Active Directory and Windows Security Integration with Oracle Database

Presentation transcript:

Active Directory and Windows Security Integration with Oracle Database
Alex Keh, Principal Product Manager, Windows and .NET, Oracle

Agenda
- Database Registration and Name Resolution
- Single Sign-On: Windows Native Authentication, Kerberos
- Security for Web Applications on Windows
- Enterprise User Security and Virtual Directory

Database Registration and Name Resolution: Overview
- Store and resolve Net names through Active Directory
- Eliminate tnsnames.ora on clients
- Centralize configuration, reduce administration
- Authenticated connection to Active Directory (11g)
- Enhanced tools support for storing Net naming: AD Users and Computers, Oracle DB Configuration Assistant, Net Configuration Assistant and Net Manager

Database Registration and Name Resolution: Active Directory support

Client OS   | Server OS | AD  | OID | Comments
Windows     | Any       | Yes |     | Tools for registering Net Service in AD must be run on Windows
Linux/Unix  |           | No  |     | AD integration solutions can be used

Database Registration and Name Resolution: Configuration/Administration
(Active Directory acts as the DB Names and Connect Descriptors Repository.)
1. Ensure Admin can modify Schema in AD
2. Register Schema with NetCA (Windows Admin)
3. Create Naming Context using NetCA
4. Register DB in AD using DBCA or Net Manager
5. Configure Directory Naming and AD Usage with NetCA (Client Systems)

Database Registration and Name Resolution: Run-time
(AD/KDC acts as the DB Names and Connect Descriptors Repository.)
1. User signs on to Desktop
2. User issues Connect Request
3. Client retrieves Connect Descriptor from AD/KDC
4. Connect to Oracle DB using Connect Descriptor (DB on any platform)

Database Registration and Name Resolution: Demo Environment
- Client: Machine Name xpclient.adnet.dev, User oracle, Windows XP SP2
- Database Server: orcl, Machine Name w2k3s.adnet.dev, Domain adnet.dev, Windows Server 2003 EE SP1 (Domain Controller)
- Tools installed on Windows XP (available on Windows 2003 media):
  - Support Tools (under Support directory on CD); ADSI Edit is part of it
  - Admin Tools (under i386 directory on CD): AD Users & Computers, etc.

Demonstration: Database Registration and Name Resolution

Database Registration and Name Resolution: Summary
- Ensure that Administrator can modify Schema in Active Directory
- Register Schema using NetCA (one time for the entire AD forest)
- Create Naming Context using NetCA (once per domain or the entire forest, depending on where you create it)
- Register Database in AD using DBCA or Net Manager
- Configure Directory Naming and Directory Usage (AD) using NetCA on clients (on systems that want to use AD)
- Set NAMES.LDAP_AUTHENTICATE_BIND=Yes in SQLNET.ORA on all 11g client systems
- To support pre-11g clients:
  - Enable anonymous bind in AD
  - Change ACLs for Oracle Naming Context and Database/Net Services objects to allow anonymous access
- Please refer to the white paper "Configuring Microsoft Active Directory for Net Naming" for detailed information
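The client-side result of the steps above, as an added example that is not part of the presentation: the ldap.ora and sqlnet.ora entries an 11g Windows client needs to resolve Net names from AD with an authenticated bind. The host w2k3s.adnet.dev and domain adnet.dev are the demo values from the slides; the ports are the standard LDAP and LDAPS ports, and the NAMES.DIRECTORY_PATH order is an assumption.

```ini
# ldap.ora (ORACLE_HOME\network\admin): which directory to query and where
# the Oracle naming context lives. Written by NetCA when AD is selected.
DIRECTORY_SERVERS = (w2k3s.adnet.dev:389:636)
DEFAULT_ADMIN_CONTEXT = "dc=adnet,dc=dev"
DIRECTORY_SERVER_TYPE = AD

# sqlnet.ora: try the directory first, then any local tnsnames.ora,
# then EZCONNECT (host:port/service) as a last resort.
NAMES.DIRECTORY_PATH = (LDAP, TNSNAMES, EZCONNECT)
# 11g only: bind to AD with the logged-on Windows user's credentials so that
# anonymous bind and relaxed ACLs on the naming context are not needed.
NAMES.LDAP_AUTHENTICATE_BIND = YES
```

Pre-11g clients cannot set NAMES.LDAP_AUTHENTICATE_BIND, which is why the summary lists anonymous bind and ACL changes only for them.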


Single Sign-On

Authentication                | Client OS | Server OS | Comments
Windows Native Authentication | Windows   | Windows   | Included and configured in all editions; MS KDC is used implicitly; uses External Users mechanism; direct support of Windows group membership for role authorization; Enterprise User Security not supported
Kerberos                      | Any       | Any       | EE and ASO option needed; MS KDC is supported; uses External Users mechanism (by default); Enterprise User Security supported; EUS and AD integration solutions needed to support authorization through Windows group membership

Windows Native Authentication
- Enabled by default and can work across systems
- Very easy to configure and use
- Windows user logon credentials used for database authentication
- Authentication protocol (Kerberos or NTLM) negotiated based on OS and Domain Controller
- Oracle Administration Assistant can be used to manage user authentication and role authorization
- Independent of Database Registration and Name Resolution feature

Windows Native Authentication: Use of Windows Groups
- ORA_DBA: all members get SYSDBA privileges
- ORA_OPER: all members get SYSOPER privileges
- For any other Windows user, an external user needs to be created in Oracle DB:
  create user "Sales\frank" identified externally;
- Windows groups can be used to assign roles (if os_roles is true):
  create role sales identified externally;
  Corresponding Windows group for a database with SID orcl: ORA_orcl_sales_d (the _d suffix makes it a default role)
- If Oracle Administration Assistant is used, it makes the appropriate changes in AD and the Database

Windows Native Authentication: flow (Desktop, AD/KDC, Oracle DB)
1. User signs on to desktop
2. User attempts to sign on to Oracle
3. Negotiate security protocol and exchange security tokens with AD/KDC
4. Identify as specific External User
5. Find Windows Group memberships (if os_roles is true)
6. Assign roles based on DB roles or group memberships (based on os_roles)

Windows Native Authentication: Configuration
- Set os_authent_prefix to "" in init.ora
- Ensure that sqlnet.authentication_services is set to NTS in sqlnet.ora (default setup)
- Set os_roles to true in init.ora if you want to use Windows Group Membership for role authorization
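The Windows group and configuration slides above, worked through as an added SQL example that is not from the presentation: it sets the two init parameters, creates the externally identified user and role, and ends with the checks a DBA would run to confirm that authentication was performed by the OS. The SID orcl, domain SALES, role sales and table hr.employees are constructed values.

```sql
-- Added example (not from the presentation): Windows Native Authentication
-- for domain user SALES\frank on a database with SID orcl.

-- 1. Server-side init parameters. Both are static, so they are written to
--    the spfile and take effect after a restart. An empty os_authent_prefix
--    means the Oracle user name is exactly DOMAIN\USER, with no OPS$ prefix.
ALTER SYSTEM SET os_authent_prefix = '' SCOPE = SPFILE;
ALTER SYSTEM SET os_roles = TRUE SCOPE = SPFILE;
-- sqlnet.ora on client and server (the Windows default):
--   SQLNET.AUTHENTICATION_SERVICES = (NTS)

-- 2. External user. The quoted identifier is written in upper case because
--    that is the form Oracle matches against the name Windows presents.
CREATE USER "SALES\FRANK" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "SALES\FRANK";

-- 3. Role authorised by Windows group membership rather than by GRANT.
--    With os_roles = TRUE the role is enabled at logon for members of the
--    Windows local group ORA_ORCL_SALES_D (ORA_<SID>_<ROLE>, suffix _D for a
--    default role); database GRANTs of roles are not used while os_roles is on.
CREATE ROLE sales IDENTIFIED EXTERNALLY;
GRANT SELECT ON hr.employees TO sales;   -- hr.employees: constructed object

-- 4. Checks after the user connects with "sqlplus /" (no password supplied).
--    As DBA: both objects must show authentication type EXTERNAL.
SELECT username, authentication_type
  FROM dba_users
 WHERE username = 'SALES\FRANK';
SELECT role, authentication_type
  FROM dba_roles
 WHERE role = 'SALES';
-- In the user's own session: the OS identity Oracle trusted and the method
-- (OS for Windows Native Authentication); roles enabled from group lookup.
SELECT SYS_CONTEXT('USERENV', 'OS_USER')               AS os_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method
  FROM dual;
SELECT role FROM session_roles;
```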

Demonstration: Windows Native Authentication

Kerberos Authentication
- Integrated with Microsoft Key Distribution Center (MS KDC)
- Supports heterogeneous systems: a Windows client can connect to a non-Windows server and vice versa
- Uses External User mechanisms in Database
- Can also be supported with Enterprise User Security
- EE and ASO (Advanced Security Option) feature

Kerberos Enhancements
- Constrained Delegation support for better support of Windows middle tier applications
- Connected User dblink support over Kerberos
- IPv6 Support
- Stronger encryption algorithms (AES); support default encryption type supported by MS KDC
- Use DNS Domain Name as Kerberos REALM name by default
- Kerberos authentication to Oracle database in a MS cross-domain setup
- Removal of 30 character limit on the Kerberos user name

Constrained Delegation support
- Support Windows Server constrained delegation feature
- Middle tier applications can use Kerberos adapter and authenticate to Oracle DB on behalf of the Windows user (uses MS Credentials Cache)

Kerberos Authentication: Windows Client Configuration
- Create Kerberos and sqlnet configuration files using Oracle Net Manager
- Set sqlnet.kerberos5_cc_name to "OSMSFT:" in sqlnet.ora so that the credential is retrieved from the Microsoft Credential Cache

Kerberos Authentication: Server configuration (non-Windows)
- Create Kerberos and sqlnet configuration files on the server using Oracle Net Manager
- Create user in Active Directory for Database Server
- On the Domain Controller, use the ktpass utility (available from Microsoft) to:
  - Create Database Service Principal in AD
  - Map the Principal to the AD user
  - Create keytab file
- Copy keytab file to DB server node
- Set os_authent_prefix to "" in init.ora

Kerberos Authentication: flow (Desktop, AD/KDC, Oracle DB)
1. User signs on to desktop
2. User attempts to sign on to Oracle
3. Identify as specific External User and assign DB roles accordingly

Example:
SQL> CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS 'KerberosUser@SOMEORGANIZATION.COM';
SQL> GRANT CONNECT, RESOURCE TO KRBUSER;
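The client and non-Windows server configuration slides, combined with the user mapping above, as an added example that is not from the presentation. It lists the sqlnet.ora parameters each side needs (the file paths are placeholders), maps the principal frank@ADNET.DEV (realm taken from the demo domain adnet.dev) to an external user, and shows how to verify that the session was authenticated by Kerberos rather than by a password.

```sql
-- Added example (not from the presentation): Kerberos authentication from a
-- Windows client to an Oracle database on a non-Windows host.
-- sqlnet.ora on the database server, as generated by Net Manager:
--   SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
--   SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
--   SQLNET.KERBEROS5_CONF = /etc/krb5.conf        (placeholder path)
--   SQLNET.KERBEROS5_CONF_MIT = TRUE
--   SQLNET.KERBEROS5_KEYTAB = /etc/v5srvtab       (placeholder; the keytab
--                                                  produced by ktpass)
-- sqlnet.ora on the Windows client:
--   SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
--   SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
--   SQLNET.KERBEROS5_CC_NAME = OSMSFT:   (ticket comes from the Windows logon)

-- No prefix: the external name is matched as given, not as OPS$<name>.
ALTER SYSTEM SET os_authent_prefix = '' SCOPE = SPFILE;

-- The external name is the full Kerberos principal; the realm is the
-- upper-cased DNS domain, which is also the 11g default for REALM.
CREATE USER krbfrank IDENTIFIED EXTERNALLY AS 'frank@ADNET.DEV';
GRANT CREATE SESSION TO krbfrank;

-- With Kerberos alone there is no Windows group lookup, so roles come from
-- ordinary database grants (the Single Sign-On slide notes that group-based
-- authorization needs EUS on top of Kerberos).
CREATE ROLE sales;
GRANT sales TO krbfrank;

-- Checks after the client connects with "sqlplus /@orcl" (no password):
-- the DBA view shows the principal the user is mapped to ...
SELECT username, external_name, authentication_type
  FROM dba_users
 WHERE username = 'KRBFRANK';
-- ... and the session itself reports KERBEROS and the authenticated principal,
-- which is what an auditor wants recorded instead of a shared password.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS principal
  FROM dual;
```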


Web Applications on Windows (architecture diagram): User Communities connect to Web Apps on Windows (IIS), which connect to Oracle DB, with AD/KDC providing identity. Two authentication hops are involved: Web User Authentication and Web Application to DB Authentication.

Web User Authentication Solutions
- Oracle Identity Management solutions
  - Integrated with Active Directory
  - Supports heterogeneous environments
  - Check http://www.oracle.com/technology/products/id_mgmt/index.htm
- ASP.NET Membership and Role Provider for Oracle
  - Validate and manage user and authorization information for your ASP.NET web applications in Oracle Database
  - Deployment time option
  - Oracle Database can be on any platform
- These are Oracle provided solutions which can be used in addition to the solutions provided by Microsoft

Web Application to Database Authentication
- Windows native authentication
  - Run Web Applications as specific Windows users or use IIS mechanisms for mapping Web users to Windows users
  - Use OS authenticated connection pool (ODP.NET supports it)
  - Database must be on Windows
- Kerberos authentication can be used when Database is on a non-Windows platform
- User ID/Password
  - If you must use it, use Secure External Password Store (in Oracle Wallet) to store the password securely
  - Database can be on any platform
- Evaluate other security solutions: Oracle Advanced Security
- Recommend the use of Application Context/Client ID for end-to-end auditing and security


Identity Management Options
- Enterprise User Security (EUS)
- User Management 4 Databases (UM4DB)

Enterprise User Security
- Centralize user accounts and roles into enterprise directory
- Requires Oracle Virtual Directory or Oracle Internet Directory

What is Oracle Virtual Directory?
A service that aggregates identity data without consolidating it, reducing the time it takes to deploy LDAP, Web Service and Database applications.

EUS and OVD Architecture (diagram)

User Management for Databases (UM4DB)
- Provides centralized life-cycle management for databases, from hire to exit
- Provides self-service
- Audit/Compliance reports
- Restricted License of OIM and OVD/OID

UM4DB (architecture diagram): a New or Existing User, Self Request, Administrator or Helpdesk feeds Approval into the Oracle Policy Engine (Identity Repository, Access Policies, Workflow, Rules Engine), whose Connector provisions Oracle Databases and SQL Server, Sybase and DB2 Databases.

Speaker notes: Role mining allows mapping of access privileges to roles based on business context, current policies and practices, and similar analysis. So, when a new employee joins the company, based on her role and the organization context, she is assigned a role and accordingly access to various systems via the user provisioning system. The user provisioning tool's user interface also allows an organization to "on board" customers, vendors or other users via an intuitive, self-service, non-HRMS based interface. In both cases, the role management tool defines approvers per user role or application, which allows the integrated provisioning system to route approval requests accordingly. The provisioning workflow enforces provisioning policies and processes while maintaining an audit trail.

Value: Automated Compliance Reporting
Main Point: OIM comes with a comprehensive set of OOB reports and additionally uses Oracle BI Publisher to allow you to generate custom reports.
Speaker notes: Oracle Identity Manager brings a comprehensive set of OOB reports covering both current and historic states, including user resource access history, user account activity, and who has or had access to what: assigned by whom, approved by whom, when, etc.

EUS and OVD Summary
- EUS centralizes database account management into a directory
- EUS works across heterogeneous operating systems
- OVD enables EUS to work with 3rd party directories without synchronization

Session Summary
- Most comprehensive solutions for integration with Active Directory and Windows Security
- Support client/server and web applications
- Support homogeneous and heterogeneous environments
- Oracle solutions extend Microsoft offerings

For More Information
- Windows Server System Center: http://www.oracle.com/technology/windows
- Oracle Net Services: http://www.oracle.com/technology/products/oraclenet/index.html
- Oracle Database Security: http://www.oracle.com/technology/deploy/security/database-security/index.html
- Oracle Virtual Directory (OVD), Oracle Identity & Access Management: http://www.oracle.com/identity
- For questions, email alex.keh@oracle.com

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.