Enterprise Security Reloaded
DOAG Security Day 2016, 17.03.2016
Jan Schreiber, Loopback.ORG GmbH (slides published on loopback.org, 2016-04-05)


Slide 2: About the speaker

Jan Schreiber, Loopback.ORG GmbH, Hamburg
  • Database operations & security
  • Data warehouse & business intelligence
  • Oracle architecture & performance

Slide 3: Default accounts

Excerpt from Table 8-2, "Oracle 9i Default Accounts and Passwords", in the Oracle 9i documentation:

  User        Password
  SYSTEM      MANAGER
  SCOTT       TIGER
  OLAPSYS     OLAPSYS
  ANONYMOUS   ANONYMOUS

These credentials are public knowledge; on 11g and later the view DBA_USERS_WITH_DEFPWD lists every account that still uses its documented default password.

Slides 4 and 5: cartoons (source: XKCD)

Slide 6: Oracle password hash algorithms

  Legacy (pre-11g):  DES-based hash of upper(username || password)
  11g ("S:"):        password hash (20 bytes) = sha1(password + salt (10 bytes))
  11g ("H:"):        md5digest('USER:XDB:password')
  12.1.0.2 ("T:"):   PBKDF2-based SHA-512 hash

Example SYS.USER$.SPARE4 value of one account (the line wrap in the T: part is a slide artifact):

  S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;
  H:DC9894A01797D91D92ECA1DA66242209;
  T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C

The S: part is 40 hex characters of SHA-1 followed by the 20-hex-character salt; the T: part is 128 hex characters of SHA-512 followed by a 32-hex-character salt. The salts are stored in the clear, so anyone who can read SPARE4 can run an offline guess against the 11g and 12c verifiers; only the legacy DES hash is case-insensitive.
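As an added example (not code from the presentation), the three verifiers listed on this slide recomputed with the standard library, so that a stored SPARE4 string can be checked against a candidate password the way a cracker or an audit script would. The S: and H: constructions are exactly the slide's formulas; for the T: part the iteration count 4096 and the constant 'AUTH_PBKDF2_SPEEDY_KEY' appended to the salt are taken from the public analyses of the 12c format (John the Ripper and hashcat implement them), not from the slide, and are marked as assumptions. The pre-11g DES hash is left out because hashlib has no DES. The sample account SCOTT/tiger is constructed here.

```python
import hashlib
import os
from typing import Dict, Optional

PBKDF2_ROUNDS = 4096                      # assumption: iteration count of the 12c T: verifier
SPEEDY_KEY = b"AUTH_PBKDF2_SPEEDY_KEY"    # assumption: constant appended to the 16-byte salt


def s_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """11g 'S:' part: SHA-1(password || salt[10]) as hex, followed by the salt as hex."""
    salt = os.urandom(10) if salt is None else salt
    if len(salt) != 10:
        raise ValueError("11g salt is 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return (digest + salt).hex().upper()


def h_verifier(username: str, password: str) -> str:
    """11g 'H:' part: MD5('USER:XDB:password'), the HTTP digest verifier used by XDB."""
    return hashlib.md5(f"{username.upper()}:XDB:{password}".encode("utf-8")).hexdigest().upper()


def t_verifier(password: str, salt: Optional[bytes] = None) -> str:
    """12.1.0.2 'T:' part: PBKDF2-HMAC-SHA512(password, salt[16] || SPEEDY_KEY, 4096, 64 bytes),
    then SHA-512(derived_key || salt); hex of the digest followed by hex of the salt."""
    salt = os.urandom(16) if salt is None else salt
    if len(salt) != 16:
        raise ValueError("12c salt is 16 bytes")
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt + SPEEDY_KEY,
                              PBKDF2_ROUNDS, dklen=64)
    digest = hashlib.sha512(key + salt).digest()
    return (digest + salt).hex().upper()


def make_spare4(username: str, password: str) -> str:
    """Assemble a SYS.USER$.SPARE4-style string 'S:...;H:...;T:...' with fresh salts."""
    return (f"S:{s_verifier(password)};H:{h_verifier(username, password)};"
            f"T:{t_verifier(password)}")


def parse_spare4(value: str) -> Dict[str, str]:
    """Split 'S:...;H:...;T:...' into the verifiers that are present (whitespace ignored)."""
    parts = {}
    for item in value.replace(" ", "").replace("\n", "").split(";"):
        tag, _, hexval = item.partition(":")
        if tag in ("S", "H", "T") and hexval:
            parts[tag] = hexval.upper()
    return parts


def check_password(value: str, username: str, password: str) -> Dict[str, bool]:
    """Recompute each stored verifier with the candidate password, reusing the salt
    that sits in the clear at the end of the S: and T: hashes."""
    parts = parse_spare4(value)
    result = {}
    if "S" in parts:
        result["S"] = s_verifier(password, bytes.fromhex(parts["S"][40:])) == parts["S"]
    if "H" in parts:
        result["H"] = h_verifier(username, password) == parts["H"]
    if "T" in parts:
        result["T"] = t_verifier(password, bytes.fromhex(parts["T"][128:])) == parts["T"]
    return result


if __name__ == "__main__":
    stored = make_spare4("SCOTT", "tiger")            # constructed sample, not a real account
    print(stored)
    print(check_password(stored, "SCOTT", "tiger"))   # every verifier matches
    print(check_password(stored, "SCOTT", "TIGER"))   # none matches: 11g/12c verifiers are case-sensitive
```

The H: verifier uppercases the user name because Oracle stores unquoted names in upper case, while the password keeps its case in all three verifiers; the slide's own SPARE4 value parses with `parse_spare4` as well, but its password is not known, so the check above is run on the constructed account.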

Slide 7: LDAP directory integration

  Database client --(1) connect Leonard.Nimoy / BIGDB--> Oracle DB
  Oracle DB --(2) request Leonard.Nimoy--> LDAP server
  LDAP server --(3) returns Leonard.Nimoy--> Oracle DB
  Oracle DB: verifies the password hash, maps the user to roles and a schema
  LDAP server: store for users, roles and the EUS configuration

  SQL> alter user ... identified externally;

Slide 8: "One cross each": password hashes in the directory

Slide 9: Active Directory integration

Three ways to tie the database to AD. In every variant the database client (SQL*Plus, Java, etc.) authenticates against the DB farm, which maps users, schema and roles through the directory.

Synchronization:
  • no AD schema changes needed
  • an AD agent must run on the AD domain controllers and read clear-text passwords
Proxy:
  • AD schema changes needed
  • a password filter must run on the AD domain controllers
  • AD update rights are required
Virtualization:
  • only one AD schema change: orclCommonAttribute
  • separation of duties between DBA and AD administration

Diagram variants: OVD in front of AD and OID (hashes and groups); Oracle OID synchronized from AD via DIP, with the oidpwdcn.dll password filter; OUD proxying AD (hashes, groups) with oidpwdcn.dll and the orclCommonAttribute schema extension.

Slide 10: Kerberos integration with AD

Components: client PC with ticket cache; AD domain controller acting as Key Distribution Center (KDC) with Authentication Service (AS) and Ticket Granting Service (TGS); DB server.

  (1) domain logon: user and password, authentication at the AS
  (2) credential check on the domain controller
  (3) user ticket (TGT) issued
  (4) TGT stored in the client's ticket cache
  (5) client requests a service ticket (ST) for the application server, presenting the TGT
  (6) TGS validates the TGT
  (7) ST returned to the client and cached
  (8) client presents the ST to the DB server
  (9) DB server validates the ST; both sides now share a session key

The DB server never sees the user's password; it only needs its own service key (the keytab, slide 19) to validate the ST.

Slide 11: PKI authentication

  User / application (private key) <--SSL handshake--> Database (private key)
  Certification authority (CA): signs User.csr and returns the user and CA certificates to the client; signs DB.csr and returns the DB and CA certificates to the server

Slide 12: Enterprise User Security (EUS)

  Oracle Internet Directory                          Databases
  Enterprise users: User, DBA                         Global roles: RoleUserGlobal1, RoleUserGlobal2, RoleDBAGlobal
  Enterprise roles: RoleEnterpriseUser,               Local roles / privileges: RoleUserLocal1, RoleUserLocal2, Resource, DBA
                    RoleEnterpriseDBA

Enterprise users in OID are granted enterprise roles; each enterprise role maps to global roles in the individual databases, and the global roles carry the local roles and privileges. Authorization is therefore managed once in the directory rather than per database.

Slide 13: AD integration with Oracle Unified Directory (OUD) & Kerberos

  Database client (SQL*Plus, Java, etc.; holds a Kerberos ticket) --> DB farm --(EUS)--> OUD (maps users, schema, roles; groups; Oracle Context) --> AD

OUD proxy setup:
  • a read-only AD user
  • read permission on the database user entries in AD
  • Oracle Context in the LDAP directory
  • software: OUD, WebLogic, ADF
  • also works with EUS

  [linux7 Oracle_OUD1]$ ./oud-proxy-setup
  [linux6]$ okinit testuser
  [linux7]$ oklist

Slide 14: Secure External Password Store (1)

  $ orapki wallet create -wallet "/u01/app/oracle/wallet" -auto_login_local
  Oracle PKI Tool : Version 11.2.0.4.0 - Production
  Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
  Enter wallet password:

  $ sqlplus /@ORCL
  SQL*Plus: Release 12.1.0.2.0 Production on Wed Jan 13 15:38:50 2016
  Copyright (c) 1982, 2014, Oracle. All rights reserved.
  ERROR:
  ORA-12578: TNS:wallet open failed
  Enter user-name:

An auto_login_local wallet can only be opened by the user who created it, on the host where it was created; opened anywhere else the client reports ORA-12578: TNS:wallet open failed.

Slide 15: Secure External Password Store (2)

Layout of cwallet.sso as worked out on the slide:

  0x00 - 0x4C  header
    0x00 - 0x02  always A1 F8 4E (wallet recognition?)
    0x03         type: SSO = 36, LSSO = 38 (auto_login_local)
    0x04 - 0x06  00 00 00
    0x07         version (10g: 05, 11g: 06)
    0x08 - 0x0A  00 00 00
    0x0B - 0x0C  11g: always 41 35
    0x0D - 0x1C  DES key
    0x1D - 0x4C  DES secret (DES, CBC, PKCS#7 padding) containing the PKCS#12 password
  0x4D - EOF   PKCS#12 data (ASN.1 block)

  $ ./ssoDecrypt.sh ../PX-Linux11/cwallet.sso
  sso key: c29XXXXXXXXXX96
  sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
  p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c

The key that protects the PKCS#12 password sits in the same file as the ciphertext, so read access to cwallet.sso is equivalent to holding the stored credentials. File permissions on the wallet directory, not the encryption, are the control that matters.
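As an added example (not the presenter's ssoDecrypt.sh), a parser that splits a cwallet.sso into the fields of the header layout given on this slide and reports what a reader of the file obtains. The byte offsets, magic, type and version codes are the slide's; the function names, the `exposure` summary and the sample file (a header with placeholder key and secret bytes in front of a fake DER blob) are this example's and are constructed, not a real wallet. The DES-CBC decryption of the secret is deliberately not implemented (no DES in the standard library); the parser only locates key, secret and PKCS#12 data.

```python
from typing import Dict

MAGIC = bytes.fromhex("A1F84E")              # first three bytes of every cwallet.sso (slide)
WALLET_TYPES = {0x36: "SSO", 0x38: "LSSO"}  # auto_login vs auto_login_local (slide)
VERSIONS = {0x05: "10g", 0x06: "11g"}        # slide
HEADER_LEN = 0x4D                             # PKCS#12 data starts here (slide)


def parse_cwallet_sso(data: bytes) -> Dict[str, object]:
    """Split a cwallet.sso into the fields listed on the slide; no decryption."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 0x4D-byte header")
    if data[0:3] != MAGIC:
        raise ValueError("bad magic, not a cwallet.sso")
    if data[4:7] != b"\0\0\0" or data[8:11] != b"\0\0\0":
        raise ValueError("unexpected bytes in the zero-padded header fields")
    p12 = data[HEADER_LEN:]
    return {
        "type": WALLET_TYPES.get(data[3], f"unknown(0x{data[3]:02x})"),
        "version": VERSIONS.get(data[7], f"unknown(0x{data[7]:02x})"),
        "marker": data[0x0B:0x0D].hex(),          # 41 35 in the 11g wallets on the slide
        "des_key": data[0x0D:0x1D],                # key material stored next to the ciphertext
        "des_secret": data[0x1D:0x4D],             # DES-CBC/PKCS#7 ciphertext of the PKCS#12 password
        "p12_offset": HEADER_LEN,
        "p12_length": len(p12),
        "p12_is_der_sequence": len(p12) > 0 and p12[0] == 0x30,  # ASN.1 SEQUENCE tag
    }


def build_sample(wallet_type: int = 0x36, version: int = 0x06,
                 p12: bytes = b"\x30\x82\x01\x00" + b"\x00" * 256) -> bytes:
    """Constructed sample (not a real wallet): header per the slide plus a fake DER blob."""
    key = bytes(range(0x0D, 0x1D))      # 16 placeholder bytes where the DES key lives
    secret = bytes(range(0x1D, 0x4D))   # 48 placeholder bytes, six DES blocks
    header = (MAGIC + bytes([wallet_type]) + b"\0\0\0" + bytes([version]) + b"\0\0\0"
              + bytes.fromhex("4135") + key + secret)
    assert len(header) == HEADER_LEN
    return header + p12


def exposure(info: Dict[str, object]) -> str:
    """One-line summary of what read access to this file hands over."""
    scope = ("any user on any host" if info["type"] == "SSO"
             else "the creating user on the creating host")
    return (f"{info['type']} wallet ({info['version']}): auto-login usable by {scope}; "
            f"{len(info['des_key'])}-byte key and {len(info['des_secret'])}-byte encrypted "
            f"PKCS#12 password both readable from the header, PKCS#12 blob of "
            f"{info['p12_length']} bytes at offset 0x{info['p12_offset']:02X}")


if __name__ == "__main__":
    info = parse_cwallet_sso(build_sample())
    print(exposure(info))
```

Run against a real cwallet.sso the parser gives the same key and secret bytes the slide's ssoDecrypt.sh prints as "sso key" and "sso secret"; everything after offset 0x4D can be handed to a PKCS#12 tool once the password has been recovered.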

Slide 16: Separating the schema owner from the access users

  APPLICATION SCHEMA (owner account, not used for connections) <-- DB USER 1, 2, 3, ..., n

Application connections use dedicated access users with the privileges they need on the schema objects; the schema owner account stays unused for day-to-day access.

Slide 17: Cost/benefit analysis

Columns: Old wallets | AD Kerberos | SSL/PKI | EUS. Marks: ✔ yes, ★ partly, ✖ no. The extracted slide keeps the marks in column order but not the empty cells, so rows with fewer than four marks cannot be mapped to columns with certainty.

  Requirement                                        Marks
  Password protected against being read out          ★ ✔ ✔
  Less admin effort for password changes             ✖ ✔ ✔
  Better traceability of changes                     ✖ ✔ ✔
  Individual user identities                         ✖ ✔ ✔
  Central user management & password policies        ✔
  Central role management                            ✔
  Suitable for all kinds of access                   ★ ★
  CA required                                        ✔
  Kerberos roll-out required                         ✔
  Wallets can still be used                          ★ ✔
  Directory licence costs are incurred               (mark not preserved)

Slide 18: Kerberos: the SPN user account in AD (screenshot)

Slide 19: Kerberos key table

On the domain controller (principal reconstructed from the mapping line below):

  PS C:\Users\Administrator> ktpass.exe -princ oracle/ioaotow01.tested.lcl@TESTED.LCL -mapuser ioaotow01 -crypto RC4-HMAC-NT -pass XXX -out c:\ioaotow-hmac2.keytab -ptype KRB5_NT_PRINCIPAL
  Targeting domain controller: test-dchh01.tested.lcl
  Successfully mapped oracle/ioaotow01.tested.lcl to ioaotow01.
  Password successfully set!
  Key created.
  Output keytab to c:\ioaotow-hmac2.keytab:
  Keytab version: 0x502
  keysize 73 oracle/ioaotow01.tested.lcl@TESTED.LCL ptype 1 (KRB5_NT_PRINCIPAL) vno 13 etype 0x17 (RC4-HMAC) keylength 16 (0xbd54ec4ab1feb299c0969b67f1d9deb8)

On the database server:

  [oracle@ioaotow01 TESTDB-KERB5]$ oklist -k ioaotow01.keytab
  Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 13-JAN-2016 15:11:59
  Copyright (c) 1996, 2014 Oracle. All rights reserved.
  Service Key Table: ioaotow01.keytab
  Ver  Timestamp             Principal
  4    01-Jan-1970 01:00:00  oracle/ioaotow01.tested.lcl@TESTED.LCL

ktpass resets the password of the mapped account and echoes the raw key to the console, so the keytab and the console log are as sensitive as the account password. RC4-HMAC (etype 0x17) is the weakest of the current etypes; the 12c bug cited on slide 23 recommends AES keys in the keytab.
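As an added example (not the presenter's material), a writer and reader for the MIT keytab format version 0x0502 that ktpass produces, plus a check that flags keys with deprecated encryption types. The principal and realm are the slide's (oracle/ioaotow01.tested.lcl@TESTED.LCL); the key bytes are a constructed dummy, not the key printed by ktpass. The entry layout (entry size, component count, counted octet strings, name type, timestamp, 8-bit vno, etype, key, optional 32-bit vno) is the documented MIT format, and the sample reproduces the "keysize 73" ktpass printed for this principal with a 16-byte RC4 key.

```python
import struct
from typing import Dict, List, Tuple

ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac (RC4-HMAC)"}
WEAK_ETYPES = {1, 3, 23}      # DES and RC4-HMAC; slide 23 cites a 12c bug with arcfour keytabs
KRB5_NT_PRINCIPAL = 1

Entry = Tuple[str, int, bytes, int]   # (principal, etype, key, kvno)


def _octets(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _entry(principal: str, etype: int, key: bytes, kvno: int, timestamp: int = 0) -> bytes:
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _octets(realm.encode())
    for comp in components:
        body += _octets(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body     # entry size, then the entry


def build_keytab(entries: List[Entry]) -> bytes:
    """MIT keytab format version 0x0502 (what ktpass writes)."""
    return b"\x05\x02" + b"".join(_entry(*e) for e in entries)


def parse_keytab(data: bytes) -> List[Dict[str, object]]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def counted() -> str:
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            value = data[pos:pos + n].decode()
            pos += n
            return value

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:               # optional 32-bit kvno trailer overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, str(etype)), "key": key, "size": size})
    return entries


def weak_entries(entries: List[Dict[str, object]]) -> List[str]:
    """Principals whose key uses a deprecated encryption type."""
    return [f"{e['principal']} {e['etype_name']}" for e in entries if e["etype"] in WEAK_ETYPES]


if __name__ == "__main__":
    # Constructed sample: the slide's SPN with a dummy RC4 key and an AES-256 alternative.
    sample = build_keytab([
        ("oracle/ioaotow01.tested.lcl@TESTED.LCL", 23, bytes(range(16)), 13),
        ("oracle/ioaotow01.tested.lcl@TESTED.LCL", 18, bytes(range(32)), 13),
    ])
    for e in parse_keytab(sample):
        print(f"keysize {e['size']} {e['principal']} vno {e['kvno']} "
              f"etype 0x{e['etype']:x} ({e['etype_name']}) keylength {len(e['key'])}")
    print("weak:", weak_entries(parse_keytab(sample)))
```

Pointing `parse_keytab` at the real ioaotow01.keytab lists the same principal and kvno that `oklist -k` shows and, unlike oklist, names the etype, which is the field to check before the AES workaround from slide 23 is applied.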

Slide 20: Database Kerberos configuration

krb5.conf:
  dns_lookup_realm = false
  [domain_realm]
  .tested.lcl = TESTED.LCL
  tested.lcl = TESTED.LCL

sqlnet.ora, general settings:
  NAMES.DIRECTORY_PATH=(TNSNAMES, HOSTNAME)
  SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)

sqlnet.ora, Kerberos settings:
  SQLNET.KERBEROS5_CONF=/etc/krb5.conf
  SQLNET.KERBEROS5_CONF_MIT=true
  SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
  SQLNET.KERBEROS5_KEYTAB=/oracle/product/12.1.0/dbhome_1/network/admin/ioaotow01.keytab
  SQLNET.KERBEROS5_CC_NAME=/oracle/diag/krb/cc/krb5cc_99

Slide 21: Kerberos user login

  SQL> create user USER01 identified externally as 'user01@TESTED.LCL';
  User created.
  SQL> grant connect to user01;

  [oracle@ioaotow01 ~]$ okinit user01
  Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production
  Copyright (c) 1996, 2014 Oracle. All rights reserved.
  Password for user01@TESTED.LCL:

  [oracle@ioaotow01 ~]$ oklist
  Kerberos Utilities for Linux: Version 12.1.0.2.0 - Production on 08-FEB-2016 16:24:43
  Copyright (c) 1996, 2014 Oracle. All rights reserved.
  Ticket cache: /oracle/diag/krb/cc/krb5cc_99
  Default principal: user01@TESTED.LCL
  Valid Starting        Expires               Principal
  08-Feb-2016 14:11:20  08-Feb-2016 22:11:11  krbtgt/TESTED.LCL@TESTED.LCL
  08-Feb-2016 14:11:33  08-Feb-2016 22:11:11  oracle/ioaotow01.tested.lcl@TESTED.LCL
  08-Feb-2016 14:16:40  08-Feb-2016 22:11:11  oracle/ioaotow01.tested.lcl@TESTED.LCL

  [oracle@ioaotow01 ~]$ sqlplus /@TESTDB
  SQL*Plus: Release 12.1.0.2.0 Production on Mon Feb 8 16:24:51 2016
  Copyright (c) 1982, 2014, Oracle. All rights reserved.
  Last Successful login time: Mon Feb 08 2016 14:17:35 +01:00
  Connected to:
  Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
  With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
  SQL> show user;
  USER is "USER01@TESTED.LCL"

The principals were obfuscated in the extracted slide and are reconstructed from the realm TESTED.LCL and the SPN on slide 19. The connect string `/@TESTDB` carries no password; the credential is the service ticket in the cache named by SQLNET.KERBEROS5_CC_NAME.

Slide 22: Kerberos database login from a Windows PC (screenshot)

Slide 23: Kerberos & Database 12c

  • newly written Kerberos stack
  • RC4-HMAC-NT / Windows Server 2012
  • ORA-12638: Credential retrieval failed
    – SQLNET.AUTHENTICATION_SERVICES=(BEQ,TCPS,KERBEROS5PRE,KERBEROS5)
  • bugs ...

Reading list:
  • Doc ID 1958479.1: "Bug 19931730. The keytab has/uses arcfour-hmac encryption which currently has an open 12c bug: 19636771. The workaround for this is to use AES encryption in the keytab."
  • Doc ID 1611643.1: Bug 17497520: KERBEROS CONNECTIONS USING A 12C CLIENT AND THE OKINIT REQUESTED TGT ARE FAILING
  • Doc ID 182979.1: Oracle is not able to parse the krb5.conf file due to the tabs between the assignment operator in the domain-to-realm mapping section.
  • Doc ID 185897.1: Kerberos Troubleshooting Guide
  • Doc ID 1375853.1: Master Note For Kerberos Authentication
  • Doc ID 294890.1: WNA: Kinit Fails with Exception: krb_error 6 Client Not Found in Kerberos Database: "While creating the keytab file, SSO hostname value was given without specifying fully qualified domain"
  • Doc ID 2081984.1: How To Configure EUS Kerberos Authentication For Database Administrative Users (SYSDBA and SYSOPER): "On a 12c database sqlplus connection fails with ORA-1017 and this is caused by Bug 19307420: KERBEROS AUTHENTICATED EUS USER FAILS WITH ORA-01017 FOR ADMINISTRATIVE LOGIN."
  • Doc ID 1304004.1: Configuring ASO Kerberos Authentication with a Microsoft Windows 2008 R2 Active Directory KDC
  • Microsoft Technet: Service Logons Fail Due to Incorrectly Set SPNs
  • Laurent Schneider: The long long route to Kerberos
  • Microsoft Technet: FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain
  • Case Study: Configuring the Kerberos Adapter in a Windows Environment (Kevin Reardon, Consulting Technical Advisor)

Slide 24: PKI: certificates and wallets

Database server:
  1. Create an empty wallet
  2. Generate a key and a certificate request
  3. Have the request signed by the CA (e.g. CN=db12c)
  4. Import the CA certificate (CN=myCA)
  5. Import the signed certificate

Client:
  1. Create an empty wallet
  2. Generate a key and a certificate request
  3. Have the request signed by the CA (e.g. CN=jans)
  4. Import the CA certificate (CN=myCA)
  5. Import the signed certificate

Slide 25: PKI: server wallet

  $ mkdir $ORACLE_BASE/admin/loopds/pki
  $ orapki wallet create -wallet $ORACLE_BASE/admin/loopds/pki -auto_login -pwd XXX
  $ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -keysize 2048 -pwd XXX
  $ orapki wallet export -wallet $ORACLE_BASE/admin/loopds/pki -dn 'CN=db12c' -request ~/db12c.csr
  $ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert myca.pem -trusted_cert -pwd XXX
  $ orapki wallet add -wallet $ORACLE_BASE/admin/loopds/pki -cert db12c.pem -user_cert -pwd XXX

Passing -pwd on the command line leaves the wallet password in the shell history and in the process list while orapki runs; omit the flag to be prompted instead.

Slide 26: PKI: client wallet

  $ orapki wallet create -wallet $ORACLE_HOME/owm/wallets/client -auto_login -pwd XXX
  $ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -keysize 2048 -pwd XXX
  $ orapki wallet export -wallet $ORACLE_HOME/owm/wallets/client -dn 'CN=jans' -request ~/jans.csr
  $ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert myca.pem -trusted_cert -pwd XXX
  $ orapki wallet add -wallet $ORACLE_HOME/owm/wallets/client -cert jans.pem -user_cert -pwd XXX

Slide 27: Display wallet

  [oracle@linux11 ~]$ orapki wallet display -wallet /u01/app/oracle/product/11.2.0/dbhome_1/network/pki
  Oracle PKI Tool : Version 11.2.0.3.0 - Production
  Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.

  Requested Certificates:
  User Certificates:
  Subject:        CN=LOOPDS
  Trusted Certificates:
  Subject:        OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
  Subject:        CN=LBO Root Certificate II,OU=LoopCA,O=Loopback.ORG GmbH,O=Loopback.ORG,L=Hamburg,ST=No-State,C=DE
  Subject:        OU=Secure Server Certification Authority,O=RSA Data Security\, Inc.,C=US
  Subject:        CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
  Subject:        OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
  Subject:        OU=Class 2 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Besides the company CA (LBO Root Certificate II) the wallet still trusts the legacy public roots that orapki of that release adds by default. With SSL_CLIENT_AUTHENTICATION = TRUE every trusted root can issue a client certificate the database accepts, so remove all trust points except the CA that is meant to issue user certificates.

Slide 28: PKI: listener configuration (listener.ora)

  SSL_CLIENT_AUTHENTICATION = FALSE
  WALLET_LOCATION =
    (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/loopds/pki))
    )
  LISTENER =
    (DESCRIPTION_LIST =
      (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db12c.loopback.org)(PORT = 1521)))
      (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = db12c.loopback.org)(PORT = 2484)))
    )

The listener only terminates the TLS handshake and hands the session over; SSL_CLIENT_AUTHENTICATION = FALSE here is fine because the database server's sqlnet.ora (next slide) is where client certificates are demanded. The plain TCP endpoint on 1521 stays open in this configuration.

Slide 29: PKI: Net configuration (sqlnet.ora on the database server)

  SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
  NAMES.DIRECTORY_PATH= (TNSNAMES, HOSTNAME)
  SSL_CLIENT_AUTHENTICATION = TRUE
  WALLET_LOCATION =
    (SOURCE =
      (METHOD = FILE)
      (METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/loopds/pki))
    )

TCPS in SQLNET.AUTHENTICATION_SERVICES enables certificate-based login; SSL_CLIENT_AUTHENTICATION = TRUE makes the server request the client certificate during the handshake.
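As an added example (not code from the slides), a parser for the parenthesised name/value format of listener.ora and sqlnet.ora and the review a security engineer would run over the TLS settings of slides 28 and 29 and the Kerberos settings of slide 20. The two configuration texts embedded below are re-typed from slides 28 and 29; the parser, the `review` findings and their wording are this example's own.

```python
import re
from typing import Any, Dict, List, Tuple

_TOKEN = re.compile(r"#[^\n]*|[()=,]|[^\s()=,#]+")   # comments, punctuation, atoms


class _Parser:
    """Recursive descent for NAME = value, (KEY = value) groups and (A, B, C) lists."""

    def __init__(self, text: str):
        self.toks = [t for t in _TOKEN.findall(text) if not t.startswith("#")]
        self.i = 0

    def peek(self, k: int = 0):
        j = self.i + k
        return self.toks[j] if j < len(self.toks) else None

    def take(self, expect: str = None) -> str:
        tok = self.peek()
        if tok is None or (expect is not None and tok != expect):
            raise ValueError(f"expected {expect or 'a token'}, got {tok!r} at token {self.i}")
        self.i += 1
        return tok

    def file(self) -> Dict[str, Any]:
        params = {}
        while self.peek() is not None:          # later duplicates win, as in Oracle Net
            name = self.take().upper()
            self.take("=")
            params[name] = self.value()
        return params

    def value(self) -> Any:
        """An atom, a plain list like (BEQ, TCPS), or a run of (KEY = value) groups."""
        if self.peek() != "(":
            return self.take()
        groups = []
        while self.peek() == "(":
            groups.append(self.group())
        if len(groups) == 1 and isinstance(groups[0], list):
            return groups[0]
        return groups

    def group(self) -> Any:
        self.take("(")
        if self.peek(1) == "=":                 # (KEY = value) -> (KEY, value)
            key = self.take().upper()
            self.take("=")
            val = self.value()
            self.take(")")
            return (key, val)
        items = []                              # (A, B, C) -> ['A', 'B', 'C']
        while self.peek() != ")":
            tok = self.take()
            if tok != ",":
                items.append(tok.upper())
        self.take(")")
        return items


def parse_ora(text: str) -> Dict[str, Any]:
    return _Parser(text).file()


def walk(value: Any):
    """Every nested (KEY, value) pair of a parsed value, depth first."""
    if isinstance(value, list):
        for item in value:
            if isinstance(item, tuple):
                yield item
                yield from walk(item[1])


def endpoints(listener: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """(PROTOCOL, HOST, PORT) of every ADDRESS in a listener.ora."""
    found = []
    for value in listener.values():
        for key, sub in walk(value):
            if key == "ADDRESS":
                d = dict(sub)
                found.append((d.get("PROTOCOL", "").upper(), d.get("HOST", ""), d.get("PORT", "")))
    return found


def review(listener: Dict[str, Any], sqlnet: Dict[str, Any]) -> List[str]:
    """Findings for a listener.ora and the server-side sqlnet.ora."""
    findings = []
    protos = {e[0] for e in endpoints(listener)}
    if "TCPS" not in protos:
        findings.append("no TCPS endpoint: TLS and certificate login unavailable")
    if "TCP" in protos:
        findings.append("clear-text TCP endpoint still open")
    services = sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", [])
    if "TCPS" not in services:
        findings.append("SQLNET.AUTHENTICATION_SERVICES lacks TCPS: certificate login disabled")
    if str(sqlnet.get("SSL_CLIENT_AUTHENTICATION", "FALSE")).upper() != "TRUE":
        findings.append("SSL_CLIENT_AUTHENTICATION is not TRUE: client certificates not requested")
    if not any(k == "DIRECTORY" for k, _ in walk(sqlnet.get("WALLET_LOCATION", []))):
        findings.append("no WALLET_LOCATION directory: no server certificate or trust store")
    if "KERBEROS5" in services and "SQLNET.KERBEROS5_KEYTAB" not in sqlnet:
        findings.append("KERBEROS5 enabled without SQLNET.KERBEROS5_KEYTAB")
    return findings


LISTENER_ORA = """  # re-typed from slide 28
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/loopds/pki)))
LISTENER = (DESCRIPTION_LIST =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db12c.loopback.org)(PORT = 1521)))
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = db12c.loopback.org)(PORT = 2484))))
"""
SERVER_SQLNET_ORA = """  # re-typed from slide 29
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
NAMES.DIRECTORY_PATH= (TNSNAMES, HOSTNAME)
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = $ORACLE_BASE/admin/loopds/pki)))
"""

if __name__ == "__main__":
    for finding in review(parse_ora(LISTENER_ORA), parse_ora(SERVER_SQLNET_ORA)):
        print("finding:", finding)
```

Against the slides' own files the only finding is the clear-text TCP endpoint on 1521; feeding the Kerberos sqlnet.ora from slide 20 as the server file instead reports the missing SSL_CLIENT_AUTHENTICATION and WALLET_LOCATION, which is what a Kerberos-only server looks like, while the keytab check passes.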

Slide 30: Login with user/password over SSL

  $ sqlplus user/pwd@DB12C
  Connected.
  SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
  SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
  ------------------------------------------
  tcps
  SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
  SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
  ----------------------------------------------
  PASSWORD

The transport is encrypted (tcps) but the credential is still a password; only the next slide replaces it with the certificate.

Slide 31: PKI: login with a certificate

  SQL> create user JANS identified externally as 'CN=jans';
  SQL> grant create session to JANS;

  $ sqlplus /@DB12C
  Connected.
  SQL> select sys_context('USERENV', 'NETWORK_PROTOCOL') from dual;
  SYS_CONTEXT('USERENV','NETWORK_PROTOCOL')
  ------------------------------------------
  tcps
  SQL> select sys_context('USERENV', 'AUTHENTICATION_METHOD') from dual;
  SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')
  ----------------------------------------------
  SSL

The database user is tied to the certificate subject (CN=jans); the client wallet from slide 26 supplies the key and certificate, so the connect string carries no password.

Slide 32: PKI: JDBC

  • SSL can also be used via JDBC
  • integration is also possible with a keytool trust store

  import java.sql.Connection;
  import java.sql.DriverManager;
  import java.util.Properties;

  // TCPS endpoint of the listener (slide 28); servername/servicename are placeholders
  String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)"
             + "(HOST=servername)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=servicename)))";
  Properties props = new Properties();
  props.setProperty("user", "scott");
  props.setProperty("password", "tiger");
  // trust store that holds the CA certificate which signed the database certificate
  props.setProperty("javax.net.ssl.trustStore", "/truststore/ewallet.p12");
  props.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
  props.setProperty("javax.net.ssl.trustStorePassword", "welcome123");
  Connection conn = DriverManager.getConnection(url, props);

  http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf

  How to configure Oracle SQL Developer to use an SSL connection that was configured as per Note 401251.1

Slide 33: PKI: ODBC

Use the Oracle ODBC driver from the Oracle Data Access Components (ODAC).

Slide 34: Be a Certificate Authority (CA)

  • AD Certificate Services
  • commercial products
    – also open source: EJBCA, OpenXPKI
  • all steps are implemented in OpenSSL
    – not to be confused with self-signed certificates

  openssl genrsa -out rootCA.key 2048
  openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
  openssl ca -policy policy_anything -config loopca-url.cnf -out Certs/$1.pem -infiles Reqs/$1.req

The last command is a script fragment: $1 is the name of the request to sign, and loopca-url.cnf is the CA configuration. Note that -nodes leaves rootCA.key unencrypted on disk; the root key is the one secret that must never be readable by anyone but the CA operator.

Slide 35: Windows AD CA with auto-enrollment (screenshot)

Slide 36: Certificate chaining for a sub-CA (screenshot)

Slide 37: Contact

Jan Schreiber, Loopback.ORG GmbH, Hamburg
database intelligence | operations excellence | BI solutions
[email protected] | blogs.loopback.org

Thank you for your attention!