Kyle Brokaw – LDS Church, Russ Lowenthal – Oracle Corp. Session #102: Enterprise User Security – One Company's Experience.

Speaker Qualifications
Kyle Brokaw (OCP) – Core Technology Manager at the LDS Church. Russ Lowenthal (CISSP, CISM, CISA, OCM) – Oracle's Protected Enterprise group. Kyle Brokaw implemented Enterprise User Security in February of [year missing from transcript]. Russ Lowenthal works with Oracle customers and often presents on Oracle's security-related products.

Before Implementation
Decide what you need.

Licensing
Requires an Oracle 8i or higher Enterprise Edition database. Oracle no longer considers Enterprise User Security a separately licensable database option (in Oracle 8i and Oracle 9i Release 1, EUS was part of the Advanced Security Option). Starting with Oracle 9i Release 2, EUS moves under the umbrella of the Enterprise Edition database, and the only thing that requires a license is the Oracle Directory Service (this includes both Oracle Internet Directory and Oracle Virtual Directory). As always, contact your customer service rep to verify all of this information.

What is Enterprise User Security?
–EUS allows centralized user management.
–May be used with any application or tool that uses an Oracle Database login.
–Integrates with other vendors' products (Active Directory, OpenLDAP, etc.).
–Extensible: APIs to replicate data out of and into Oracle Internet Directory.
–Single Sign-on is also possible with EUS.

How does EUS work?
Databases and applications authenticate their users through Oracle's Directory Services. [Diagram: Oracle Internet Directory]

How does EUS work?
Oracle 8i introduced the capability to store user information in a centralized directory. At logon the database checks DBA_USERS. If the user name DOES NOT exist in the local data store, the database checks whether EUS is enabled. If the user name DOES exist within the directory, the database verifies that a valid mapping exists between the user name and a database schema. If one does, the database retrieves a password verifier from the directory and compares it with the password submitted by the user.

How does EUS work?
Multiple OID users can be mapped to one database schema.

How does EUS work?
EUS roles must be mapped to database roles. [Diagram: OID Roles – Example role 1, Example role 2, Example role 3]

How Does EUS Work?
In OID, databases can be placed within realms (i.e. dc=mycompany,dc=com). Each realm can contain multiple domains. This is useful for:
–Having production, test, and dev realms with the same roles and users but with different privileges.
–Managing different sets of users for different domains within the same company (i.e. manufacturing is separated from HR).
Roles are unique within a domain. Database user to OID user mapping is also unique within a domain.

Enterprise User Events
With the ability to subscribe to events within the directory, applications can automatically provision users. [Diagram: Applications subscribe to events; Oracle Internet Directory – Provisioning and Integration Server delivers an event notification callback]

Tools you need.
Database Version | Enterprise Security Manager | Oracle Directory Manager | DBCA | Oracle Wallet Manager
9i  | Server or client $ORACLE_HOME | Very Useful | Required
10g | Client $ORACLE_HOME only      | Very Useful | Required
11g | Part of Database Control      | Very Useful | Required

Before Implementation
Decide on your roles. To simplify administration, in our use case we created three global roles:
–DBA
–Application Support
–Developer
Each database also had a create_session role in OID. By default all users are mapped to all databases and given the role of their job (DBA, Application Support, or Developer). When someone needs access to a database they are simply granted the create session role. This simplifies and automates 90% of user setup when a new database is created.
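As an added example, not from the presentation, this is the database side of the role design above: one shared schema that OID users are mapped to, the three job roles plus the per-database create_session role created as global roles, and a check that they really are global (directory-controlled). Object names are assumed.

```sql
-- Added example: database-side objects for the EUS role design.
-- Names (eus_shared, eus_*) are assumptions; run as a DBA in each
-- database registered in OID with DBCA.

-- 1. Shared schema. IDENTIFIED GLOBALLY AS '' (empty DN) means any directory
--    user whose OID mapping points at this schema can connect; there is no
--    local password, so the directory is the only authentication path.
CREATE USER eus_shared IDENTIFIED GLOBALLY AS '';

-- 2. Global roles: they cannot be granted locally, membership comes only from
--    the OID enterprise role that is mapped to them. Privileges are attached
--    locally, so each database decides what "Application Support" means there.
CREATE ROLE eus_create_session IDENTIFIED GLOBALLY;
CREATE ROLE eus_developer      IDENTIFIED GLOBALLY;
CREATE ROLE eus_app_support    IDENTIFIED GLOBALLY;
CREATE ROLE eus_dba            IDENTIFIED GLOBALLY;

-- Only the per-database role carries CREATE SESSION: a user holding a job
-- role but not this one is mapped to the schema yet still cannot log in.
GRANT CREATE SESSION            TO eus_create_session;
GRANT SELECT ANY DICTIONARY     TO eus_app_support;
GRANT CREATE TABLE, CREATE VIEW TO eus_developer;
GRANT DBA                       TO eus_dba;

-- 3. Check: global schema and roles report 'GLOBAL' instead of a password.
SELECT username, password FROM dba_users WHERE username = 'EUS_SHARED';
SELECT role, password_required FROM dba_roles WHERE role LIKE 'EUS%';

-- 4. Accountability: every mapped user shares the schema name, so audit on the
--    directory DN of the session, not on USER.
SELECT SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') AS directory_dn FROM dual;
```

If the `dba_users` or `dba_roles` query shows anything other than `GLOBAL`, the object was created with a local password and OID mappings to it will not work.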

LDS Church Implementation
Setup and install issues:
–Separating the database from the application server (undocumented ports).
–Moved to an appliance model. This allowed us to convince architecture to put a database in the application zone.
–Wallets: 9i requires type-3 SSL (requires SSL certs on both sides). Make sure you have access to a certificate authority or have your boss buy off on creating your own. 10g uses type-1 SSL (no SSL certificates required). 11g wallet creation is broken in DBCA. See metalink note [number missing from transcript].

Password Policies
OID [version missing from transcript] and on allow password policies to be set at any level within the directory. Prior to [version missing from transcript], only realms can have password policies (this presents a problem). Password policies apply to databases as well as users. For older OID installations you may wish to register databases in a different realm than users to avoid this issue. Policies within OID are not enforced on users when they log on to the database: the database logs on to OID using its own password and then only verifies the password for the user.

After OID is installed
Create a new configuration set. This can save you from invalid changes.

Adding Users and DBs to OID
The default interface to OIDDAS is [URL missing from transcript]. User roles within OIDDAS are not the same as EUS roles. DBCA will register the database within OID; this adds all of the OID entries required for EUS.

Using OIDDAS to Add Users

Adding Databases to OID
–DBCA Registration
–Using ESM to Assign a Domain (10g, 11g)
–Create Groups Within a Domain

Using Enterprise Security Manager to Map OID users to DB Users

Examples of Events Available for Applications to Subscribe
–User Add
–User Delete
–User Changed

Steps to subscribing to events
For PL/SQL:
–Create a package that contains the following functions:

FUNCTION user_exists (
  user_name IN VARCHAR2,
  user_guid IN VARCHAR2,
  user_dn   IN VARCHAR2
) RETURN NUMBER;

FUNCTION group_exists (
  group_name IN VARCHAR2,
  group_guid IN VARCHAR2,
  group_dn   IN VARCHAR2
) RETURN NUMBER;

FUNCTION event_ntfy (
  event_type  IN VARCHAR2,
  event_id    IN VARCHAR2,
  event_src   IN VARCHAR2,
  event_time  IN VARCHAR2,
  object_name IN VARCHAR2,
  object_guid IN VARCHAR2,
  object_dn   IN VARCHAR2,
  profile_id  IN VARCHAR2,
  attr_list   IN LDAP_ATTR_LIST
) RETURN NUMBER;

Steps to subscribing to events
–Use oidprovtool to set up an application subscription.
–Start the odisrv process to begin the subscription.

oidprovtool operation=create \
  ldap_host=localhost ldap_port=389 \
  ldap_user_dn="cn=orcladmin" ldap_user_password=iougtest0 \
  application_dn="cn=portal,cn=Products,cn=OracleContext,dc=localdomain,dc=com" \
  organization_dn="dc=localdomain,dc=com" \
  interface_name=userprov.oid_event interface_type=PLSQL \
  interface_connect_info=localhost:1521:oid03:userprov:iougtest0 \
  schedule=60 \
  event_subscription="USER:dc=localdomain,dc=com:DELETE" \
  event_subscription="GROUP:dc=localdomain,dc=com:DELETE" \
  event_subscription="USER:dc=localdomain,dc=com:MODIFY(orclDefaultProfileGroup, userpassword)" \
  event_subscription="GROUP:dc=localdomain,dc=com:MODIFY(uniqueMember)"

oidctl connect=oid03 server=odisrv instance=1 configset=0 start
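As an added example, not from the presentation, here is a body for the userprov.oid_event package whose spec appears above, keeping an application's own user table in step with the directory events it subscribed to. The app_users table, the event-type strings (USER_DELETE etc.), the LDAP_ATTR field name attr_name and the 1/0 return convention are assumptions taken from the DIP PL/SQL interface; verify them against your OID release before relying on them.

```sql
-- Added example: body for the package named in interface_name=userprov.oid_event.
-- app_users, the event-type strings, attr_name and the return codes are assumed.
CREATE TABLE app_users (
  guid       VARCHAR2(32)   PRIMARY KEY,   -- stable key; a DN can be renamed
  dn         VARCHAR2(1024) NOT NULL,
  user_name  VARCHAR2(256)  NOT NULL,
  status     VARCHAR2(8)    DEFAULT 'ACTIVE' NOT NULL,
  last_event VARCHAR2(64)
);

CREATE OR REPLACE PACKAGE BODY oid_event AS
  FUNCTION user_exists(user_name IN VARCHAR2, user_guid IN VARCHAR2,
                       user_dn IN VARCHAR2) RETURN NUMBER IS
    n PLS_INTEGER;
  BEGIN
    SELECT COUNT(*) INTO n FROM app_users
     WHERE guid = user_guid AND status = 'ACTIVE';
    RETURN CASE WHEN n > 0 THEN 1 ELSE 0 END;      -- 1 = exists (assumed)
  END user_exists;

  FUNCTION group_exists(group_name IN VARCHAR2, group_guid IN VARCHAR2,
                        group_dn IN VARCHAR2) RETURN NUMBER IS
  BEGIN
    RETURN 0;   -- groups are handled by EUS role mapping, not by this app
  END group_exists;

  FUNCTION event_ntfy(event_type IN VARCHAR2, event_id IN VARCHAR2,
                      event_src IN VARCHAR2, event_time IN VARCHAR2,
                      object_name IN VARCHAR2, object_guid IN VARCHAR2,
                      object_dn IN VARCHAR2, profile_id IN VARCHAR2,
                      attr_list IN LDAP_ATTR_LIST) RETURN NUMBER IS
    changed VARCHAR2(64) := event_type;
  BEGIN
    -- All directory values are bound, never concatenated into SQL text, so a
    -- crafted cn or DN in the directory cannot inject into these statements.
    IF event_type = 'USER_DELETE' THEN
      -- Disable rather than delete: the row is the audit trail of who existed.
      UPDATE app_users SET status = 'DELETED', last_event = event_type
       WHERE guid = object_guid;
    ELSE  -- USER_ADD / USER_MODIFY: record which attributes changed
      FOR i IN 1 .. NVL(attr_list.COUNT, 0) LOOP
        changed := SUBSTR(changed || ':' || attr_list(i).attr_name, 1, 64);
      END LOOP;
      MERGE INTO app_users a USING (SELECT object_guid g FROM dual) s ON (a.guid = s.g)
      WHEN MATCHED THEN UPDATE SET dn = object_dn, user_name = object_name,
                                   status = 'ACTIVE', last_event = changed
      WHEN NOT MATCHED THEN INSERT (guid, dn, user_name, last_event)
                            VALUES (object_guid, object_dn, object_name, changed);
    END IF;
    COMMIT;
    RETURN 1;                                      -- 1 = event consumed (assumed)
  EXCEPTION
    WHEN OTHERS THEN ROLLBACK; RETURN 0;           -- 0 = not consumed, DIP retries
  END event_ntfy;
END oid_event;
```

With the MODIFY(userpassword) subscription shown above, last_event for a user will read USER_MODIFY:userpassword after a directory password change, which gives the application a simple place to watch for unexpected credential changes.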

Integration with Other LDAP Compliant Directories

Integration Server Setup
A step-by-step setup guide for Active Directory can be found in metalink note [number missing from transcript]. Uses the same server (odisrv) as event subscription. Automated configuration is available by using scripts that reside in $ORACLE_HOME/ldap/odi/admin.

Oracle Virtual Directory
–What is OVD?
–How does it compare to OID?
–When should you use it?

Items Learned in this Session
Today we covered:
–How Enterprise User Security can benefit you.
–How to set up Enterprise User Security.
–Things to look out for when setting up your environment.
–How you can integrate Enterprise User Security into your environment.

Questions?

LAB

Thank You
Thank you for attending our session "Enterprise User Security – One Company's Experience", Session #102.
–Please fill out your evaluation forms.
–If you have further questions you can contact Kyle Brokaw at [contact address missing from transcript].
"Without education we are in a horrible and deadly danger of taking educated people seriously." G. K. Chesterton