
Enterprise User Security – One
Company's Experience
Kyle Brokaw – LDS Church
Russ Lowenthal – Oracle Corp.
Session #102
Speaker Qualifications
• Kyle Brokaw (OCP) – Core Technology Manager at
the LDS Church.
• Russ Lowenthal (CISSP, CISM, CISA, OCM) – Oracle's Protected Enterprise group.
• Kyle Brokaw implemented Enterprise User Security in
February of 2007.
• Russ Lowenthal works with Oracle customers and
often presents on Oracle’s security related products.
Before Implementation
• Decide what you need.
Licensing
• Must have Oracle 8i and higher Enterprise Edition Database.
• Oracle no longer considers Enterprise User Security a
separately licensable database option. In Oracle 8i and Oracle
9i Release 1, EUS was part of the Advanced Security Option.
Starting with Oracle 9i Release 2, EUS moves under the umbrella
of the Enterprise Edition database, and the only thing that
requires a license is the Oracle Directory Service (this includes
both Oracle Internet Directory and Oracle Virtual Directory).
• As always, contact your customer service rep. to verify all of this
information.
What is Enterprise User Security?
• EUS Allows Centralized User Management
• May be used with any application or tool that
uses an Oracle Database login
• Integrates with other vendors products (Active
Directory, OpenLDAP, etc.)
• Extensible – APIs to replicate data out of and
into Oracle's Internet Directory
• Single Sign-on is also possible with EUS
How does EUS work?
Oracle Internet Directory
Databases and Applications authenticate their
users through Oracle’s Directory Services.
How does EUS work?
• Oracle 8i introduced the capability to store user
information in a centralized directory.
• At logon the database checks DBA_USERS.
• If the user name DOES NOT exist in the local data
store, the database checks to see if EUS is enabled.
• If the user name DOES exist within the directory, the
database verifies that a valid mapping exists between
the user name and a database schema. If one does,
the database retrieves a password verifier from the
directory and compares it with the password
submitted by the user.
How does EUS work?
Multiple OID users can be mapped to one
database schema.
How does EUS work?
• EUS Roles must be mapped to database
roles.
[Diagram: Example role 1, Example role 2 and Example role 3 shown as OID roles mapped to database roles]
How Does EUS Work?
• In OID, databases can be placed within realms (i.e.
dc=mycompany,dc=com).
• Each realm can contain multiple domains. This is
useful for:
– Having production, test, and dev realms with the
same roles and users but with different privileges.
– Managing different sets of users for different
domains within the same company (i.e.
manufacturing is separated from HR).
• Roles are unique within a domain.
• Database user to OID user mapping is also unique
within a domain.
Enterprise User Events
• With the ability to subscribe to events within
the directory, applications can automatically
provision users.
[Diagram: Oracle Internet Directory – Provisioning and Integration Server. Applications subscribe to events; the server sends event notification callbacks to the applications.]
Tools you need.

Oracle Database Version | Enterprise Security Manager        | Directory Manager | Oracle Wallet Manager
9i                      | $ORACLE_HOME (server or client)    | Very Useful       | Required
10g                     | $ORACLE_HOME (client only)         | Very Useful       | Required
11g                     | Part of Database Control / DBCA    | Very Useful       | Required
Before Implementation
• Decide on your roles
• To simplify administration in our use case we created three
global roles.
– DBA
– Application Support
– Developer
• Each database also had a create_session role in OID.
• By default all users are mapped to all databases and given the
role of their job (DBA, Application Support, or Developer)
• When someone needs access to a database they are simply
granted the create session role. This simplifies and automates
90% of user setup when a new database is created.
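The database side of the role design above, written as an added example rather than the presenters' own scripts. The role and schema names (eus_dba, eus_app_support, eus_developer, eus_create_session, app_shared, the sample user DN under dc=mycompany,dc=com) are constructed for the example; the enterprise-role-to-global-role and OID-user-to-schema mappings themselves are still made in OID with Enterprise Security Manager, as the slides describe.

```sql
-- Global roles: no local password, granted only through the directory mapping.
-- One role per job function, as in the three-role design.
CREATE ROLE eus_dba         IDENTIFIED GLOBALLY;
CREATE ROLE eus_app_support IDENTIFIED GLOBALLY;
CREATE ROLE eus_developer   IDENTIFIED GLOBALLY;

-- Per-database gate: everyone is mapped to every database, but only users
-- holding this enterprise role in OID can actually connect.
CREATE ROLE eus_create_session IDENTIFIED GLOBALLY;
GRANT CREATE SESSION TO eus_create_session;

-- Privileges each job role needs go here (illustrative minimal grants).
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO eus_developer;
GRANT ALTER SESSION                               TO eus_app_support;
GRANT ALTER SYSTEM                                TO eus_dba;

-- Shared schema: many OID users map to this one database schema.
-- Empty AS '' means "mapped in the directory", not a specific DN.
CREATE USER app_shared IDENTIFIED GLOBALLY AS '';

-- Exclusive schema: exactly one directory user, named by DN (constructed DN).
CREATE USER kbrokaw IDENTIFIED GLOBALLY AS 'cn=kbrokaw,cn=users,dc=mycompany,dc=com';

-- Nothing is granted directly to the schemas: privileges arrive through the
-- enterprise roles, so removing a user from a role in OID removes access here.

-- Verification: global roles report PASSWORD_REQUIRED = 'GLOBAL'.
SELECT role, password_required
  FROM dba_roles
 WHERE role LIKE 'EUS\_%' ESCAPE '\';

-- Verification: the schemas exist locally. Remember the logon order from the
-- slides: a local entry in DBA_USERS with the same name as a directory user
-- is found first, so stale password-authenticated accounts must be dropped.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('APP_SHARED', 'KBROKAW');
```

The create_session role is deliberately separate from the job roles: the job role fixes what a person may do, the per-database role fixes where, and a new database only needs the one extra enterprise role created and mapped.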
LDS Church Implementation
• Setup and install issues
– Separating the database from the application
server (undocumented ports).
– Moved to an appliance model. This allowed us to
convince architecture to put a database in the
application zone.
– Wallets
• 9i requires type-3 SSL (requires SSL certs. on both
sides). Make sure you have access to a certificate
authority or have your boss buy off on creating your own.
• 10g uses type-1 SSL (no SSL certificates required).
• 11g wallet creation is broken in DBCA. See metalink
note 458095.1
Password Policies
• 10.1.4.1 and on allow password policies to be set at
any level within the directory.
• Prior to 10.1.4.1 only realms can have password
policies (this presents a problem).
• Password policies apply to databases as well as
users. For older OID installations you may wish to
register databases in a different realm than users to
avoid this issue.
• Policies within OID are not enforced on users when
they logon to the database. The database logs on to
OID using its password and then only verifies the
password for the user.
After OID is installed
• Create a new configuration set. This can
save you from invalid changes.
Adding Users and DBs to OID
• Default interface to oiddas is
http://localhost:7777/oiddas
• User roles within OIDDAS are not the same
as EUS roles.
• DBCA will register the database within OID.
This adds all of the OID entries required for
EUS.
Using OIDDAS to Add Users
Adding Databases to OID
• DBCA Registration
• Using ESM to Assign a Domain (10g ,11g)
• Create Groups Within a Domain
Using Enterprise Security Manager to
Map OID users to DB Users
Examples of Events Available
for Applications to Subscribe To
• User Add
• User Delete
• User Changed
Steps to subscribing to events
• For PL/SQL
– Create a package that contains the following functions:

    FUNCTION user_exists ( user_name  IN VARCHAR2,
                           user_guid  IN VARCHAR2,
                           user_dn    IN VARCHAR2 )
    RETURN NUMBER;

    FUNCTION group_exists ( group_name IN VARCHAR2,
                            group_guid IN VARCHAR2,
                            group_dn   IN VARCHAR2 )
    RETURN NUMBER;

    FUNCTION event_ntfy ( event_type  IN VARCHAR2,
                          event_id    IN VARCHAR2,
                          event_src   IN VARCHAR2,
                          event_time  IN VARCHAR2,
                          object_name IN VARCHAR2,
                          object_guid IN VARCHAR2,
                          object_dn   IN VARCHAR2,
                          profile_id  IN VARCHAR2,
                          attr_list   IN LDAP_ATTR_LIST )
    RETURN NUMBER;
Steps to subscribing to events
• Use oidprovtool to set up an application
subscription
oidprovtool operation=create ldap_host=localhost ldap_port=389
ldap_user_dn="cn=orcladmin"
ldap_user_password=iougtest0
application_dn="cn=portal,cn=Products,cn=OracleContext,dc=localdomain,dc=com"
organization_dn="dc=localdomain,dc=com" interface_name=userprov.oid_event
interface_type=PLSQL interface_connect_info=localhost:1521:oid03:userprov:iougtest0
schedule=60 event_subscription="USER:dc=localdomain,dc=com:DELETE"
event_subscription="GROUP:dc=localdomain,dc=com:DELETE"
event_subscription="USER:dc=localdomain,dc=com:MODIFY(orclDefaultProfileGroup,
userpassword)" event_subscription="GROUP:dc=localdomain,dc=com:MODIFY(uniqueMember)"
• Start the odisrv process to begin the subscription
oidctl connect=oid03 server=odisrv instance=1 configset=0 start
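A complete implementation of the package the subscription steps above call for, as an added example and not code from the presenters. It is written for the USERPROV schema named by interface_name=userprov.oid_event in the oidprovtool command, so that the three functions listed on the slide are present with the signatures shown. Assumptions, all labelled in the code: the two support tables (app_users, app_prov_log) are constructed for the example; the return convention (1 = handled or exists, 0 = failed or missing), the event_type values USER_ADD and USER_DELETE, and the attr_name field of the LDAP_ATTR_LIST element type are taken from the DIP PL/SQL interface as the author remembers it and must be verified against the types installed in your directory integration schema.

```sql
-- Support tables (constructed for this example).
CREATE TABLE app_users (
  user_guid  VARCHAR2(64)   PRIMARY KEY,
  user_dn    VARCHAR2(1024) NOT NULL,
  user_name  VARCHAR2(255)  NOT NULL,
  status     VARCHAR2(16)   DEFAULT 'ACTIVE' NOT NULL
);
CREATE TABLE app_prov_log (
  log_time   TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  event_id   VARCHAR2(255),
  event_type VARCHAR2(64),
  object_dn  VARCHAR2(1024),
  detail     VARCHAR2(4000)
);

CREATE OR REPLACE PACKAGE oid_event AS
  FUNCTION user_exists  (user_name  IN VARCHAR2, user_guid  IN VARCHAR2,
                         user_dn    IN VARCHAR2) RETURN NUMBER;
  FUNCTION group_exists (group_name IN VARCHAR2, group_guid IN VARCHAR2,
                         group_dn   IN VARCHAR2) RETURN NUMBER;
  FUNCTION event_ntfy   (event_type  IN VARCHAR2, event_id    IN VARCHAR2,
                         event_src   IN VARCHAR2, event_time  IN VARCHAR2,
                         object_name IN VARCHAR2, object_guid IN VARCHAR2,
                         object_dn   IN VARCHAR2, profile_id  IN VARCHAR2,
                         attr_list   IN LDAP_ATTR_LIST) RETURN NUMBER;
END oid_event;
/

CREATE OR REPLACE PACKAGE BODY oid_event AS
  -- Assumed DIP return convention: 1 = success / exists, 0 = failure / absent.
  c_ok   CONSTANT NUMBER := 1;
  c_fail CONSTANT NUMBER := 0;

  -- Autonomous so the audit row survives a rollback in the caller.
  PROCEDURE log_event (p_event_id IN VARCHAR2, p_event_type IN VARCHAR2,
                       p_object_dn IN VARCHAR2, p_detail IN VARCHAR2) IS
    PRAGMA AUTONOMOUS_TRANSACTION;
  BEGIN
    INSERT INTO app_prov_log (event_id, event_type, object_dn, detail)
    VALUES (p_event_id, p_event_type, p_object_dn, p_detail);
    COMMIT;
  END log_event;

  FUNCTION user_exists (user_name IN VARCHAR2, user_guid IN VARCHAR2,
                        user_dn IN VARCHAR2) RETURN NUMBER IS
    n PLS_INTEGER;
  BEGIN
    -- Match on GUID, not name: a renamed directory entry keeps its GUID.
    SELECT COUNT(*) INTO n FROM app_users u
     WHERE u.user_guid = user_exists.user_guid AND u.status = 'ACTIVE';
    RETURN CASE WHEN n > 0 THEN c_ok ELSE c_fail END;
  END user_exists;

  FUNCTION group_exists (group_name IN VARCHAR2, group_guid IN VARCHAR2,
                         group_dn IN VARCHAR2) RETURN NUMBER IS
  BEGIN
    RETURN c_fail;  -- this application provisions users only; no group table
  END group_exists;

  FUNCTION event_ntfy (event_type IN VARCHAR2, event_id IN VARCHAR2,
                       event_src IN VARCHAR2, event_time IN VARCHAR2,
                       object_name IN VARCHAR2, object_guid IN VARCHAR2,
                       object_dn IN VARCHAR2, profile_id IN VARCHAR2,
                       attr_list IN LDAP_ATTR_LIST) RETURN NUMBER IS
    v_attrs VARCHAR2(4000);
  BEGIN
    -- Record attribute NAMES only (attr_name is an assumed field name): the
    -- subscription delivers userpassword changes and the value must never be
    -- written to a log table.
    IF attr_list IS NOT NULL THEN
      FOR i IN 1 .. attr_list.COUNT LOOP
        v_attrs := v_attrs || attr_list(i).attr_name || ' ';
      END LOOP;
    END IF;
    log_event(event_id, event_type, object_dn, TRIM(v_attrs));

    -- Assumed event_type names; confirm against what odisrv actually delivers.
    IF event_type = 'USER_ADD' THEN
      MERGE INTO app_users u
      USING (SELECT object_guid g, object_dn d, object_name nm FROM dual) s
         ON (u.user_guid = s.g)
       WHEN MATCHED THEN UPDATE SET u.status = 'ACTIVE', u.user_dn = s.d
       WHEN NOT MATCHED THEN INSERT (user_guid, user_dn, user_name, status)
                             VALUES (s.g, s.d, s.nm, 'ACTIVE');
    ELSIF event_type = 'USER_DELETE' THEN
      -- Disable rather than delete: idempotent on redelivery, keeps the trail.
      UPDATE app_users SET status = 'DISABLED' WHERE user_guid = object_guid;
    END IF;
    COMMIT;
    RETURN c_ok;
  EXCEPTION
    WHEN OTHERS THEN
      ROLLBACK;
      log_event(event_id, event_type, object_dn, 'ERROR ' || SQLERRM);
      RETURN c_fail;
  END event_ntfy;
END oid_event;
/
```

Two design points worth noting. The interface_connect_info argument carries the USERPROV schema's password on the oidprovtool command line, so that schema should own only the provisioning tables and this package, nothing else. And because odisrv redelivers on failure, every handler branch is written to be safe to run twice: disabling an already disabled user or merging an existing one changes nothing.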
Integration with Other LDAP
Compliant Directories
Integration Server Setup
• A step-by-step setup guide for Active Directory
can be found in metalink note 403287.1
• Uses the same server (odisrv) as event
subscription
• Automated configuration is available by using
scripts that reside in
$ORACLE_HOME/ldap/odi/admin
Oracle Virtual Directory
• What is OVD?
• How does it compare to OID?
• When should you use it?
Items Learned in this Session
• Today we covered:
– How Enterprise User can benefit you.
– How to setup Enterprise User
– Things to look out for when setting up your
environment
– How you can integrate Enterprise User Security
into your environment
Questions?
LAB
Thank You
• Thank you for attending our session "Enterprise User Security –
One Company's Experience" Session #102
– Please fill out your evaluation forms
– If you have further questions you can contact:
• Kyle Brokaw at [email protected]
“Without education we are in a horrible and deadly danger of
taking educated people seriously.”
G. K. Chesterton