Presentation is loading. Please wait.

Presentation is loading. Please wait.

The following is intended to outline our general product direction

Published byMolly Phillips Modified over 11 years ago

Similar presentations

Presentation on theme: "The following is intended to outline our general product direction"— Presentation transcript:

1

2 The following is intended to outline our general product direction
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

3 Oracle Database Integration with Active Directory and Windows Security
Christian Shay Principal Product Manager, Windows Technologies Oracle USA

4 <Insert Picture Here>
Agenda <Insert Picture Here> Database Registration and Name Resolution Single Sign-On Windows Native Authentication Kerberos Security Integration for .NET Applications Enterprise User Security and Virtual Directory

5 Database Registration and Name Resolution Overview
Store and resolve Net names through Active Directory Eliminate tnsnames.ora on clients Centralize configuration, reduce administration Authenticated connection to Active Directory (11g) AD no longer needs to allow anonymous access Enhanced tools support for storing Net naming AD Users and Computers Oracle DB Configuration Assistant, Net Configuration Assistant and Net Manager

6 Database Registration and Name Resolution
Client OS Server OS AD OID Comments Windows Yes Any Tools for registering Net Service in AD must be run on Windows Linux/Unix No AD Integration solutions can help

7 Database Registration and Name Resolution Configuration/Administration
1 – Ensure that Administrator can modify Schema in Active Directory 2 – Register Schema using NetCA 5 - Configure Directory Naming and Directory Usage (AD) using NetCA Windows Environment 3 - Create Naming Context using NetCA Client Systems Active Directory 4 - Register database in AD using DBCA or Net Manager Repository of Database Names and Connect Descriptors

8 Database Registration and Name Resolution Run-time
Repository of Database Names and Connect Descriptors Active Directory 3 - Retrieves Connect Descriptor 1 – User signs on to Desktop Oracle Database 4 - Connect to Database using Connect Descriptor 2 – User issues Connect Request (Any Platform)

9 Database Registration and Name Resolution Demo Environment
Machine Name: xpclient.adnet.dev User: oracle Database Server: orcl Machine Name: w2k3s.adnet.dev Domain: adnet.dev Windows Server EE SP1 (Domain Controller) Windows XP SP2 Tools installed Support Tools (under Support directory on CD) -- ADSI  Edit is part of it Admin Tools (under i386 directory on CD) -- AD users & computers, etc (These are available on Windows 2003 media,)

10 Database Registration and Name Resolution
D E M O N S T R A T I O N Database Registration and Name Resolution

11 Database Registration and Name Resolution Summary
Ensure that Administrator can modify Schema in Active Directory Register Schema using NetCA (one time for the entire AD forest) Create Naming Context using NetCA (once per domain) Register Database in AD using DBCA or Net Manager Configure Directory Naming and Directory Usage (AD) using NetCA (on systems that want to use AD) Set NAMES.LDAP_AUTHENTICATE_BIND=Yes in SQLNET.ORA on all 11g client systems To support pre-11g clients Enable anonymous bind in AD Change ACLs for Oracle Naming Context and Database/Net Services objects to allow anonymous access Please refer to the white paper Configuring Microsoft Active Directory for Net Naming for detailed information

12 Single Sign-On

13 Single Sign-On Authentication Client OS Server OS Comments
Windows Native Authentication Windows Included and configured in all db editions MS KDC is used implicitly Uses External Users mechanism Enterprise User Security not supported Direct support of Windows group membership for role authorization Kerberos Any EE and ASO option needed MS KDC is supported Uses External Users mechanism (by default) Enterprise User Security supported EUS and AD integration solutions needed to support authorization through Windows group membership

14 Windows Native Authentication Basics
All of this is preconfigured; We use it internally ORA_DBA: All members get SYSDBA privileges ORA_OPER: all members get SYSOPER privileges ORA_ORCL_DBA: … get SYSDBA on ORCL only For any other Windows user, an external user needs to be created in Oracle DB create user “Sales\frank” identified externally; Windows groups can be used to assign roles (if os_roles is true) create role sales identified externally; Corresponding Windows group for a database with SID orcl: ORA_orcl_sales_d if this should be a default role If Oracle Administration Assistant is used, it makes appropriate changes in AD and Database

15 Windows Native Authentication
Enabled by default and can work across systems Windows user logon credentials used for database authentication Authentication protocol (Kerberos or NTLM) negotiated based on OS and Domain Controller Authorization can be granted through Windows group membership Pre-defined Windows groups for DBAs and Operators Uses Oracle External Users and External Roles mechanisms Oracle Administration Assistant can be used to manage user authentication and role authorization This feature is completely independent of Database Registration and Name Resolution feature

16 Windows Native Authentication
1 - User signs on to desktop Active Directory/KDC 3 – Negotiate security protocol and exchange security tokens 2 - User attempts to sign on to Oracle 5 – Find Windows Group memberships (if os_roles is true) 4 - Identify as a specific External User 6 – Assign roles based on database roles or group memberships (based on os_roles)

17 Windows Native Authentication Configuration
Set os_authent_prefix to “” (null) in init.ora By default it is set to OPS$ (for backward compatibility) Ensure that sqlnet.authentication_services is set to NTS in sqlnet.ora (default set up) DO NOT: Set remote_os_authent in init.ora (default value false is correct). Set os_auth_prefix_domain in Registry (default value true is correct) Set os_roles to true in init.ora if you want to use Windows Group Membership for role authorization

18 Windows Native Authentication
D E M O N S T R A T I O N Windows Native Authentication

19 Kerberos Authentication
Integrated with Microsoft Key Distribution Center (MSKDC) Supports heterogeneous systems A Windows client can connect to a non-Windows server and vice versa Uses External User mechanisms in Database Can also be supported with Enterprise User Security EE and ASO (Advanced Security Option) feature

20 Kerberos Enhancements in 11g
Stronger encryption algorithms (DES3, AES, RC4) Support default encryption type supported by MS KDC Encryption type configuration no longer needed in Registry Use DNS Domain Name as Kerberos REALM name by default Mapping between DNS Domain Name and Kerberos REALM name longer needed in kerberos config file Kerberos authentication to Oracle database in a MS cross-domain setup Removal of 30 character limit on the Kerberos user name

21 Kerberos Authentication Configuration
Create Kerberos and sqlnet configuration files on clients and severs using Oracle Net Manager Create users in Active Directory for Client and Database Server (for non-windows clients or servers) Use ktpass utility to create keytab file and copy to DB server node Obtain an initial ticket for the kerberos user Set os_authent_prefix to “” in init.ora DO NOT: Set remote_os_authent in init.ora. (default value FALSE is correct)

22 Kerberos Authentication
MS KDC User signs on to desktop User attempts to sign on to Oracle Database Identify as a specific External User and assign database roles accordingly Example: SQL> CREATE USER KRBUSER IDENTIFIED EXTERNALLY AS SQL> Grant connect, resource to KRBUSER;

23 Security Integration for .NET Applications

24 Security Integration for .NET Applications
OS Authenticated Connection Pool in Oracle Data Provider for .NET Support pooling of OS authenticated users using Windows identity ASP.NET Membership and Role Provider Validate and manage user and authorization information for your ASP.NET web applications in Oracle Database

25 Oracle Virtual Directory: Centralize DB User Account Management

26 Audience Questions How many have user accounts in AD? Sun? OID?
How many have databases on an OS besides Windows? How many can provide your CIO with an audit report verifying DBA and DB user access? How many can disable DBA access by disabling a password in a single repository ? Ask for any questions

27 Centralize Oracle Database Account Management
Organizations have many databases on variety of platforms Organization have implemented enterprise directory services Oracle Enterprise User Security is all about how to centralize database account management Oracle Enterprise User Security allows to externalize database accounts and roles to an LDAP server Oracle Virtual Directory allows EUS to work with 3rd party directories, not just OID

28 Oracle Virtual Directory Overview
Oracle Virtual Directory lets organizations rapidly deploy applications by providing a unified view of identity without synchronization.

29 Case Study – MKB Bank (Hungary) Database Security
Business Challenges Built Database Warehouse for reporting Wanted to leverage Active Directory & existing provisioning to manage credentials and role membership Did not want to synchronize to another directory Oracle Solution Return On Investment Enterprise User Security & OVD OVD connects to AD EUS allows employees to use Windows password and existing provisioning system to manage access Allowed to rapidly deploy secure access to Database warehouse Did not need to bring up yet another directory service just to manage database accounts Eliminated help desk calls Story Line: MKB needed to provide secure access to their data warehouse application. They decided to use Enterprise User Security and used OVD to map EUS accounts to data in their Active Directory domains. This sped up their deployment and eliminated need to synchronize data to another directory or databases.

30 Summary EUS centralizes database account management into a directory
EUS works across heterogeneous operating systems OVD enables EUS to work with 3rd party directories without synchronization

31 For More Information Windows Server System Center
Oracle Net Services (AD White Paper and more) .NET Developer Center (ASP.NET Providers) Oracle Virtual Directory (OVD) My

32 Q & Q U E S T I O N S A N S W E R S A

33 For More Information search.oracle.com or oracle.com

34

Download ppt "The following is intended to outline our general product direction"

Similar presentations

automated single login access to Novell storage resources

automated single login access to Novell storage resources
Getting Started with Oracle and .NET

Getting Started with Oracle and .NET
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Enable Bring Your Own Device with SCCM 2012 David Caddick Solutions Architect, Quest Software WCL315.

Enable Bring Your Own Device with SCCM 2012 David Caddick Solutions Architect, Quest Software WCL315.
1.

1.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Active Directory and NT Kerberos Rooster JD Glaser.

Active Directory and NT Kerberos Rooster JD Glaser.
Managing User, Computer and Group Accounts

Managing User, Computer and Group Accounts
Copyright © 2005, SAS Institute Inc. All rights reserved. User Authentication and Single Sign-on Across the SAS ® 9 Platform Larry Noe and Scott Sweetland,

Copyright © 2005, SAS Institute Inc. All rights reserved. User Authentication and Single Sign-on Across the SAS ® 9 Platform Larry Noe and Scott Sweetland,
Chapter Five Users, Groups, Profiles, and Policies.

Chapter Five Users, Groups, Profiles, and Policies.
Extern name server - translates addresses of e-mails messages - enables users to use e-mail aliases - … ID cards system - controls entrance to buildings,

Extern name server - translates addresses of s messages - enables users to use aliases - … ID cards system - controls entrance to buildings,
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
© N. Ganesan, Ph.D., All rights reserved. Active Directory Nanda Ganesan, Ph.D.

© N. Ganesan, Ph.D., All rights reserved. Active Directory Nanda Ganesan, Ph.D.
Active Directory and Windows Security Integration with Oracle Database Alex Keh Principal Product Manager, Windows and.NET Oracle.

Active Directory and Windows Security Integration with Oracle Database Alex Keh Principal Product Manager, Windows and.NET Oracle.
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google