
(If Oracle Administration Assistant is used, it makes the appropriate changes in AD and the Database)
Windows Native Authentication
Authentication flow (diagram: desktop user, AD/KDC, Oracle DB)
1 – User signs on to desktop
2 – User attempts to sign on to Oracle
3 – Negotiate security protocol and exchange security tokens
4 – Identify as specific External User
5 – Find Windows Group memberships (if os_roles is true)
6 – Assign roles based on DB roles or group memberships (based on os_roles)
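A small model of steps 4 to 6 above, written for this transcript as an added example (it is not Oracle's code): it derives the external user name from os_authent_prefix, domain and user, and maps the logon's Windows groups to SYSDBA/SYSOPER and to ORA_<SID>_<ROLE>[_D] roles. Assumptions: group names match case-insensitively, and a bare ORA_<SID>_<ROLE> group (no _d suffix) is treated as a non-default role, which the slides do not state.

```python
"""Model of Windows Native Authentication role assignment (constructed, not Oracle code)."""
from dataclasses import dataclass, field


@dataclass
class Decision:
    external_user: str
    sys_privs: set = field(default_factory=set)     # SYSDBA / SYSOPER from ORA_DBA / ORA_OPER
    roles: set = field(default_factory=set)         # roles granted through ORA_<SID>_<ROLE>[_D]
    default_roles: set = field(default_factory=set)


def external_username(os_authent_prefix: str, domain: str, user: str) -> str:
    """Name the external DB account must carry, e.g. "Sales\\frank" when the prefix is ""."""
    return f"{os_authent_prefix}{domain}\\{user}"


def resolve(sid, domain, user, windows_groups, external_roles, os_roles, os_authent_prefix=""):
    """windows_groups: the logon's group names; external_roles: DB roles created IDENTIFIED
    EXTERNALLY; os_roles: the init.ora setting. Group names are matched case-insensitively."""
    d = Decision(external_username(os_authent_prefix, domain, user))
    groups = {g.upper() for g in windows_groups}
    # ORA_DBA / ORA_OPER apply regardless of os_roles and are not tied to a database SID.
    if "ORA_DBA" in groups:
        d.sys_privs.add("SYSDBA")
    if "ORA_OPER" in groups:
        d.sys_privs.add("SYSOPER")
    if not os_roles:
        return d  # roles then come only from grants stored in the database
    known = {r.upper() for r in external_roles}
    prefix = f"ORA_{sid.upper()}_"
    for group in groups:
        if not group.startswith(prefix):
            continue  # group for another database, or unrelated to Oracle
        body = group[len(prefix):]
        is_default = body.endswith("_D")          # slide: ORA_orcl_sales_d marks a default role
        role = body[:-2] if is_default else body  # assumed: bare ORA_<SID>_<ROLE> = non-default
        if role not in known:
            continue  # no matching IDENTIFIED EXTERNALLY role: membership confers nothing
        d.roles.add(role)
        if is_default:
            d.default_roles.add(role)
    return d


if __name__ == "__main__":
    # Constructed logon: Sales\frank, member of the default sales role group for SID orcl.
    print(resolve("orcl", "Sales", "frank", ["Domain Users", "ORA_orcl_sales_d"], ["sales"], True))
```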
Windows Native Authentication
Configuration
• Set os_authent_prefix to "" in init.ora
• Ensure that sqlnet.authentication_services is set to NTS in sqlnet.ora (the default setup)
• Set os_roles to true in init.ora if you want to use Windows Group Membership for role authorization
DEMONSTRATION: Windows Native Authentication
Kerberos Authentication
• Integrated with Microsoft Key Distribution Center (MS KDC)
• Supports heterogeneous systems
– A Windows client can connect to a non-Windows server and vice versa
• Uses External User mechanisms in Database
• Can also be supported with Enterprise User Security
• EE and ASO (Advanced Security Option) feature
Kerberos Enhancements
• Constrained Delegation support for better support of Windows middle-tier applications
• Connected User dblink support over Kerberos
• IPv6 Support
• Stronger encryption algorithms (AES)
– Support the default encryption type supported by MS KDC
• Use DNS Domain Name as Kerberos REALM name by default
• Kerberos authentication to Oracle database in a MS cross-domain setup
• Removal of 30 character limit on the Kerberos user name
Kerberos Authentication
Windows Client Configuration
• Create Kerberos and sqlnet configuration files using Oracle Net Manager
– Set sqlnet.kerberos5_cc_name to "OSMSFT:" in sqlnet.ora so that the credential is retrieved from the Microsoft Credential Cache
Kerberos Authentication
Server configuration (non-Windows)
• Create Kerberos and sqlnet configuration files on the server using Oracle Net Manager
• Create user in Active Directory for Database Server
• On the Domain Controller, use the ktpass utility (available from Microsoft) to
– Create Database Service Principal in AD
– Map the Principal to the AD user
– Create keytab file
• Copy keytab file to DB server node
• Set os_authent_prefix to "" in init.ora
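The sqlnet.ora settings this deck calls for on a Windows client (NAMES.LDAP_AUTHENTICATE_BIND=Yes from the naming summary, NTS from the Windows Native Authentication configuration, and "OSMSFT:" from the Kerberos client configuration) as a checker, added here as an example and not Oracle's code. The two sample files are constructed; the parser handles only single-line KEY = VALUE entries, not nested parameter lists.

```python
"""sqlnet.ora checker for the settings the slides call for (added example, not Oracle code)."""

GOOD_SQLNET_ORA = """
# constructed sample: 11g Windows client with AD naming and Kerberos/NTS single sign-on
NAMES.DIRECTORY_PATH = (LDAP, TNSNAMES)
NAMES.LDAP_AUTHENTICATE_BIND = YES
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5, NTS)
SQLNET.KERBEROS5_CC_NAME = "OSMSFT:"
"""
WEAK_SQLNET_ORA = """
# constructed weak sample: anonymous LDAP bind, Kerberos cache that is not the MS one
NAMES.DIRECTORY_PATH = (LDAP)
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_oracle
"""

def parse_sqlnet(text):
    """Parse KEY = VALUE lines into a dict: '#' comments dropped, quotes stripped, and a
    parenthesised value such as (LDAP, TNSNAMES) turned into an upper-cased list."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        params[key.upper()] = value
    return params

def as_list(value):
    """Normalise a value written with or without parentheses to an upper-cased list."""
    if not value:
        return []
    return value if isinstance(value, list) else [str(value).upper()]

def check_client(params):
    """Findings for a Windows client sqlnet.ora; an empty list means it matches the slides."""
    findings = []
    if "LDAP" in as_list(params.get("NAMES.DIRECTORY_PATH")) and as_list(
            params.get("NAMES.LDAP_AUTHENTICATE_BIND")) != ["YES"]:
        findings.append("AD name resolution without NAMES.LDAP_AUTHENTICATE_BIND=YES (anonymous bind)")
    services = as_list(params.get("SQLNET.AUTHENTICATION_SERVICES"))
    if not {"NTS", "KERBEROS5"} & set(services):
        findings.append("neither NTS nor KERBEROS5 in SQLNET.AUTHENTICATION_SERVICES: no single sign-on")
    cache = as_list(params.get("SQLNET.KERBEROS5_CC_NAME"))
    if "KERBEROS5" in services and not (cache and cache[0].startswith("OSMSFT:")):
        findings.append("KERBEROS5 without SQLNET.KERBEROS5_CC_NAME=OSMSFT: (MS credential cache unused)")
    return findings
```

Run `check_client(parse_sqlnet(WEAK_SQLNET_ORA))` to see the two findings for the weak sample; the good sample returns an empty list.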
Kerberos Authentication
Authentication flow (diagram: user signs on to desktop, then attempts to sign on to Oracle; AD/KDC issues the ticket; Oracle DB identifies the user as a specific External User and assigns DB roles accordingly)
Example:
SQL> CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS '[email protected]';
SQL> GRANT CONNECT, RESOURCE TO KRBUSER;
Web Applications on Windows (diagram: user communities and service test monitoring reach Oracle web apps on Windows (IIS); AD/KDC provides web user authentication; the web application in turn authenticates to the DB)
Web User Authentication Solutions
• Oracle Identity Management solutions
– Integrated with Active Directory
– Supports heterogeneous environments
– Check http://www.oracle.com/technology/products/id_mgmt/index.htm
• ASP.NET Membership and Role Provider for Oracle
– Validate and manage user and authorization information for your ASP.NET web applications in Oracle Database
– Deployment time option
– Oracle Database can be on any platform
These are Oracle provided solutions which can be used in addition to the solutions provided by Microsoft.
Web Application to Database Authentication
• Windows native authentication
– Run Web Applications as specific Windows users or use IIS mechanisms for mapping Web users to Windows users
– Use OS authenticated connection pool (ODP.NET supports it)
– Database must be on Windows
• Kerberos authentication can be used when Database is on a non-Windows platform
• User ID/Password
– If you must use it, use Secure External Password Store (in Oracle Wallet) to store the password securely
– Database can be on any platform
• Evaluate other security solutions: Oracle Advanced Security
Recommend the use of Application Context/Client ID for end-to-end auditing and security.
Identity Management Options
• Enterprise User Security (EUS)
• User Management 4 Databases (UM4DB)
Enterprise User Security
• Centralize user accounts and roles into an enterprise directory
• Requires Oracle Virtual Directory or Oracle Internet Directory
What is Oracle Virtual Directory?
• Service that aggregates identity data without consolidation, reducing the time it takes to deploy LDAP, Web Service and Database applications
EUS – OVD Architecture (architecture diagram)
User Management for Databases (UM4DB)
• Provides centralized life-cycle management for databases
– From hire to exit
– Provides self-service
• Audit/Compliance reports
• Restricted License of OIM and OVD/OID
UM4DB (diagram: a new or existing user raises a self request, which passes through helpdesk or administrator approval; the identity repository, rules engine, access policies, workflow, policy engine and connector then provision Oracle databases as well as SQL Server, Sybase and DB2 databases)
Value: Automated Compliance Reporting
EUS and OVD
Summary
• EUS centralizes database account management into a directory
• EUS works across heterogeneous operating systems
• OVD enables EUS to work with 3rd party directories without synchronization
Session Summary
• Most comprehensive solutions for integration with Active Directory and Windows Security
• Support client/server and web applications
• Support homogeneous and heterogeneous environments
• Oracle solutions extend Microsoft offerings
For More Information
Windows Server System Center
http://www.oracle.com/technology/windows
Oracle Net Services
http://www.oracle.com/technology/products/oraclenet/index.html
Oracle Database Security
http://www.oracle.com/technology/deploy/security/databasesecurity/index.html
Oracle Virtual Directory (OVD)
http://www.oracle.com/identity
Oracle Identity & Access Management
http://www.oracle.com/identity
For questions, email [email protected]
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.